Overflow program uses channels to anti-firewall

zhaozj2021-02-08  213

Now there are a lot of web and other applications use a firewall. We can also be behind a proxy, transparent gateway, etc., which has caused a small trouble for overflowing and other communications. Many people will think that shellcode is actively connected. If the firewall is doing well, it is not allowed to visit the outside, even if this firewall is not considered, we may tend to be behind the agent or transparent gateway, consider this is also a problem.

But we carefully consider considering the issue of data transmission, it will find that it is actually that it is not imagined, in fact, there is already something to clear the road for us, that is, the data channel. So many problems are afraid that we have not thought that there is no understanding. As long as we visited Server, in fact, in the middle of the application, there is a way similar to the same channel, in fact, the intermediate may be more complex, but for our application, there will be such a channel.

Client <------> proxy <------> Firlwall <------> Server

To use this channel, as long as we found the read and write calls for this channel on Server. The following is a specific application for IIS. IIS has two interfaces, ISAPI and CGI, which mainly consider these two applications.

1, ISAPI interface; IIS's Server and ISAPI communication are roughly like this:

ECB

Server <------> Isapi

Typedef struct _extension_control_block

{DWORD CBSIZE; / / SIZE OF THIS STRUCT.

DWORD DWVERSION; // Version Info of this Spec

HCONN Connid; // context number not to be modified!

DWORD DWHTTPSTATUSCODE; // http status code

Char lpszlogdata [hse_log_buffer_len]; // Null Terminated log Info Specific To this Extension DLL

LPSTR LPSZMETHOD; // Request_Method

LPSTR LPSZQUERYSTRING; // Query_String

LPSTR LPSZPATHINFO; // Path_info

LPSTR LPSZPATHTRANSLATED; // PATH_TRANSLATED

DWORD CBTOTALBYTES; // Total Bytes IND from Clom Clom Clom Clom Clom Clom

DWORD CBAVAILABLE; / / AVAILABLE NUMBER OF BYTES

LPBYTE LPBDATA; / / POINTER TO CBAVAILABLE BYTES

LPSTR LPSZCONTENTTYPE; // Content Type of Client Data

Bool (WinApi * GetServerVariable);

BOOL (WinAPI * WriteClient);

Bool (WinApi * ReadClient);

Bool (WinAPI * ServersupportFunction);

}

It can be seen that there is a WriteClient and ReadClient support to read, write to the customer, in fact, is written for that channel. As long as we are in Isapi overflow, shellcode can find this ECB parameter, you can read and write this channel, implement the anti-firewall, and interact with our client overflower. This can consider the register and the parameters in the stack. What is the ECB parameter, it can not be able to search the memory structure directly to find our own ECB. These two ways are used in my different programs, the effect Nice. Note that Apache's ISPAI implementation does not implement the readclient function, it may not be needed to read the client because it feels that the request is handled, but you can use the ECB to find the socket, then call the send function. Then there are many proxy (gateways must not) implement a client ------> proxy ------> Server ------> Proxy ------> Client, not Client <------> proxy <-----> server. So we don't let them become an intermediate link for such an agent, as this will destroy our client and shellcode good interactivity.

2, CGI interface; familiar with IIS's CGI interface, it will understand that its data is the following form:

PIPE PIPE

Server ------> CGI ------> Server

Seeing IIS This processing data is also not completely interacting, so I started to deal with the overflow of CGI, and I can't use the opening port, and then the Client is even implemented by this Port. But for the good interactivity above, dealing with firewall, etc., always feel a doctor, so it has always considered a solution.

During this time, although the CGI is in a separate space, it will not inherit the SOCKET of Server, and still read the might of reading the socket? So today, I didn't write directly or on the CGI's shellcode. After the PORT waited, it was written in the inside of the PORT, but fills the code to all sockets, which is welcome to successfully receive information from shellcode in the client. This shows that this channel is through, and it should be no problem. Now what is needed is how to find this correct Socket in Shellcode. This also requires technology to solve, but there should be no problem.

For CGIs such as Apache, I believe that there is also the same result, and the desire should always be better.

The above use of the two applications of IIS use channels to antirefireless walls, but see that the technology should be the same for other systems such as Unix. After all, this idea is systematic, and there is only technical details. Do you want to put the shellcode under your UNIX with the function of anti-firewall? In fact, there are many things in my overflow programs, you can think about it, like overflow point positioning, shellcode positioning, the original code writes shellcode, shellcode encoding, etc. In fact, I really want to write a spilling attack program for a satisfactory Unix system, but a person can't do anything, and there are still many other things to do.

转载请注明原文地址:https://www.9cbs.com/read-2092.html

New Post(0)