Using the existing data channel to get past the firewall in overflow programs

zhaozj 2021-02-16 53

A friend raised this with me on a website. I looked at it carefully today, and yes, so I will put it online.

Nowadays a lot of web and other applications sit behind a firewall. We may also be behind a proxy, a transparent gateway and so on, which causes a small amount of trouble for overflow exploitation and other communication. Many people assume the shellcode has to connect out actively. If the firewall is configured well, it does not allow connections to the outside, and even leaving the firewall aside we may well be behind a proxy or a transparent gateway, which is a problem in its own right. But if we think carefully about how the data is actually transmitted, we find it is not as hard as imagined: something has already cleared the road for us, namely the data channel that already exists. Many problems are only problems because we have not thought about them or do not understand them. As long as we can reach the server at all, there is something like a channel between us and the application; in the middle it may be more complex, but from the application's point of view such a channel exists:

    Client <----> Firewall <----> Server

To use this channel we only need to find, on the server, the read and write calls for it. Below is a concrete application to IIS. IIS has two interfaces, ISAPI and CGI; this post mainly considers these two.

1. The ISAPI interface. The server communicates with an ISAPI extension roughly like this, through the ECB:

    server <---- ECB ----> isapi

    typedef struct _EXTENSION_CONTROL_BLOCK {
        DWORD   cbSize;                          // Size of this struct
        DWORD   dwVersion;                       // Version info of this spec
        HCONN   ConnID;                          // Context number, not to be modified
        DWORD   dwHttpStatusCode;                // HTTP status code
        CHAR    lpszLogData[HSE_LOG_BUFFER_LEN]; // Null-terminated log info specific to this extension DLL
        LPSTR   lpszMethod;                      // REQUEST_METHOD
        LPSTR   lpszQueryString;                 // QUERY_STRING
        LPSTR   lpszPathInfo;                    // PATH_INFO
        LPSTR   lpszPathTranslated;              // PATH_TRANSLATED
        DWORD   cbTotalBytes;                    // Total bytes indicated from client
        DWORD   cbAvailable;                     // Available number of bytes
        LPBYTE  lpbData;                         // Pointer to cbAvailable bytes
        LPSTR   lpszContentType;                 // Content type of client data
        BOOL (WINAPI * GetServerVariable)(HCONN hConn, LPSTR lpszVariableName, LPVOID lpvBuffer, LPDWORD lpdwSize);
        BOOL (WINAPI * WriteClient)(HCONN ConnID, LPVOID Buffer, LPDWORD lpdwBytes, DWORD dwReserved);
        BOOL (WINAPI * ReadClient)(HCONN ConnID, LPVOID lpvBuffer, LPDWORD lpdwSize);
        BOOL (WINAPI * ServerSupportFunction)(HCONN hConn, DWORD dwHSERequest, LPVOID lpvBuffer, LPDWORD lpdwSize, LPDWORD lpdwDataType);
    } EXTENSION_CONTROL_BLOCK;

It can be seen that there are WriteClient and ReadClient callbacks for writing to and reading from the client; these are precisely the read and write calls for the channel. As long as our shellcode in the ISAPI overflow can find this ECB parameter, it can read and write this channel, get past the firewall and interact with our overflow client. To find the ECB one can consider the registers and the parameters in the stack; if it cannot be found that way, one can search memory directly for the ECB structure to locate our own ECB. I have used both ways in different programs, and the effect is nice.
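As an added illustration (not code from the original post, and not a Windows header): a simulated ECB in portable C, with a reduced subset of the struct's fields and constructed ReadClient/WriteClient stand-ins in place of IIS, showing the contract the post relies on. An ISAPI extension does all of its client I/O through the two callbacks in the ECB, over the connection IIS already holds, which is why a valid ECB pointer is in effect a handle to that connection and should be treated as such when assessing an ISAPI extension.

```c
#include <stdint.h>
#include <string.h>
typedef uint32_t DWORD; typedef int BOOL; typedef void *HCONN;
/* Reduced ECB: a subset of the real fields with portable types, same roles. */
typedef struct _EXTENSION_CONTROL_BLOCK {
    DWORD cbSize;               /* size of this struct */
    HCONN ConnID;               /* opaque connection context, not to be modified */
    DWORD cbTotalBytes;         /* body bytes the client announced */
    DWORD cbAvailable;          /* body bytes IIS has already delivered */
    unsigned char *lpbData;     /* pointer to those cbAvailable bytes */
    BOOL (*WriteClient)(HCONN, void *, DWORD *, DWORD);
    BOOL (*ReadClient)(HCONN, void *, DWORD *);
} EXTENSION_CONTROL_BLOCK;
/* Constructed stand-in for the server's connection object behind ConnID. */
typedef struct { const char *in; DWORD in_len, in_pos; char out[257]; DWORD out_len; } FakeConn;
static BOOL fake_read(HCONN h, void *buf, DWORD *len) {
    FakeConn *c = h; DWORD left = c->in_len - c->in_pos;
    if (*len > left) *len = left;
    memcpy(buf, c->in + c->in_pos, *len); c->in_pos += *len;
    return 1;
}
static BOOL fake_write(HCONN h, void *buf, DWORD *len, DWORD reserved) {
    FakeConn *c = h; (void)reserved;
    if (c->out_len + *len > sizeof c->out - 1) return 0;
    memcpy(c->out + c->out_len, buf, *len); c->out_len += *len;
    return 1;
}
/* The extension entry point as IIS calls it: it never opens a socket. It echoes
 * the body bytes IIS pre-read, then pulls the rest through ReadClient. */
static DWORD HttpExtensionProc(EXTENSION_CONTROL_BLOCK *ecb) {
    char buf[64]; DWORD n = ecb->cbAvailable, got = ecb->cbAvailable;
    ecb->WriteClient(ecb->ConnID, ecb->lpbData, &n, 0);
    while (got < ecb->cbTotalBytes) {
        n = sizeof buf;
        if (!ecb->ReadClient(ecb->ConnID, buf, &n) || n == 0) break;
        ecb->WriteClient(ecb->ConnID, buf, &n, 0); got += n;
    }
    return 1; /* HSE_STATUS_SUCCESS */
}
/* Simulates one request whose first `preloaded` body bytes IIS handed over in
 * lpbData; returns what reached the client (NUL-terminated copy in c->out). */
static const char *run_request(const char *body, DWORD preloaded, FakeConn *c) {
    EXTENSION_CONTROL_BLOCK ecb; memset(c, 0, sizeof *c); memset(&ecb, 0, sizeof ecb);
    c->in = body + preloaded; c->in_len = (DWORD)strlen(body) - preloaded;
    ecb.cbSize = sizeof ecb; ecb.ConnID = c; ecb.lpbData = (unsigned char *)body;
    ecb.cbTotalBytes = (DWORD)strlen(body); ecb.cbAvailable = preloaded;
    ecb.WriteClient = fake_write; ecb.ReadClient = fake_read;
    HttpExtensionProc(&ecb); c->out[c->out_len] = '\0';
    return c->out;
}
```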

Please credit the original source when reposting: https://www.9cbs.com/read-21580.html
