v3,

Not exactly. There is a overflow which is exploited in the SVCHOST service, and shellcode is then wrote into the buffer and executed. The shellcode is what actually creates the open port (could use 80, if needed to bypass firewall) and not the SVCHOST service.

That exploit is a real vulnerability that worked on all Microsoft operating systems up until about a month ago. SVCHOST doesn't have any open ports, but it doesnt need any either. By sending a malformed rpc packet you are able to overflow the buffer and actually create your own portbind shell on whatever port you deem necessary.

No disinfo here. Totally plausible and while it was zero day it was pretty much a guaranteed way to get into a Microsoft system. Your system could have zero open ports and it would still work.

I also used telnet as a general remote connect software, but me personally would prefer SSH if connecting to a legit system, or netcat when doing things as described above.

I do appreciate the time you took to analyze what people have said though, its nice to see someone trying to disprove false information. I should have included more in my previous post about how it worked but didnt think many would understand even as much as I posted earlier.

what news source did this "snippet" come from?

Originally posted by deadline527
v3,

Not exactly. There is a overflow which is exploited in the SVCHOST service, and shellcode is then wrote into the buffer and executed. The shellcode is what actually creates the open port (could use 80, if needed to bypass firewall) and not the SVCHOST service.

That exploit is a real vulnerability that worked on all Microsoft operating systems up until about a month ago. SVCHOST doesn't have any open ports, but it doesnt need any either. By sending a malformed rpc packet you are able to overflow the buffer and actually create your own portbind shell on whatever port you deem necessary.

No disinfo here. Totally plausible and while it was zero day it was pretty much a guaranteed way to get into a Microsoft system. Your system could have zero open ports and it would still work.

Hey again,
For the sake of clarity, I wasn't suggesting that you were providing disinformation, sorry if I came off that way.

From what I gathered, the computer would have to actually run the .pl file to complete the circuit to allow the hack to operate. (this wouldn't be that hard to hide on a webpage or other script that would call it by the way)

The reason I say this, is that if my computer is sitting on the net, behind a NAT firewall, then any direct access to my external ip would meet my firewall and my computer would not even see the attempt to access it. Without a hardware firewall the point is of course moot. Software firewalls are "paper condoms" and should not be trusted. without any forwarded ports my computer may as well be invisible until I try to visit a webpage or such.

As with most firewalls, all outbound traffic is typically allowed, and once an outbound connection has been made, traffic back via that same conduit is allowed. So essentially if police were to require access to a computer, they need only to convince a person to make an outbound connection to a known point, probably "Click here to see the pedo alert on your neighbor" or something to that effect. Then access the backdoor, a similar .pl file or some other program. (*cough gotomypc.com...cough) Otherwise, I'm not sure how an externally initiated connection could bypass NAT.

I try not to code in perl or shellscript whenever possible so that might be where I'm lacking the answer. In any case, we can prove that police and others CAN in fact access your machine, the hoops they would need to go through would vary depending on your level of paranoia and expertise but it IS possible.

Thanks for reading
..Ex

The beauty of how it works is NOTHING has to be run on the target system. You only have to run the exploit from your system and you end up with a shell running on the target computer. This also goes to show how dangerous buffer overflows can be when you can use any number of useful shellcodes, in this example, a portbind shellcode for port 4444.

So you at your home system could actually have been hacked, with no knowledge at all. You would not have had to download anything, run anything, or anything of the sort. The only requirement is that you are running a Microsoft operating system with the SVCHOST service, which is ALL of them. The only difference between the systems is having to use a different offset for the exploit to work correctly.

I posted this example to counter someone said that the only way you can be hacked is by downloading, running, or using something that allows it. This cannot be further from the truth, and actually, the holy grail of exploit code is a remotely executable vulnerability that allows you to inject portbind shellcode.

Hopefully this makes a bit more sense.

The thing i have set up for my computer a encrypted flash drive with all the data i don't want anyone to get on it. i only plug it in when i need to and all other times it is hidden away.

They would have to hack my computer at just the right time and them find out my encryption system. even then the first and last of the drive is random garbage.

The joke with the government AES encryption is that with a simple addition of one bit of non-random garbage every 2 to 8 bits of info there backdoor becomes blocked.

The letter A is 8 bits 01000001 and if your program changes every third bit
you get 01100101 then encrypt that. when decrypted they will get 01100101
but you know to farther decrypted it by changing every third bit.

This is called Steganography
And programs can be written to do this.

This can be complex like in the first byte the third bit is changed and in the second byte the sixth bit is changed, ETC

This pattern can also be encrypted with a AES encryption making a encryption system that even the government can not break.

[edit on 4-1-2009 by ANNED]

If they were to show the judge that they obtained this incriminating information from your PC via some clandestine remote connection/ back door to your system , would that then not imply by virtue of this said backdoor that they had the capability to plant this information on your computer in the first place , thus making any use of any kind of information gathered this way as inadmissible ?

Originally posted by Drexl
If they were to show the judge that they obtained this incriminating information from your PC via some clandestine remote connection/ back door to your system , would that then not imply by virtue of this said backdoor that they had the capability to plant this information on your computer in the first place , thus making any use of any kind of information gathered this way as inadmissible ?

