Dailydave mailing list archives

A white-tip shark has a sensitive enough lateral line to hunt the reef in complete darkness


From: Dave Aitel <dave () immunitysec com>
Date: Thu, 06 Jan 2005 21:57:27 -0500

Just to sum up SK Chong's pdf since BlackHat's website is entirely too slow: He details 3 major methods of doing socket reuse on Windows:

1. LSD-style getpeername loop. This method typically looks up the incoming port or IP of each socket and does a compare against a static port or IP. One advantage of this method is that it's small and somewhat reliable, but it has issues "in the wild" as network conditions exceed simple point to point connections. Basically, against a webserver you will likely be going through a reverse proxy. And, of course, you may be hacking from within a network you don't have full control over. You can't be redoing the NAT filters on your target's network every time you want to hack from it. This is still the most widely used method I've seen - in fact, this is the method everyone else but Immunity and .gov.cn and a few other random people use (Halvar, for example :>), as far as I know.

2. Bind-code can be used to listen on the same socket as Inetinfo or another service if it hasn't said it wants to be exclusive. This is not as useful as you'd think, since people keep connecting, and you might not be the next one.

3. Fork+kill inetinfo+bind-code. This is a bit...uh...mean spirited.

Now there are three other ways I know about:

1. If you're in inetinfo.exe you can patch it manually, intercepting every request and looking for keywords. Codered has code you can look at for this, I believe. But you might not be in Inetinfo, of course, because most overflows are in ISAPIs that run in dllhost.exe and communicate with Inetinfo via DCOM. They don't even have a socket, so if you did want to use cheesy getpeername loop shellcode to find the socket, you'd find ws2_32.dll isn't even loaded. The common solution is to load ws2_32.dll, init it, and do a callback, but that's not the point. :> Besides, what if your ISAPI doesn't have the privileges to even load ws2_32.dll? Possible.

2. If you were at G-Con 1 several years back you saw an amazing talk by Anakata which detailed some advanced shellcodes he'd written that did all sorts of amazing things. One of them was a full RSA and RC4 implementation in x86 assembly. But that's not the point here. The one relating to stealing sockets is his initial implementation of "GOcode". Basically it goes to each socket, sends a G down it, and waits for a sec. Then it reads one byte. If it gets an O (hence, the GOcode) then it knows it has the right socket. CANVAS uses GOcode for SPARC Solaris, Linux, and Windows. Bas Alberts spent a long time making it actually work. It sounds easy, but especially on Win32 there are a lot of "gotchas". This is usually pretty big code and maybe some people are wondering why their connection happened to get a G sent to it - but it has one major advantage: It doesn't care about NAT devices. (Various people use PEEK as a refinement on this technique).

3. If you search Google for "readclient shellcode" you can see that several Chinese exploits have been successful at using the readclient/writeclient ISAPI functions for back communications. This is excellent work, but they do leave out one detail - how do you find the connection ID that you'll need to make it work? The shellcode they post publicly appears to assume it's in a particular place, which is not common in my experience. My new shellcode overcomes that problem, and of course, fits into MOSDEF's framework. So you can hack a box over port 443 and then continue that SSL conversation with your new MOSDEF Node.
http://www.google.com/search?q=shellcode+readclient

Keep in mind SK totally crushed me at the little hacking competition that year in BlackHat. I had to ask David Litchfield for help and I still got like 3rd place. It's a really good talk, and he's done some good followup work on kernel shellcode.

And yes, the correct answer was FX. :>

-dave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave