Spill procedures use the channel against the firewall-vulnerability warning-the black bar safety net

ID MYHACK58:62200715310
Type myhack58
Reporter 佚名
Modified 2007-05-02T00:00:00


Now many web applications such as using a firewall, and we ourselves may also in the proxy, the transparent gateway, etc. behind it for the overflow of communication caused a little trouble. Many people may think of shellcode active connection, this if the firewall is done well, no access to the outside as not, even without considering this firewall, and we ourselves may often be in a proxy or transparent gateway behind, consider this also is a problem. But we carefully consider consider data transmission issues, you will find that in fact all this did not imagine so difficult, in fact, already have something as we cleared the road, that is the data channel. So many questions afraid of is that we did not go to think, not to understand something. As long as we have access to the server,in fact, for now these applications, the intermediate has been established similar to the following, as a channel, in fact, the middle may be still more complex, but for our application, there will be such a channel. client <------> proxy <------> firlwall <------>server To use this channel,as long as we server found for this channel read and write calls on it. The following is specifically for IIS say the application. IIS has two kinds of interface, ISAPI and CGI, the main consideration of both the case of the application of the approach. 1, the ISAPI interface; the IIS server with the ISAPI communication is roughly this: ecb server<------>isapi typedef struct _EXTENSION_CONTROL_BLOCK {DWORD cbSize; // Size of this struct. DWORD dwVersion; // Version info of this spec HCONN ConnID; // Context number not to be modified! DWORD dwHttpStatusCode; // HTTP Status code CHAR lpszLogData[HSE_LOG_BUFFER_LEN];// null terminated log info specific to this Extension DLL LPSTR lpszMethod; // REQUEST_METHOD LPSTR lpszQueryString; // QUERY_STRING LPSTR lpszPathInfo; // PATH_INFO LPSTR lpszPathTranslated; // PATH_TRANSLATED DWORD cbTotalBytes; // Total bytes indicated from client DWORD cbAvailable; // Available number of bytes LPBYTE lpbData; // Pointer to cbAvailable bytes LPSTR lpszContentType; // Content type of client data BOOL (WINAPI * GetServerVariable); BOOL (WINAPI * WriteClient); BOOL (WINAPI * ReadClient); BOOL (WINAPI * ServerSupportFunction); } As can be seen the isapi there is a WriteClient and ReadClient support for clients to read, write, in fact it is for that channel to read, write. As long as we are in ISAPI overflow, the shellcode can be found in the ecb parameter, it can read and write to the channel, to achieve against the Firewall, with our client overflow program interactive features. This point can be considered an overflow of the register and the stack inside the parameters, etc. to see what is ecb parameters, it is not can also shellcode directly search the memory structure to find our own ecb, which two ways in my different procedures inside the use, the effect are good. Note that the apache ISPAI achieve not achieve the ReadClient function, probably because of there processing a request when it's not necessary to read the client, but you can totally by the ecb find the socket, and then directly calls the send function to send. Then there are many proxy gateway must not enable on the client------>proxy------>server------>proxy------>client,rather than client<------>proxy<------>server. So for such a proxy we don't let it become the middle part, because it would spoil our client with the shellcode of the good interactivity. 2、CGI interface; familiar with IIS the cgi interface a little maybe you will understand which data is of the following form: pipe pipe server------>cgi------>server See IIS this point processing of the data is also not completely interactive, so I started processing the CGI overflow when there is no way to use the open port, and then client connected to this port way to achieve. But for the above kind of good interactivity, deal with firewall and other functions, always have a miss, so it has been considered a solution. This time suddenly thought, although in this case the cgi is in a separate space inside, but will not inherit the server socket, still there are read and write that socket possible? So today in cgi shellcode inside is not a direct output or open port waiting for a connection after to be written inside, but the filling of the code to all the socket inside write, the good news is in the client inside successfully received from the shellcode information. This shows that this channel is on, the reading should be no problem. What is needed now is the shellcode inside how to find the correct socket. This point also requires technology to solve, but it should be no problem. For apache such as cgi,believe also have the same result, the desire should always be to the good point.

The above describes the iis of the two applications in the case of using a channel against the firewall, but look at that technology for other unix systems the application should be the same. After all this idea is system independent, the rest is just technical details. Is not also want to put your unix shellcode plus against the firewall function? Actually my overflow program to prepare there are many things you can consider drawing on it, like the overflow point positioning., the shellcode locate it, the original code is written shellcode to it, the shellcode encoded? and so on. Actually really want to do-it-yourself write a unix like system overflow attack program samples out,but a person can not do anything yeah, there are a lot of other things to do.