Bypassing ip restrictions with a backdoor

Posted: October 28, 2008 in midnight thoughts
Tags: , , ,

This idea popped in my head a while back and is still on my todo list (note: my todo list never shrinks). The following context/problem applies.

Suppose you want to steal information but the server you want to backdoor has got all ports ip restricted on an application level. Like a IIS instance which restricts users based on their ip address. How could this be bypassed without adjusting the IIS configuration or using a complicated rootkit. I thought of the following (note: this can also be implemented in ring0):

– hook the function responsible for sending/receiving data
– use Layered Service Provider http://www.microsoft.com/msj/0599/LayeredService/LayeredService.aspx

Either of those should do. Now the trick is to abuse the response packages which indicate that the user with the incorrect ip address is not allowed to connect to the server. Those packages are always sent and thus not suspicious. It also means that if you modify those packages you do not have a extra outgoing connection, so there is no connection which could be killed by the firewall.

The hard part is to maintain some kind of session or stack to allow connection with multiple ip address. This prevents log analyses to determine that a certain ip address has requested the forbidden page like 4000 times. The beauty I think is that because the data is smuggled in already existing packages you defeat most firewalls. This is purely hypothetical because I haven’t had time to implement this yet. A rough sketch would look like this:

client: sends normal packet trying to access the server but including a password for example and a unique id
server:  rejects it cause the ip addresss is incorrect BUT our backdoor sniffs the packet and detects the password, it then builds a session using the supplied unique id. It modifies the outgoing reject packet injecting for example: ok:unique_id+1

After that the client can just keep sending packets including commands to do whatever it feels like from different ip addresses as long as it keeps the unique id and password. Our backdoor should then be able to run the received commands and use the rejection packets as transportation to get the response to the client.

Well this is just a thought and who knows maybe it’s usefull maybe it’s not…I won’t know until it’s implemented and tested.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s