Metasploit mailing list archives

Re: Listeners that hijack existing listen ports


From: Amin Tora <amintora () gmail com>
Date: Tue, 1 Dec 2009 12:05:02 -0500

This is definitely doable on the endpoint system - as in coding to use existing connections. However, it is very tricky when it comes to hijacking the communication stream. The difficulty depends on what L3 or L4 protocol you are using: L3 (ICMP, IGMP, IP), L4 (TCP, UDP). Firewalls will hold state tables for each, and depending on the protocol you are utilizing, you'd have to either guess/infer the state of the existing connections or be in the direct path of the communication. Due to randomization in sequencing, this attack can prove very difficult to accomplish if you are not in the direct path of the communication. This applies not only to firewalls, but to the TCP/IP stack communication state on the endpoint as well.

-amin



On Dec 1, 2009, at 10:23 AM, Konrads Smelkovs wrote:

Hello,

This is just a quick idea I came up with, and I wonder if it is implementable at all.
Sometimes, when exploiting vulnerabilities in DMZ systems, it will be difficult or impossible to get a remote shell, because the firewall will filter incoming and outgoing connections. Would it be possible to hijack the listening socket through which the exploit arrived with specially crafted code, which would listen on that socket instead, and if the first 10 bytes are a magic string, then it spawns a shell; if not, then it passes the traffic back to the original socket?
--
Konrads Smelkovs
Applied IT sorcery.
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework



