An in-depth analysis of hacking techniques: firewall-penetrating shellcode

Source: www.myhack58.com (MYHACK58:62200924727), author: Anonymous (佚名), published Sep 21, 2009

Summary

1. Ways of implementing remote shellcode

2. Problems and advantages of reusing the current connection

3. Win32 platform-specific implementation

4. Linux x86 platform-specific implementation

5. AIX PowerPC platform-specific implementation

**Implementation introduction**

**1. Ways of implementing remote shellcode**

1.1 Listening on a port

1.1.1 Listening on a new port

1.1.2 Reusing the original port

1.1.2.1 Port multiplexing (a second bind on the same port)

1.1.2.2 Re-binding

1.2 Reverse connection

1.3 Reusing the currently connected socket

1.3.1 The IIS ECB structure

1.3.2 getpeername

1.3.3 Setting the socket state with fcntl

1.3.4 ioctl (Linux/Unix) and ioctlsocket (Win32)

1.3.5 Using out-of-band (OOB) data

1.3.6 Hooking the system recv call

**2. Problems and advantages of reusing the current connection**

2.1 Bind shell

On Unix the socket can be used directly as the input and output handles of /bin/sh. Under Win32, socket() implicitly sets the overlapped flag, so the socket it creates is an overlapped socket; the stdin, stdout and stderr of cmd.exe cannot be redirected to it directly, and data can only be passed to the cmd.exe process through a pipe. Winsock recommends overlapped sockets, so in practice pipes are used wherever possible. A socket created with WSASocket() is non-overlapped by default, and the stdin, stdout and stderr of cmd.exe can be redirected to it directly.


2.2 Finding the socket in a multi-threaded environment

-=-=-=-=-=- start sample code =-=-=-=-=-=-
s = WSASocket(2, 1, …)
bind(s, …)
listen(s, …)
s2 = accept(s, …)
-=-=-=-=-=- end sample code =-=-=-=-=-=-

While s is blocked in accept(), any network function operating on s waits until a connection is established. So first probe the handle with WaitForSingleObjectEx: for a socket blocked in accept it returns WAIT_TIMEOUT, whereas a handle that can be used returns WAIT_OBJECT_0. Then use ioctlsocket/recv to determine whether it is the currently connected socket.


2.3 Advantages

Reusing the current connection is relatively covert, and on Win32, where cmd.exe is bound through a pipe, the data exchanged with the server can be XOR-encoded to further evade IDS detection. Shellcode that only finds the socket can be written quite short: once the socket is found, a second stage of more complex shellcode can be received into a buffer and jumped to. That later stage is free of any character and length restrictions; it can even receive a DLL to implement more complex functionality.

**3. Win32 platform-specific implementation**

3.1 Port multiplexing implementation

Port-reuse shellcode requires that the service is bound to the 0.0.0.0 address and did not use the SO_EXCLUSIVEADDRUSE option.

On the client side, the server's specific IP and port have to be written into the shellcode.

The shellcode executes:

setsockopt(s, 0xFFFF, 4, &d, 4);   /* level 0xFFFF == SOL_SOCKET, option 4 == SO_REUSEADDR */
bind(s, &sockaddr, 0x10);          /* bind to the server's specific IP and port; 0x10 == sizeof(sockaddr_in) */

Running netstat -na on the server then shows the same port bound twice, once to 0.0.0.0 and once to the specific IP. If the server is behind NAT, this method may run into problems.
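As an added defensive check (not part of the original article), the following Python script parses `netstat -na` output in Windows format (the sample lines are constructed) and reports every port that is listening both on 0.0.0.0 and on a specific interface address, which is the double binding described above.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -na` output (Windows format); not real data.
# Port 80 is listening on the wildcard address and on 192.168.1.10 at once.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.168.1.10:80        0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:80        10.0.0.5:4413          ESTABLISHED
"""

# One TCP LISTENING line: capture the local address and the local port.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.I)

def listening_sockets(netstat_output):
    """Yield (port, local_ip) for every TCP LISTENING line."""
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(2)), m.group(1)

def find_duplicate_bindings(netstat_output):
    """Return {port: sorted local addresses} for every port that listens on
    the wildcard address 0.0.0.0 *and* on a specific address. A second bind
    on an interface address next to the wildcard bind is what a port-reuse
    bind (SO_REUSEADDR without SO_EXCLUSIVEADDRUSE) leaves behind."""
    by_port = defaultdict(set)
    for port, ip in listening_sockets(netstat_output):
        by_port[port].add(ip)
    return {
        port: sorted(ips)
        for port, ips in by_port.items()
        if "0.0.0.0" in ips and len(ips) > 1
    }

if __name__ == "__main__":
    for port, ips in find_duplicate_bindings(SAMPLE_NETSTAT).items():
        print(f"port {port} is bound on the wildcard and a specific address: {ips}")
```

A hit is a lead, not a verdict: a legitimately configured service can also bind a port twice, so confirm which process owns each listener (for example with `netstat -nao`) before acting.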


3.2 Re-binding the original port

CreateProcess() creates a process in suspended mode. GetThreadContext() obtains the thread's context structure and register values. VirtualAllocEx() allocates memory in that process. WriteProcessMemory() writes the shellcode instructions into the space just allocated. The EIP in the context obtained from GetThreadContext() is changed to point at the memory allocated by VirtualAllocEx(), and SetThreadContext() writes the context back. ResumeThread() resumes the suspended process. TerminateProcess(-1, 0) terminates the current process. The new process then loops, binding the original port.


3.3 Finding the socket with getpeername

Before sending the attack string, the client calls getsockname to obtain the local address information of its socket and writes that information into the shellcode. On the server, the shellcode counts upward from 1 to search for the socket, calling getpeername on each value to obtain the remote address information. If the two pieces of information match, the socket is considered found; the search loop exits and the shell is bound to that socket. There is a big limitation: if the client is behind NAT, the information the client obtains with getsockname and the information the server-side shellcode obtains with getpeername do not necessarily agree, so the search fails.


3.4 Finding the socket by string matching

After sending the attack packet, the client sends a few more bytes of a marker string. The server-side shellcode increments the socket value, tries to receive the corresponding bytes on each one and checks whether they match, which identifies the currently connected socket. This method avoids the NAT limitation of getpeername. In a multi-threaded environment the search easily hits a socket that is blocked in accept, and in general a network function called on it would wait until a connection is established. flier pointed out that WaitForSingleObjectEx deals with this: on a socket blocked in accept it returns WAIT_TIMEOUT, while on a usable handle it returns WAIT_OBJECT_0.


The lookup process is as follows:

i = 0;
while (1)
{
    i++;                                    /* try the next handle value */
    ret = WaitForSingleObjectEx(i, 10, 1);  /* a socket blocked in accept() returns WAIT_TIMEOUT */
    if (ret != 0) continue;                 /* 0 == WAIT_OBJECT_0 */
    ul = 0;                                 /* so a failed ioctlsocket cannot leave a stale value */
    ret = ioctlsocket(i, FIONREAD, &ul);    /* how many bytes are waiting to be read */
    if (ul != 4) continue;                  /* the client sent a 4-byte marker */
    recv(i, buff, 4, 0);
    if (*(DWORD *)buff == 'Xc0n') goto shell;   /* marker matched: this is the connected socket */
}

bkbll found in testing that for a handle created by socket() that is blocked in accept, once the user has performed a getsockname operation on it, subsequent WaitForSingleObjectEx calls return WAIT_TIMEOUT (0x102).


3.5 Hooking the system recv call

Use VirtualProtect to make the first 5 bytes at the start address of the real recv function writable. Overwrite the start of the real recv with a jump to the new recv function. In the new recv function, restore those 5 bytes, call the real recv to perform the operation the system would have performed, and then rewrite the first 5 bytes of the real recv as a jump to the new recv again. Compare the received data with the agreed string: if it matches, bind a cmd.exe; otherwise jump to the return address on the stack so the system continues its original flow. This method can bypass mechanisms such as RPC, where the connected socket cannot otherwise be found by searching.


3.6 Implementing file upload and download

This requires tight cooperation between the client and the shellcode. To upload a file, the client opens and reads the file and sends it to the server, where the shellcode creates and writes the file. To download a file, the server-side shellcode opens and reads the file and sends it to the client, which creates and writes the file. Because the connection is non-blocking, during an upload the server-side shellcode must determine whether the socket still has data to receive; if not, it closes the handle and continues with the next step. During a download, the client must determine whether the socket has data. Both select and ioctlsocket can do this. An implementation of select in assembly is relatively complex, and ioctlsocket only works when the sender's block size is larger than the receiver's block size.


The client and the server-side shellcode can XOR the transmitted data with an agreed key; since cmd.exe is bound through a pipe, the interactive command traffic is encoded as well, which further improves concealment and evades IDS detection.

**4. Linux x86 platform-specific implementation**

4.1 Setting the socket state with fcntl

scz was the first to use this method; the basic idea is as follows:

i = 0;
while (1)
{
    i++;
    oldflags = fcntl(i, F_GETFL, 0);
    fcntl(i, F_SETFL, oldflags | O_NONBLOCK);   /* make the read non-blocking */
    read(i, buf, 4);
    fcntl(i, F_SETFL, oldflags);                /* restore the original flags */
    if (*(int *)buf == 'Xc0n') goto shell;      /* compare the 4-byte marker, not the buffer address */
}


4.2 Using OOB data

bkbll was the first to use this technique. In the Berkeley socket implementation, receiving OOB data generally does not block, so the search process is roughly as follows:

i = 0;
while (1)
{
    i++;
    recv(i, buf, 1, 1);           /* flags == 1 == MSG_OOB: read one byte of out-of-band data */
    if (buf[0] == 'I') goto shell;
}

On Unix/Linux this method is simple and effective.


4.3 Using some characteristics of the ioctl function

ioctl with FIONREAD determines how much data can be read from a handle and generally does not block. The socket search routine is as follows:

i = 0;
while (1)
{
    i++;
    ul = 0;
    ioctl(i, FIONREAD, &ul);      /* bytes waiting to be read on descriptor i */
    if (ul != 4) continue;
    read(i, buf, 4);
    if (*(int *)buf == 'Xc0n') goto shell;
}
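All of the search loops above (sections 3.3, 3.4, 4.1, 4.2 and 4.3) share one observable trait: the same process applies the same probing call to descriptors 1, 2, 3, ... in order. As an added detection example (not part of the original article), this Python script scans `strace -f`-style lines (the sample lines are constructed, and the line format is assumed to be `[pid N] call(fd, ...) = ret`) for such consecutive-descriptor runs.

```python
import re

# Constructed strace-style lines (not a real capture): pid 4242 probes
# descriptors 1..5 in order with ioctl(FIONREAD), then reads the 4-byte
# marker from the one that had data pending; pid 4243 behaves normally.
SAMPLE_TRACE = """\
[pid 4242] ioctl(1, FIONREAD, [0]) = -1 ENOTTY (Inappropriate ioctl for device)
[pid 4242] ioctl(2, FIONREAD, [0]) = -1 ENOTTY (Inappropriate ioctl for device)
[pid 4242] ioctl(3, FIONREAD, [0]) = 0
[pid 4242] ioctl(4, FIONREAD, [0]) = -1 EBADF (Bad file descriptor)
[pid 4242] ioctl(5, FIONREAD, [4]) = 0
[pid 4242] read(5, "Xc0n", 4) = 4
[pid 4243] read(0, "ls\\n", 16) = 3
[pid 4243] write(1, "bin\\n", 4) = 4
"""

# Calls that the socket-search loops issue against every descriptor in turn.
PROBE_CALLS = {"ioctl", "fcntl", "getpeername", "recv", "recvfrom", "read"}

# Optional "[pid N]" prefix, then "call(fd" followed by "," or ")".
CALL_RE = re.compile(r"^(?:\[pid\s+(\d+)\]\s*)?(\w+)\((\d+)[,)]")

def parse_calls(trace_text):
    """Yield (pid, syscall, fd) for each line that is a syscall on a descriptor."""
    for line in trace_text.splitlines():
        m = CALL_RE.match(line)
        if m:
            yield m.group(1) or "?", m.group(2), int(m.group(3))

def descriptor_sweeps(trace_text, min_run=4):
    """Return [(pid, syscall, first_fd, last_fd)] for every run in which one
    process applies the same probing call to consecutive descriptors
    (fd, fd+1, fd+2, ...) at least min_run times. Ordinary code touches the
    descriptors it owns; a counting sequence is the search loop's signature."""
    sweeps = []
    current = None  # (pid, syscall, first_fd, last_fd) of the run in progress
    for pid, call, fd in parse_calls(trace_text):
        if (current and call in PROBE_CALLS and pid == current[0]
                and call == current[1] and fd == current[3] + 1):
            current = (pid, call, current[2], fd)   # extend the run
            continue
        if current and current[3] - current[2] + 1 >= min_run:
            sweeps.append(current)                  # the run just ended was long enough
        current = (pid, call, fd, fd) if call in PROBE_CALLS else None
    if current and current[3] - current[2] + 1 >= min_run:
        sweeps.append(current)
    return sweeps
```

Run it over the output of `strace -f -p <pid>` for a suspect service; treat a reported sweep as a lead to investigate, since code that closes every inherited descriptor in a freshly forked daemon also counts through descriptors and must be ruled out.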


4.4 Implementing file upload and download

Similar to the Win32 implementation, except that on Linux/Unix there seems to be no additional pipe between /bin/sh and the socket, so the interactive shell data cannot be encoded, and concealment may be poorer.

**5. AIX PowerPC platform-specific implementation**

The cache mechanism: instruction cache and data cache.


Self-modifying code on PowerPC follows these steps:

Store the modified instruction.

Execute the dcbst instruction to force the cache line containing the modified instruction to be written back to memory.

Execute the sync instruction to ensure that dcbst has completed.

Execute the icbi instruction to invalidate the instruction cache line that would hold the modified instruction.

Execute the isync instruction to discard all instructions in the instruction pipeline, since they may have been fetched before the cache line was invalidated.

The modified instruction can now be executed. When it misses in the instruction cache, the modified instruction is fetched from memory.


Some AIX systems have no cache management instructions.

A simple workaround is to trigger a system interrupt after the self-modification; the self-modified instructions then execute correctly afterwards.

This makes decoding shellcode feasible and lays a good foundation for implementing complex shellcode.


5.1 Using OOB data

Similar to the Linux x86 implementation.

Difficulties:

The system call numbers differ between versions of AIX, so the same shellcode cannot be used on every version.