Sadly no. When the police question you, even if they lie to you it is still admissible. When the police currently arrest you, they can plant anything they would like, and you are still suspect until you can show it wasn't yours. (I know its backwards to innocent until proven guilty.)
eg:
A 15 year old kid was reported by yahoo to the police for uploading child porn to a yahoo group. Yahoo cited the kids IP and the police seized his computer and ran him through the mill. 2 years later it was finally discovered that a stealth ftp program was installed on his computer and he was simply being a mule for the dirtbags. Even though he was innocent the whole time, he was still ran through the system, completely messed up his life and destroyed his childhood.
(I saw this on an episode of 60 min or their competitor)

The moral of the story is that you need to protect yourself (hardware firewalls), by being aware of what is running on your system. Several apps will show you what is going on tcpview pro is good, or if you simple open a command prompt and type "netstat -an" with no quotes you'll see whats connecting on which ports.
Then google the port and you will have a better idea what is going on. (not fool proof, as bad apps can dictate their own ports. So ftp isn't always on 21/20)

..Ex

As luck would have it , only yesterday I found some good little ap that does some of what you say, ie the monitoring of ports etc . I do not know if i can give links, but the name on the image should be able to get you to the right page :

They are already in my computer. If they get really pissed at my posts they crash my computer. They have the ability to shut off my security at log on and go into the DOS and run simultaneously with me when I log on.
I have had to reload my computer every year. They also have the ability to take over my mouse and halt my backups. I also have to reload my security from time to time. I think the computer comes loaded with a mechanism that allows them to bypass normal security protocol.

Hello,

in germany this law is reality since begin of this year. People call it "The wet dream of the gestapo".

you will know that you have found a reason to live when you walk in a truth for which you are willing to die. At first a true patriot walks a path alone. He is ridiculed and scorned. But in the truth of his cause is a strength undeniable. Indestructable. It will take him across the threshold where he finally succeeds. Here, the masses will gladly join him in his cause. For at this point, it costs nothing to be a patriot.

Truth72

If this plan for intrusion without a warrant becomes Law, then it will be completely abused - as recent history has shown.

In the UK laws brought in a handful of years ago under the guise of being anti-terror - with assurances that they would never be used for any other purpose - have been abused to prosecute for offences as trivial as the wearing of a t-shirt bearing a slogan which insults Tony Blair, or daring to protest peacefully outside political conferences.

When local councils were granted permission to bring prosecutions using those same anti-terror laws, they abused the privilege by using it to monitor and prosectute people for allowing their dogs to foul pavements or park their cars in the wrong place.

The most worrying thing about this was just quickly - and how eagerly - the anti-terror law was adopted for use against citizens who were clearly not terrorists and were not involved in terrorist activity. So to think the situation will be any different and more restrained with this computer hacking law is nothing short of idiocy.

In the UK the Labour governemnt has ensured that rather than the Police serving to act primarily as a Police Force, they now serve to meet stringent targets for arrests. You only have to read blogs by Police Officers to see how this has led to a culture of prosecution for the most mundane and trivial offences - because when aiming for the targets, an arrest is an arrest.

Situations that in previous decades would have warranted nothing worse than a "word of advice" or a dressing down from a Police officer have routinely become automatic arrests. How much easier is it going to be to hit (and surpass!) these arrest targets under these new hacking plans? The Police would probably find a week's worth of "offendors" in a morning's hacking session. And they will.

What a warrantless hacking will lead to is a culture of Police officers trawling home PC's ooking for easy pickings, rather than focusing on serious cyber-criminals.

There is no reason or justification for this hacking to be allowed without a warrant. It's that simple.

and this next one
--------------------


Further to my previous advice here (was on encryption)

If anyone in your family should be arrested by the state over computer use, then this will help:

Each individual member of the family should totally deny ever using torrents to download ANYTHING illegal, say to the cops that someone else in the family may do it, but that you don't know who -stick to that story no matter what each of you, it is mostly impossible for them to know who is operating your unattended programs or downloads. Deny any knowledge of illicit content on the pc, no matter how incredulous this may sound the police cannot prove otherwise. Download some free and open content (eg movie trailers) from time-to-time, so that if they ask what YOU download, you can give examples -but always be vague...you are under no obligation to have a perfect memory no matter how hard officer jackboot shouts or how scary the threats. Always expect to be told 'another family member has blamed you' -that is a classic police interview trick to catch you out.

If everyone sticks to this 'story' NO MATTER WHAT, then the police are screwed allocating blame. Yes, they may ultimately confiscate the pc, but no-one gets prosecuted or set-up. They cannot hang you all on presumption of shared guilt...

If questioned on you browsing habits, just say that you cannot remember, that the others in the family are the geeks... -again, they cannot prove you cannot remember, they are screwed. Police try to catch you on 'micro detail', that is going back over your story time and time again looking for small detail changes -block that by being openly forgetfull and vague at all times.

Remember, none of the above has to be reality, you could be the only one in your family that uses a pc, but if you all have that story rehearsed properly, and are aware of police interview techniques, then you will be very hard for the state to harm by this route.