Metasploit mailing list archives
Re: Listeners that hijack existing listen ports
From: HD Moore <hdm () metasploit com>
Date: Tue, 01 Dec 2009 09:40:13 -0600
On Tue, 2009-12-01 at 17:23 +0200, Konrads Smelkovs wrote:
> This is just a quick idea I came up with, and I wonder if it is implementable at all. Sometimes, when exploiting vulnerabilities in DMZ systems, it will be difficult or impossible to get a remote shell, because the firewall will filter incoming and outgoing connections. Would it be possible to hijack the listening socket through which the exploit arrived with specially crafted code, which would listen on that socket instead and, if the first 10 bytes are a magic string, spawn a shell, and if not, pass the traffic back to the original socket?
This is what the find_tag stagers do; however, they only work when the exploited application has access to the original socket handle. This isn't the case with IIS or most DCERPC services in Windows, but it does work with most third-party products.

-HD

https://mail.metasploit.com/mailman/listinfo/framework
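The following is an added example, not code from either poster and not Metasploit's find_tag stager itself: a user-space C model of the idea HD describes. Instead of opening a new (firewalled) port, the payload walks the exploited process's own descriptor table, peeks at the pending input on each socket, and selects the one whose first bytes match a magic tag the attacker sends over the already-established exploit connection. The tag value "MSF!", the function names, and the socketpair test rig standing in for the service's accepted connection are assumptions made for this illustration. Because the scan covers only descriptors the current process holds, it also shows concretely why the technique needs the original socket handle to live in the exploited process, as HD notes.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Return the first fd in [0, maxfd) whose pending input starts with `tag`,
 * or -1 if none matches. MSG_PEEK leaves the bytes queued, so a socket that
 * does not match is untouched and its original owner can still read it;
 * MSG_DONTWAIT keeps the scan from blocking on idle sockets. */
int find_tag_fd(const char *tag, size_t taglen, int maxfd)
{
    unsigned char buf[64];
    if (taglen == 0 || taglen > sizeof buf)
        return -1;
    for (int fd = 0; fd < maxfd; fd++) {
        /* Non-sockets fail with ENOTSOCK, closed fds with EBADF, and sockets
         * with nothing queued with EAGAIN. All three are simply skipped. */
        ssize_t n = recv(fd, buf, taglen, MSG_PEEK | MSG_DONTWAIT);
        if (n == (ssize_t)taglen && memcmp(buf, tag, taglen) == 0)
            return fd;
    }
    return -1;
}

/* Once the right socket is known, consume the tag so whatever the attacker
 * sends next (the stage) can be read from the same connection. */
int consume_tag(int fd, size_t taglen)
{
    unsigned char buf[64];
    size_t got = 0;
    if (taglen > sizeof buf)
        return -1;
    while (got < taglen) {
        ssize_t n = recv(fd, buf, taglen - got, 0);
        if (n <= 0)
            return -1;
        got += (size_t)n;
    }
    return 0;
}

/* Constructed test rig. `victim` models the exploited service's accepted
 * connection (attacker end = victim[0], service end = victim[1]); `other`
 * models an unrelated client connection carrying ordinary traffic.
 * Returns the number of checks that passed; all 3 are expected to pass. */
int demo_find_tag(void)
{
    static const char tag[] = "MSF!";   /* assumed 4-byte magic tag */
    const size_t taglen = 4;
    int victim[2], other[2], passed = 0;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, victim) != 0)
        return -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, other) != 0) {
        close(victim[0]); close(victim[1]);
        return -1;
    }

    /* 1. Nothing queued anywhere: the scan must come up empty. */
    if (find_tag_fd(tag, taglen, 64) == -1)
        passed++;

    /* 2. An unrelated connection carries normal traffic: still no match. */
    if (send(other[0], "GET /", 5, 0) == 5 && find_tag_fd(tag, taglen, 64) == -1)
        passed++;

    /* 3. The attacker sends the tag on the exploit connection: exactly that
     *    descriptor is found, the tag is consumed, and the unrelated
     *    connection's bytes are still intact because they were only peeked. */
    if (send(victim[0], tag, taglen, 0) == (ssize_t)taglen &&
        find_tag_fd(tag, taglen, 64) == victim[1] &&
        consume_tag(victim[1], taglen) == 0) {
        char check[8];
        if (recv(other[1], check, 5, MSG_DONTWAIT) == 5 &&
            memcmp(check, "GET /", 5) == 0)
            passed++;
    }

    close(victim[0]); close(victim[1]);
    close(other[0]);  close(other[1]);
    return passed;
}

int main(void)
{
    int passed = demo_find_tag();
    printf("%d of 3 checks passed\n", passed);
    return passed == 3 ? 0 : 1;
}
```

The peek-then-consume split is what makes Konrads' "pass the traffic back" variant feasible in principle: a connection whose first bytes are not the tag is never read from, so the original handler sees it unchanged. A real stager would follow `consume_tag` by reading and executing the stage from the same descriptor; that part is deliberately left out here.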
Current thread:
- Listeners that hijack existing listen ports Konrads Smelkovs (Dec 01)
- Re: Listeners that hijack existing listen ports HD Moore (Dec 01)
- multiple remote windows open on vncinject Jeffs (Dec 01)
- Re: multiple remote windows open on vncinject Patrick Webster (Dec 02)
- the rewriting of exploit.rb Jeffs (Dec 02)
- Re: the rewriting of exploit.rb Jeffs (Dec 02)
- pardon me for plugging Rapid7 Jeffs (Dec 02)
- Re: pardon me for plugging Rapid7 Danux (Dec 02)
- multiple remote windows open on vncinject Jeffs (Dec 01)
- Re: Listeners that hijack existing listen ports Amin Tora (Dec 01)
- Re: Listeners that hijack existing listen ports HD Moore (Dec 01)