Research on WebServer port redirection Backdoor

Source: Internet
Author: User
Tags: set socket

0x00 Some time ago a friend asked me a question about the "no port available" case: in the intranet environment shown in the figure, the firewall only allows port 80 of the web server to establish network connections, and port 80 on the web server is already occupied by software such as IIS or Apache. How do you build a RAT backdoor under these conditions?

0x01 The well-known backdoor byshell ran into this problem early on and used a very frustrating solution: the client sends data to port 80, and the server opens the IIS process and loops over the entire memory of the IIS process looking for the data marker. Obviously this method is not feasible in terms of efficiency or stability, so it is not used here. Later someone proposed a port reuse method for building a backdoor. It relies on the setsockopt() API, which MSDN documents as setting socket options, with the following prototype:

    int setsockopt(SOCKET s, int level, int optname, const char FAR *optval, int optlen);

Here we only care about the third parameter, optname, which sets the socket state. One of its values is SO_REUSEADDR, which MSDN explains as follows: "The state of the SO_REUSEADDR socket option determines whether the local transport address to which a socket will be bound is always shared with other sockets. This socket option applies only to listening sockets, datagram sockets, and connection-oriented sockets." In other words, when optname is set to SO_REUSEADDR, the socket's port can be shared and reused. The sharing rule is "last one wins": the socket that binds later with this option receives the data first. This method currently works against Apache and against IIS 5.0 and earlier. Why does it not work on IIS 6.0 and later? That is explained below.

0x02 Through reverse engineering and reading the open source code, we know that Apache and IIS 5.0 and earlier use the IOCP model at the application layer for communication. Although the framework is complicated, they still create their sockets at the application layer. Does that suggest a new idea?
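The defender's counterpart to the SO_REUSEADDR behaviour described in 0x01 is the SO_EXCLUSIVEADDRUSE option, which a server sets on its own listening socket before bind() so that no other socket can bind the same address and port. The script below is an added example, not code from the original article: it creates a listener once without and once with the option (exposed in .NET as Socket.ExclusiveAddressUse), then attempts the second SO_REUSEADDR bind the article relies on and reports whether the stack allowed it. The loopback address and port 8080 are assumptions for the demo. MSDN also documents that, from Windows Server 2003 on, the second bind is only permitted to the same user account as the first socket or to an administrator; that limits who can abuse the behaviour but does not remove it, which is why the exclusive option on the server side is the real fix.

```powershell
# Added example (not from the original article): shows the server-side mitigation
# for SO_REUSEADDR port sharing. Port 8080 and the loopback address are assumptions.

function New-TestListener {
    param(
        [Parameter(Mandatory)][System.Net.IPAddress]$Address,
        [Parameter(Mandatory)][int]$Port,
        [bool]$Exclusive = $true
    )
    $s = [System.Net.Sockets.Socket]::new(
        [System.Net.Sockets.AddressFamily]::InterNetwork,
        [System.Net.Sockets.SocketType]::Stream,
        [System.Net.Sockets.ProtocolType]::Tcp)
    # SO_EXCLUSIVEADDRUSE must be set before Bind(); it is the setting that stops
    # another socket, even one using SO_REUSEADDR, from binding the same endpoint.
    $s.ExclusiveAddressUse = $Exclusive
    $s.Bind([System.Net.IPEndPoint]::new($Address, $Port))
    $s.Listen(16)
    return $s
}

function Test-PortSharing {
    # Attempts a second bind with SO_REUSEADDR to an endpoint that is already bound
    # and reports whether the stack allowed it. $true means the port could be shared.
    param(
        [Parameter(Mandatory)][System.Net.IPAddress]$Address,
        [Parameter(Mandatory)][int]$Port
    )
    $probe = [System.Net.Sockets.Socket]::new(
        [System.Net.Sockets.AddressFamily]::InterNetwork,
        [System.Net.Sockets.SocketType]::Stream,
        [System.Net.Sockets.ProtocolType]::Tcp)
    $probe.SetSocketOption(
        [System.Net.Sockets.SocketOptionLevel]::Socket,
        [System.Net.Sockets.SocketOptionName]::ReuseAddress, $true)
    try {
        $probe.Bind([System.Net.IPEndPoint]::new($Address, $Port))
        return $true
    } catch [System.Net.Sockets.SocketException] {
        # WSAEADDRINUSE (10048) or WSAEACCES (10013): the second bind was refused.
        return $false
    } finally {
        $probe.Close()
    }
}

$addr = [System.Net.IPAddress]::Loopback
$port = 8080
foreach ($exclusive in $false, $true) {
    $listener = New-TestListener -Address $addr -Port $port -Exclusive $exclusive
    try {
        $shared = Test-PortSharing -Address $addr -Port $port
        'ExclusiveAddressUse={0}: second bind {1}' -f $exclusive,
            $(if ($shared) { 'SUCCEEDED (port can be shared)' } else { 'refused (protected)' })
    } finally {
        $listener.Close()
    }
}
```

Run it from a normal Windows PowerShell session on a host where port 8080 is free. The first iteration shows the default behaviour the article exploits; the second shows the hardened listener refusing the probe. Server software that cannot be changed to set the option can still be checked with Test-PortSharing alone against its real port, which tells you whether that listener is exposed to this trick on that host.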
Yes. I thought of using a remote thread to inject a DLL that API-hooks WSARecv() and WSASend() to obtain the socket and the buffer pointer of the asynchronous I/O, then using getpeername() to compare the client information, and finally using that socket for our own I/O. Alternatively there is a simpler and cruder method: install an LSP via SPI and capture the data directly, although two-way communication is then harder. To summarise, this approach transfers the communication to a socket established at the application layer; in the figure, the red line marks the usable areas. Some readers may ask why a rootkit could not be used directly. Considered from ring 0 it is theoretically easy: a TDI or NDIS filter driver can filter all NIC I/O traffic directly. But writing such a heavyweight backdoor for this really is using a sledgehammer to crack a nut. SSDT hooks and IRP hooks under the TCP driver could also solve the problem. Why not do that? Because drivers are no longer the programming trend for Windows Trojans.

0x03 Remember the IIS 6.0 and later versions mentioned above? A new problem appears there. Starting with IIS 6.0, Microsoft, probably for reasons of security, stability and data-processing efficiency, moved the network communication into ring 0 and uses the http.sys driver to talk to the network directly, as shown in the figure. As a result there is no socket at the application layer, and the method above no longer applies. What should we do? Is the application layer no longer usable? That would not match the geek style. After preliminary reverse engineering of w3wp.exe, we found some usable places. All HTTP requests that ring 0 does not handle itself are processed by the w3wp.exe process. For the handling of an HTTP request I thought of the following points:

1. GET or POST access to files on disk may have to be completed at the application layer through CreateFile(), ReadFile() and WriteFile(). (API hook?)
2. HTTP is a text protocol that parses most of its content as ANSI strings, so are the standard string-processing functions used? (Or API hook?)
3. To interpret ASP, PHP and JSP scripts, the data may have to be handed to the interpretation engine. (Inline hook?)

0x04 Based on the points above, I verified them one by one. Note that OllyDbg's attach debugging of low-privilege processes is not stable and often crashes, so I switched to WinDbg, which is ugly but, as Microsoft's own debugger, very stable. First I set a breakpoint on CreateFileW() and got a pleasant surprise: WinDbg breaks on CreateFileW(), and in its first parameter we see the submitted "fuckyou1234". Here a check such as wcsncmp(s1, L"fuckyou1234", 11) == 0 can be used to pick out the backdoor command. Working backwards from several other string-processing functions I also found usable places: for example, a breakpoint on wcsstr() successfully captures cookies and other HTTP-related information. Cookies can carry more content than URLs and bypass some logging and filtering, as shown in the figure. These are the initial results of reversing the first two points; the third point we leave for the moment. Now there is a new question. When we obtain the command to execute, we cannot let it run inside w3wp.exe, a low-privilege process. So how do we get it executed by a high-privilege process, and how do we return the result to the client?

0x05 I kept a resident high-privilege process that creates an event object and a mailslot to receive the command sent by w3wp.exe. To feed data back to the client, we can redirect the first parameter of CreateFileW() so that it points at the pipe or at an output file on disk.
When that data is sent to the client, our execution result is smoothly fed back to it. This involves communication between a high-privilege and a low-privilege process. For the kernel objects created by the high-privilege process, the security attributes must be set so that the handle is inheritable and the security descriptor and DACL allow low-privilege access; only then can the event, mailslot and pipe objects be opened by the low-privilege process. The code is as follows. Finally, I used everything discussed above to write the following backdoor.

    #include <windows.h>

    HANDLE secCreateEventPort(WCHAR *szNameEvent)
    {
        SECURITY_DESCRIPTOR SecDescriptor = {0};
        SECURITY_ATTRIBUTES SecurityAttributes = {0};

        /* Initialise an absolute security descriptor (the call name is restored
           from context; the source text had it garbled). */
        if (InitializeSecurityDescriptor(&SecDescriptor, SECURITY_DESCRIPTOR_REVISION) == FALSE)
            return INVALID_HANDLE_VALUE;
        /* A NULL DACL grants every account full access to the event. That is what lets
           the low-privilege w3wp.exe open it, but it also lets any other process do so. */
        if (SetSecurityDescriptorDacl(&SecDescriptor, TRUE, NULL, FALSE) == 0)
            return INVALID_HANDLE_VALUE;

        SecurityAttributes.bInheritHandle = TRUE;
        SecurityAttributes.lpSecurityDescriptor = &SecDescriptor;
        SecurityAttributes.nLength = sizeof(SECURITY_ATTRIBUTES);

        /* Manual-reset event, initially non-signaled, with the given name. */
        return CreateEventW(&SecurityAttributes, TRUE, FALSE, szNameEvent);
    }
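From the defender's side, the techniques described in 0x01 through 0x05 leave host-level traces that are cheap to check: a second process holding a listening socket on the web server's port (port sharing), a DLL without a valid signature loaded into the worker process (the API-hook injection) and an unexpected Winsock catalog entry (the LSP variant). The script below is an added example, not code from the original article or from any of the tools it mentions; it uses only built-in cmdlets (Get-NetTCPConnection, Get-Process, Get-AuthenticodeSignature) and netsh. The process names in $WebProcessNames are assumptions and should be adjusted to the server being checked.

```powershell
# Added example (not from the original article): host-side checks for the port
# sharing, DLL injection and LSP techniques discussed above. Process names are assumed.

$WebProcessNames = @('w3wp', 'inetinfo', 'httpd')

function Find-SharedListeners {
    # Any local endpoint on which more than one process owns a LISTEN socket is
    # suspicious: a port is normally bound by exactly one process (or by PID 4 /
    # System for http.sys). Handle inheritance can produce legitimate hits, so treat
    # the output as a lead to investigate rather than an alert on its own.
    Get-NetTCPConnection -State Listen |
        Group-Object -Property LocalAddress, LocalPort |
        Where-Object { @($_.Group.OwningProcess | Sort-Object -Unique).Count -gt 1 } |
        ForEach-Object {
            $owners = foreach ($procId in ($_.Group.OwningProcess | Sort-Object -Unique)) {
                $p = Get-Process -Id $procId -ErrorAction SilentlyContinue
                '{0} ({1})' -f $procId, $(if ($p) { $p.ProcessName } else { 'unknown' })
            }
            [pscustomobject]@{ Endpoint = $_.Name; Owners = ($owners -join ', ') }
        }
}

function Find-UnsignedModules {
    # Lists DLLs loaded into the web worker processes that lack a valid Authenticode
    # signature. A DLL injected to hook WSARecv/WSASend or CreateFileW normally shows
    # up here. Unsigned is not the same as malicious: compare against a known-good
    # baseline of the same server. Reading another account's process modules needs
    # administrator rights, and a 32-bit shell cannot read 64-bit processes.
    param([string[]]$ProcessName = $WebProcessNames)
    foreach ($proc in (Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)) {
        $modules = try { $proc.Modules } catch { @() }
        foreach ($m in $modules) {
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
            if (-not $sig -or $sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Process = $proc.ProcessName
                    PID     = $proc.Id
                    Module  = $m.FileName
                    Status  = $(if ($sig) { $sig.Status } else { 'unreadable' })
                }
            }
        }
    }
}

function Get-WinsockProviders {
    # Winsock catalog entries, which is where an LSP installed through SPI registers.
    # Compare the provider paths against the baseline; a provider DLL outside
    # System32 deserves attention.
    netsh winsock show catalog | Select-String -Pattern 'Description|Provider Path'
}

'== Endpoints with more than one listening owner =='
Find-SharedListeners | Format-Table -AutoSize
'== Modules without a valid signature in web worker processes =='
Find-UnsignedModules | Format-Table -AutoSize
'== Winsock catalog providers =='
Get-WinsockProviders
```

Run it in an elevated PowerShell on the web server itself. On an IIS 6.0 or later host the web ports are owned by PID 4 (http.sys), so Find-SharedListeners mainly matters for Apache and older IIS, while Find-UnsignedModules covers the w3wp.exe hooking path described in 0x04; the Winsock catalog listing is only useful when compared against a clean baseline of the same machine.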
