Caution: eMule can sell you out
eMule (eDonkey) is a completely free and open-source P2P program, and precisely because it is free it is very popular among netizens, who like to use it to exchange network resources. But while we enjoy the benefits the software brings to our network, we cannot ignore its security, and vulnerabilities in the software were recently exposed.
Cause of the vulnerability
Most software security problems arise the same way: from flaws in part of the code or in the program's architecture, or from the program failing to correctly handle malformed input it receives from the network. An attacker can exploit such a flaw to attack the program. Requests are sent as POST data or GET data, and on this principle the attacker sends a malformed GET request that causes the eMule program to crash. Here we can see the requests eMule sends and receives while connected to a server (Figure 1).
Figure 1
Attacking a vulnerable host
An attacker who wants to attack first has to find a host with the vulnerability. Since eMule must open specific ports to join the network, any host that a scan shows to have the eMule port open can be attacked. eMule opens ports 4662 and 4672 by default; by scanning for these two ports, attackers can lock on to their targets.
The attacker then confirms that the software is running by using a scanning tool to scan the specified port 4662 (Figure 2).
Figure 2
After scanning, a large number of open target hosts will be found. The attacker then overflows the target using the eDonkey attack tool emule042e that circulates on the network. When the attacker runs the emule042e program, it automatically compiles and launches the attack; the attack command is "USAGE: perl emule042e 202.105.*.* 4662 30" (Figure 3).
Figure 3
Here emule042e.pl is the attack program the attacker uses, 202.105.*.* is the IP address of the target host, 4662 is the specific port of the eDonkey program that the attacker found, and 30 means the attack program will make 30 consecutive attacks on the target host. When it runs against someone using this software, it causes a denial of service and crashes the whole application. The tool to prepare is NC, known as the Swiss army knife, because after the overflow NC is used to listen on the overflowed port, which returns a command shell. As shown in Figure 4:
Figure 4
In Figure 4, the NC command used listens on port 4662 of this machine, so that after emule042e.pl overflows the target host, if the overflow succeeded, a command shell is returned to the attacker's computer. Note, therefore, that the NC listener must be started before the overflow tool is run, so that NC is already listening on the port and receives the shell after the overflow. As Figure 4 shows, after listening and running the overflow, the attacker lands directly in the SYSTEM32 directory of the target system, and from there can use TFTP to upload Trojans or backdoors, because administrator privileges on the target host have been obtained.
Defending against the overflow
Nobody wants their computer controlled by others, so friends who use eMule should be more careful. However, it is unrealistic to ask these eMule enthusiasts to switch to other software.
To defend against attackers, first update the software: download the latest eMule, then use a port-modification tool to change the 4662 port that eMule uses, so that the attacker cannot find the entrance for the attack.
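As an added illustration for the defender's side (not code from the article or from the eMule project), the following Python script checks constructed firewall-style connection log lines for the pattern the article describes: one source sweeping many hosts on eMule's default ports 4662/4672, or hitting a single host's eMule port over and over. The log line format, the thresholds and the addresses are assumptions made for this example.

```python
"""Flag sources probing eMule's default ports in firewall-style connection logs.
Added example; the log format, thresholds and addresses are constructed."""
import re
from collections import defaultdict

EMULE_PORTS = {4662, 4672}   # eMule's default ports named in the article
SCAN_THRESHOLD = 5           # distinct eMule hosts contacted by one source
REPEAT_THRESHOLD = 10        # connection attempts from one source to one host

# Constructed syslog-like firewall lines (documentation address ranges, not real
# traffic): one source sweeps six hosts on 4662, one hammers a single host
# twelve times, and one ordinary peer connects once.
SAMPLE_LOG = "\n".join(
    [f"May 01 10:00:{i:02d} fw ACCEPT src=198.51.100.7 dst=192.0.2.{10 + i} dport=4662"
     for i in range(6)]
    + [f"May 01 10:01:{i:02d} fw ACCEPT src=203.0.113.5 dst=192.0.2.20 dport=4662"
       for i in range(12)]
    + ["May 01 10:02:00 fw ACCEPT src=192.0.2.99 dst=192.0.2.20 dport=4662",
       "May 01 10:02:01 fw ACCEPT src=192.0.2.99 dst=192.0.2.21 dport=80"]
)

LINE_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)")


def parse_line(line):
    """Return (src, dst, dport) for a log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group(1), m.group(2), int(m.group(3))


def analyze(log_text):
    """Return (scanners, hammering): sources that swept many eMule hosts, and
    (src, dst) pairs with repeated attempts against one eMule host."""
    targets = defaultdict(set)    # src -> hosts contacted on eMule ports
    attempts = defaultdict(int)   # (src, dst) -> number of attempts
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if dport not in EMULE_PORTS:
            continue                # unrelated traffic, e.g. port 80
        targets[src].add(dst)
        attempts[(src, dst)] += 1
    scanners = sorted(s for s, hosts in targets.items() if len(hosts) >= SCAN_THRESHOLD)
    hammering = sorted(pair for pair, n in attempts.items() if n >= REPEAT_THRESHOLD)
    return scanners, hammering
```

Running analyze(SAMPLE_LOG) reports the sweeping source and the (source, target) pair being hammered, while the single ordinary peer connection is not flagged.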