Dailydave mailing list archives
A white-tip shark has a sensitive enough lateral line to hunt the reef in complete darkness
From: Dave Aitel <dave () immunitysec com>
Date: Thu, 06 Jan 2005 21:57:27 -0500
Just to sum up SK Chong's pdf since BlackHat's website is entirely too
slow: He details 3 major methods of doing socket reuse on Windows:
1. LSD-style getpeername loop. This method typically looks up the
incoming port or IP of each socket and does a compare against a static
port or IP. One advantage of this method is that it's small and somewhat
reliable, but it has issues "in the wild" as network conditions exceed
simple point-to-point connections. Basically, against a webserver you
will likely be going through a reverse proxy. And, of course, you may be
hacking from within a network you don't have full control over. You
can't be redoing the NAT filters on your target's network every time you
want to hack from it. This is still the most widely used method I've
seen - in fact, this is the method everyone else but Immunity and
.gov.cn and a few other random people use (Halvar, for example :>), as
far as I know.
2. Bind-code can be used to listen on the same socket as Inetinfo or
another service if it hasn't said it wasn't to be exclusive. This is not
as useful as you'd think, since people keep connecting, and you might
not be the next one.
3. Fork+kill inetinfo+bind-code. This is a bit...uh...mean spirited.
Now there are three other ways I know about:
1. If you're in inetinfo.exe you can patch it manually, intercepting
every request and looking for keywords. Codered has code you can look at
for this, I believe. But you might not be in Inetinfo, of course, cause
most overflows are in ISAPIs that run in dllhost.exe and communicate
with Inetinfo via DCOM. They don't even have a socket, so if you did
want to use cheesy getpeername loop shellcode to find the socket, you'd
find ws2_32.dll isn't even loaded. The common solution is to load
ws2_32.dll, init it, and do a callback, but that's not the point. :>
Besides, what if your ISAPI doesn't have the privileges to even load
ws2_32.dll? Possible.
2. If you were at G-Con 1 several years back you saw an amazing talk by
Anakata which detailed some advanced shellcodes he'd written that did
all sorts of amazing things. One of them was a full RSA and RC4
implementation in x86 assembly. But that's not the point here. The one
relating to stealing sockets is his initial implementation of "GOcode".
Basically it goes to each socket, sends a G down it, and waits for a
sec. Then it reads one byte. If it gets an O (hence, the GOcode) then it
knows it has the right socket. CANVAS uses GOcode for SPARC Solaris,
Linux, and Windows. Bas Alberts spent a long time making it actually
work. It sounds easy, but especially on Win32 there are a lot of
"gotchas". This is usually pretty big code and maybe some people are
wondering why their connection happened to get a G sent to it - but it
has one major advantage: It doesn't care about NAT devices. (Various
people use PEEK as a refinement on this technique).
3. If you search Google for "readclient shellcode" you can see that
several Chinese exploits have been successful at using the
readclient/writeclient ISAPI functions for back communications. This is
excellent work, but they do leave out one detail - how do you find the
connection ID that you'll need to make it work? The shellcode they post
publicly appears to assume it's in a particular place, which is not
common in my experience. My new shellcode overcomes that problem, and of
course, fits into MOSDEF's framework. So you can hack a box over port
443 and then continue that SSL conversation with your new MOSDEF Node.
http://www.google.com/search?q=shellcode+readclient
Keep in mind SK totally crushed me at the little hacking competition
that year in BlackHat. I had to ask David Litchfield for help and I
still got like 3rd place. It's a really good talk, and he's done some
good follow-up work on kernel shellcode.
And yes, the correct answer was FX. :>
-dave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave