Metasploit mailing list archives
Re: Listeners that hijack existing listen ports
From: Amin Tora <amintora () gmail com>
Date: Tue, 1 Dec 2009 12:05:02 -0500
This is definitely doable on the endpoint system - as in coding to use existing connections. However, very tricky when it comes to the communication stream hijacking. The difficulty depends on what L3 or L4 protocol you are using: L3 (ICMP, IGMP, IP), L4 (TCP, UDP). Firewalls will hold state tables for each, and depending on the protocol you are utilizing, you'd have to either guess/infer the state of the existing connections or be in the direct path of the communication.

Due to randomization in sequencing, this attack can prove very difficult to accomplish if you are not in the direct path of the communication. This not only applies to firewalls, but to the TCP/IP stack communication state on the endpoint as well.

-amin

On Dec 1, 2009, at 10:23 AM, Konrads Smelkovs wrote:
> Hello,
>
> This is just a quick idea I came up with and I wonder if it is implementable at all. Sometimes, when exploiting vulnerabilities in DMZ systems it will be difficult or impossible to get a remote shell, because the firewall will filter incoming and outgoing connections. Would it be possible to hijack the listening socket through which the exploit arrived to a specially crafted code, which would listen to that socket instead and, if the first 10 bytes are a magic string, then it spawns a shell; if not, then passes the traffic back to the original socket?
>
> --
> Konrads Smelkovs
> Applied IT sorcery.
>
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework
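From the defender's side, the scenario the thread discusses (a second piece of code taking over, or sharing, a socket that a legitimate service is supposed to own) leaves a visible trace on the endpoint: the port is now owned by a process that is not the expected daemon, or by two different programs at once. The following script is an added example written for this page, not code from the thread or from Metasploit. It parses Linux `ss -ltnp` style output against a baseline of which process is expected to own each listening port. The `ss` output, the baseline table and the `relay` process on port 443 are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of `ss -ltnp` output; not captured from a real host.
# Port 443 is shown with a second owner ("relay") to stand in for an
# unexpected program that has attached itself to an existing listen port.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("httpd",pid=1200,fd=6),("httpd",pid=1201,fd=6))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("httpd",pid=1200,fd=8),("relay",pid=4711,fd=4))
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=900,fd=5))
"""

# Hypothetical baseline: which process names may own each listening port.
# On a real host this would come from the service inventory for the DMZ box.
EXPECTED_OWNERS = {
    22: {"sshd"},
    80: {"httpd"},
    443: {"httpd"},
    5432: {"postgres"},
}

# Matches one ("name",pid=N,fd=N) entry inside the ss "Process" column.
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=(\d+)\)')


def parse_listeners(ss_text):
    """Return {port: [(process_name, pid, fd), ...]} for every LISTEN row."""
    listeners = defaultdict(list)
    for line in ss_text.splitlines():
        if not line.startswith("LISTEN"):
            continue  # skip the header and any non-listening rows
        fields = line.split()
        local_addr = fields[3]
        # rsplit keeps IPv6 forms such as [::]:443 intact
        port = int(local_addr.rsplit(":", 1)[1])
        for name, pid, fd in PROC_RE.findall(line):
            listeners[port].append((name, int(pid), int(fd)))
    return dict(listeners)


def find_suspicious(listeners, expected):
    """Flag ports with no baseline entry, or owned by a process outside it.

    Several PIDs of the same expected program (worker processes) are normal
    and are not flagged; a different program on the same port is.
    """
    findings = []
    for port, owners in sorted(listeners.items()):
        names = {name for name, _, _ in owners}
        allowed = expected.get(port)
        if allowed is None:
            findings.append((port, "port not in baseline", sorted(names)))
        elif not names <= allowed:
            findings.append((port, "unexpected owner", sorted(names - allowed)))
    return findings


if __name__ == "__main__":
    # In practice: subprocess.run(["ss", "-ltnp"], capture_output=True, text=True).stdout
    for port, reason, names in find_suspicious(parse_listeners(SAMPLE_SS_OUTPUT), EXPECTED_OWNERS):
        print(f"port {port}: {reason}: {', '.join(names)}")
```

Run against the constructed sample it reports only port 443, where `relay` shares the listener with `httpd`. The check is deliberately coarse: it catches the socket-level symptom of the idea in the thread (a port answered by something other than the intended service), and it should be paired with a process-integrity check, since an attacker who injects into the legitimate daemon's own process will still show up under the expected name.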
Current thread:
- Listeners that hijack existing listen ports Konrads Smelkovs (Dec 01)
- Re: Listeners that hijack existing listen ports HD Moore (Dec 01)
- multiple remote windows open on vncinject Jeffs (Dec 01)
- Re: multiple remote windows open on vncinject Patrick Webster (Dec 02)
- the rewriting of exploit.rb Jeffs (Dec 02)
- Re: the rewriting of exploit.rb Jeffs (Dec 02)
- pardon me for plugging Rapid7 Jeffs (Dec 02)
- Re: pardon me for plugging Rapid7 Danux (Dec 02)
- multiple remote windows open on vncinject Jeffs (Dec 01)
- Re: Listeners that hijack existing listen ports Amin Tora (Dec 01)
- Re: Listeners that hijack existing listen ports HD Moore (Dec 01)