A technique that bypasses most domestic firewalls - vulnerability warning - the black bar safety net

ID MYHACK58:6220055485
Type myhack58
Reporter Anonymous
Modified 2005-12-16T00:00:00


I have always had a dream: to find a vulnerability or a bug of my own. So after a long day of fiddling blindly at the computer, I started looking into how to break through firewalls. The firewalls meant here are software personal firewalls; I had no means of testing hardware ones. Strange as it sounds, this unplanned research really did turn up a problem shared by most firewalls. The bug lets us deceive the firewall into allowing outbound access. How, exactly? Read the commentary below.

First, a Windows system property: while a program is running it cannot be deleted, but it can be renamed. And when a program under system protection is deleted, corrupted or renamed, the system promptly calls on the backup copy to restore it.

Now to the firewalls. As we all know, the "application rules" of many firewalls allow by default the IE browser iexplore.exe, Outlook Express msimn.exe, lsass.exe, spoolsv.exe, MSTask.exe, winlogon.exe, services.exe and svchost.exe, and most firewalls consider that as long as the path and file name match the rule, the program is passed. Deciding whether to release traffic by that test alone completely ignores the possibility that a different file has been put in that place. It is the equivalent of a costume change: once the name checks out, the imposter is accepted without question. This gives us an opening: we can use the bug to fool the firewall into letting us reach the outside.

Tip: in fact most Trojans today that use DLL injection (the "plug thread" technique) rely on the same principle. They first hide in the process of a program the firewall already trusts, such as the iexplore.exe process, insert the DLL Trojan into that thread, and then reach the outside without trouble, because the firewall does not intercept a program it has certified.

That is the principle; now for how to use the bug. I used a virtual machine for the experiment, set up as follows. To be closer to reality, I installed on the server the "Skynet firewall", Radmin (which cannot be connected to normally, because the firewall restricts the IP addresses allowed to access it), MS SQL Server and Serv-U.

First we try the commonly used port-forwarding method and see how the firewall reacts. Step one: start the server side of Fport from AngelShell Ver 1.0 to do the port forwarding (it can forward almost any port), and start FportClient locally to listen for the forwarded port. Step two: run "e:\www\fport.exe 4899 7788" directly in the CMDSHELL; we then see the "Skynet" on the virtual machine immediately intercept Fport.

See! Because Fport is not a certified program, the firewall blocks it immediately. Now let's carry out the deception plan and see how to get through the firewall. Do step one as before, then create a new batch file with the following content:

    ren MSTask.exe MSTask1.exe
    ren fport.exe MSTask.exe
    MSTask.exe 4899 7788
    Del %0

Name it go.bat, then use SqlRootKit to copy "Fport.exe" and go.bat together to the target machine's c:\winnt\system32\ directory, where MSTask lives, and execute go.bat from SqlRootKit. Note: renaming MSTask.exe requires administrator permissions. When FportClient reports "A connection from the remote computer has been accepted!", connect to the machine's port 4899 with the Radmin client.

We have successfully broken through the restriction. The firewall does not restrict local connections to port 4899, and since we used Fport to forward that port, logging in counts as a local connection, so the connection succeeds. As a result, the Fport that could not get past the firewall before has become a "plug thread" style port-forwarding tool. In my experiments, the domestic firewalls almost without exception "have" this bug. Although it does not cause great harm on its own, it always gives an intruder a chance to get at us. As the saying goes, joy shared is better than joy alone, so I am publishing this: first so that domestic firewalls can improve, and second as a heads-up to people in networking. My skill is limited and there are bound to be mistakes; corrections and criticism are welcome.
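As an added illustration, not code from the original post or from any of the firewalls named in it, the following Python model puts the path-and-name rule check the article describes beside a rule that also pins a SHA-256 of the file content (the pinned check is this editor's suggested mitigation, not something those firewalls did). The stand-in files, their contents and the file names are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

# Added example, not code from the original post. It models the two
# application-rule styles discussed above on constructed files: a rule that
# trusts path + file name only, and one that also pins the file's SHA-256.

def sha256_of(path):
    """Hash a file's content in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def same_path(a, b):
    """Compare two paths the way a name/path rule would (case-insensitive)."""
    return os.path.normcase(os.path.abspath(a)) == os.path.normcase(os.path.abspath(b))

def allowed_by_path_rule(rule, exe_path):
    """Weak check: release the program when path and file name match the rule."""
    return same_path(rule["path"], exe_path)

def allowed_by_pinned_rule(rule, exe_path):
    """Stronger check: path must match AND the content hash must match."""
    return same_path(rule["path"], exe_path) and sha256_of(exe_path) == rule["sha256"]

def simulate_rename_swap():
    """Replay the swap from the article on constructed stand-in files.
    Returns {'genuine': (weak, strong), 'swapped': (weak, strong)}."""
    with tempfile.TemporaryDirectory() as d:
        trusted = os.path.join(d, "MSTask.exe")
        with open(trusted, "wb") as f:
            f.write(b"constructed stand-in for the genuine MSTask.exe")
        # The rule is created while the genuine file is in place.
        rule = {"path": trusted, "sha256": sha256_of(trusted)}
        genuine = (allowed_by_path_rule(rule, trusted), allowed_by_pinned_rule(rule, trusted))
        # The genuine file is renamed aside and another program takes its name.
        os.rename(trusted, os.path.join(d, "MSTask1.exe"))
        with open(trusted, "wb") as f:
            f.write(b"constructed stand-in for some other program")
        swapped = (allowed_by_path_rule(rule, trusted), allowed_by_pinned_rule(rule, trusted))
        return {"genuine": genuine, "swapped": swapped}

if __name__ == "__main__":
    print(simulate_rename_swap())
```

The path-only rule accepts the swapped-in file exactly as it accepts the genuine one, while the pinned rule rejects it; the same idea applies to checking a code signature or the file version on the real binary.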

N/P NetPatch