RE: pushing exploits through the Firewall

From: c.ehlen@bull.de
Date: Tue Feb 14 2006 - 06:31:49 EST


"Mike Gilligan" <mikewgilligan@hotmail.com>
To: pen-test@securityfocus.com
Subject: pushing exploits through the Firewall
12.02.2006 09:42

Hi Mike,

>I'm curious how it would be possible to launch the exploit against the
>server when a packet filtering device and stateful inspection Firewall sit
>between the pentester and the vuln host. It would seem at first glance that
>this is not a viable option. How else might one go about exploiting the
>vuln?

In issue 62 of Phrack magazine you can find an article called
"Advances_in_Windows_Shellcode" by sk.

(http://www.phrack.org/phrack/62/p62-0x07_Advances_in_Windows_Shellcode.txt)

Here is an abstract of the abstract:

"Firewall is everywhere in the Internet now. Most of the exploits
released in the public have little concern over firewall rules
because they are just proof of concept. In real world, we would
encounter targets with firewall that will make exploitation harder.
We need to overcome these obstacles for a successful penetration
testing job. The research of this paper started when we need to take
over (own) a machine which is heavily protected with rigid firewall
rules. Although we can reach the vulnerable service but the strong
firewall rules between us and the server hinder all standard exploits
useless."

If we assume that the firewall:

-blocks all ports except for the listening port of the service
-blocks all outgoing initial traffic from the target

you can still exploit the target with shellcode and/or payload using these
techniques:

-Find socket shellcode
-Reuse address shellcode
-Syscall Proxying

If the filter device is a DPI/ALG system, you can encapsulate the shell
communication in the payload of encrypted (steganographic) real-world
protocol packets or maybe use some kind of evasion/mutation code.

I think you will find these exploitation techniques in most exploit
frameworks.

Regards,
Christian
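To make the two firewall assumptions above concrete, here is an added example (not part of the original post or the Phrack paper): a small stateful-firewall model that applies exactly those rules and reports which payload connection patterns they stop. All addresses, ports and flows are constructed; the point for a defender is that the rule set blocks bind and reverse shells but passes anything that rides on the permitted service connection, so the fix has to be at the host/application layer.

```python
# Added example: minimal model of the stateful firewall described in the post.
# Addresses use documentation ranges and are constructed for this example.
ATTACKER = "203.0.113.5"
TARGET = "192.0.2.10"
SERVICE_PORT = 80            # the only listening port the firewall permits


class StatefulFirewall:
    """Two rules from the post: only the service port may be opened from
    outside, and the target may never initiate an outbound connection.
    Packets on an already-established flow pass without a rule re-check."""

    def __init__(self, service_port):
        self.service_port = service_port
        self.established = set()   # (client_ip, client_port, server_ip, server_port)

    def handle_syn(self, src, sport, dst, dport):
        """First packet of a new connection; returns True if it is allowed."""
        if dst == TARGET and dport == self.service_port:
            self.established.add((src, sport, dst, dport))
            return True
        # inbound to any other port, or any connection initiated by the target
        return False

    def handle_data(self, src, sport, dst, dport):
        """Data packet: allowed only on an established flow, either direction."""
        return ((src, sport, dst, dport) in self.established or
                (dst, dport, src, sport) in self.established)


def evaluate_payload_patterns():
    """Return which of the post's payload patterns the rule set lets through."""
    fw = StatefulFirewall(SERVICE_PORT)
    # the exploit request itself arrives on the permitted service connection
    fw.handle_syn(ATTACKER, 40000, TARGET, SERVICE_PORT)
    return {
        # bind shell: a second, new inbound connection to a fresh port
        "bind_shell": fw.handle_syn(ATTACKER, 40001, TARGET, 4444),
        # reverse shell: the target initiates a connection back out
        "reverse_shell": fw.handle_syn(TARGET, 50000, ATTACKER, 443),
        # find-socket: shell traffic flows over the already established connection
        "find_socket": fw.handle_data(TARGET, SERVICE_PORT, ATTACKER, 40000),
        # reuse-address: a new connection to the permitted service port
        "reuse_address": fw.handle_syn(ATTACKER, 40002, TARGET, SERVICE_PORT),
    }


if __name__ == "__main__":
    for name, allowed in evaluate_payload_patterns().items():
        print(f"{name:14s} {'passes' if allowed else 'blocked'}")
```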




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:31 EDT