Metasploit mailing list archives

Re: Listeners that hijack existing listen ports


From: HD Moore <hdm () metasploit com>
Date: Tue, 01 Dec 2009 09:40:13 -0600

On Tue, 2009-12-01 at 17:23 +0200, Konrads Smelkovs wrote:
> This is just a quick idea I came up with and I wonder if it is
> implementable at all.
> Sometimes, when exploiting vulnerabilities in DMZ systems it will be
> difficult or impossible to get a remote shell, because the firewall will
> filter incoming and outgoing connections. Would it be possible to
> hijack the listening socket through which the exploit arrived with
> specially crafted code, which would listen on that socket instead and,
> if the first 10 bytes are a magic string, spawn a shell; if not,
> pass the traffic back to the original socket?

This is what the find_tag stagers do, however they only work when the
exploited application has access to the original socket handle. This
isn't the case with IIS or most DCERPC services in Windows, but does
work with most third-party products.

-HD
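An added illustration of the technique HD refers to (this is not part of the original thread and not Metasploit's own find_tag stager code): the stager does not get a new connection, it walks the socket handles the exploited process already owns, peeks at the first bytes queued on each one, and keeps the handle whose pending data starts with a known tag. The sketch below does the same on POSIX with recv(MSG_PEEK) over file descriptors, using a socketpair to stand in for the exploited connection; the tag "MSF!", the wire data and the scan range of 1024 descriptors are all constructed for the example. The second scenario closes the victim-side handle before scanning, which is the situation HD describes for IIS and the Windows DCERPC services: the process never held the socket, so there is nothing to find.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#define TAG_LEN 4
#define SCAN_MAX 1024   /* assumed scan range for this demo */

/* Scan descriptors 0..maxfd-1 for a socket whose pending bytes start with tag.
 * MSG_PEEK leaves the bytes queued, so sockets that do not match are left
 * untouched for the application that owns them; MSG_DONTWAIT avoids blocking
 * on a socket with nothing pending. Non-sockets make recv() fail (ENOTSOCK)
 * and are simply skipped. Returns the matching fd, or -1 if no handle in
 * this process carries the tag. */
int find_tag_fd(const unsigned char *tag, int maxfd)
{
    unsigned char peek[TAG_LEN];
    for (int fd = 0; fd < maxfd; fd++) {
        ssize_t n = recv(fd, peek, TAG_LEN, MSG_PEEK | MSG_DONTWAIT);
        if (n == TAG_LEN && memcmp(peek, tag, TAG_LEN) == 0)
            return fd;
    }
    return -1;
}

/* Consume the tag, then read what follows it (in a real stager this is the
 * second stage that gets executed). Returns bytes read after the tag, or -1. */
ssize_t read_stage(int fd, unsigned char *out, size_t outlen)
{
    unsigned char tag[TAG_LEN];
    if (recv(fd, tag, TAG_LEN, 0) != TAG_LEN)
        return -1;
    return recv(fd, out, outlen, MSG_DONTWAIT);
}

/* Constructed scenario: a socketpair stands in for the exploited connection.
 * fds[0] is the attacker's end, fds[1] the socket the exploited process
 * already holds. With keep_handle == 0 the victim's end is closed before the
 * scan, modelling a process that never had the handle. Returns the number of
 * stage bytes recovered into out, or -1 when the tagged socket was not found. */
ssize_t demo_find_tag(int keep_handle, unsigned char *out, size_t outlen)
{
    static const unsigned char tag[TAG_LEN] = { 'M', 'S', 'F', '!' }; /* constructed tag */
    static const char wire[] = "MSF!second-stage";                  /* constructed traffic */
    int fds[2];
    ssize_t n = -1;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, fds) != 0)
        return -1;
    send(fds[0], wire, sizeof(wire) - 1, 0);   /* attacker sends tag + stage */
    if (!keep_handle)
        close(fds[1]);                          /* victim process lacks the socket */

    int fd = find_tag_fd(tag, SCAN_MAX);
    if (fd == fds[1])                           /* found our connection, not an unrelated fd */
        n = read_stage(fd, out, outlen);

    close(fds[0]);
    if (keep_handle)
        close(fds[1]);
    return n;
}

int main(void)
{
    unsigned char stage[64];
    ssize_t n = demo_find_tag(1, stage, sizeof stage);
    printf("with handle: %zd stage bytes: %.*s\n", n, (int)(n > 0 ? n : 0), (char *)stage);
    n = demo_find_tag(0, stage, sizeof stage);
    printf("without handle: %zd (nothing to hijack)\n", n);
    return 0;
}
```

The peek is what makes the approach safe for the host application: a socket that does not carry the tag keeps its data, so the original service still sees its traffic. The check against fds[1] is the demo's stand-in for the real constraint, which is that the scan only works when the socket lives in the exploited process's handle table.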

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework

