Radmin server connections that never drop: analysis and resolution
Source: 新人无忧 (compiled and edited) | Updated: 2008-5-7 9:12:53
1. Problem description

Radmin is an excellent remote control program, and it is hard to beat as a backdoor on a jump host. But every time we connect through the jump host and then look at the host's connections, the connection between us and the Radmin on that host is still visible; it is merely shown as TIME_WAIT, and it stays that way.

Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
TCP    0.0.0.0:1030           0.0.0.0:0              LISTENING
TCP    127.0.0.1:1031         0.0.0.0:0              LISTENING
TCP    192.168.11.1:139       0.0.0.0:0              LISTENING
TCP    192.168.72.1:139       0.0.0.0:0              LISTENING
TCP    192.168.168.220:1030   192.168.168.221:1034   TIME_WAIT
UDP    0.0.0.0:445            *:*
UDP    0.0.0.0:1026           *:*
UDP    127.0.0.1:123          *:*
UDP    127.0.0.1:1900         *:*
UDP    192.168.11.1:123       *:*
UDP    192.168.11.1:137       *:*
UDP    192.168.11.1:138       *:*
UDP    192.168.11.1:1900      *:*
UDP    192.168.72.1:123       *:*
UDP    192.168.72.1:137       *:*
UDP    192.168.72.1:138       *:*
UDP    192.168.72.1:1900      *:*
UDP    192.168.168.220:123    *:*
UDP    192.168.168.220:1900   *:*

2. Problem analysis

My initial guess was that the timeout set through setsockopt is wrong; perhaps it was set to an infinite timeout? Debugging the Radmin server with a breakpoint on setsockopt gives the following.

First break:

71A42E30 > 8BFF             MOV EDI,EDI
71A42E32   55               PUSH EBP
71A42E33   8BEC             MOV EBP,ESP
71A42E35   837D 0C 00       CMP DWORD PTR SS:[EBP+C],0
71A42E39   0F84 25010000    JE WSOCK32.71A42F64
71A42E3F   8B45 10          MOV EAX,DWORD PTR SS:[EBP+10]
71A42E42   837D 0C 06       CMP DWORD PTR SS:[EBP+C],6
71A42E46   8B4D 14          MOV ECX,DWORD PTR SS:[EBP+14]
71A42E49   74 75            JE SHORT WSOCK32.71A42EC0
71A42E4B   FF75 18          PUSH DWORD PTR SS:[EBP+18]
71A42E4E   51               PUSH ECX
71A42E4F   50               PUSH EAX
71A42E50   FF75 0C          PUSH DWORD PTR SS:[EBP+C]
71A42E53   FF75 08          PUSH DWORD PTR SS:[EBP+8]
71A42E56   E8 09000000      CALL <JMP.&WS2_32.#21__setsockopt@20>
71A42E5B   5D               POP EBP
71A42E5C   C2 1400          RETN 14
71A42E5F   90               NOP
71A42E60   90               NOP
71A42E61   90               NOP
71A42E62   90               NOP
71A42E63   90               NOP
71A42E64 - FF25 0010A471    JMP DWORD PTR DS:[<&WS2_32.#21__setsocko>; WS2_32.setsockopt

Examining the stack:

0012F808 0096D367 /CALL to setsockopt from 0096D362
0012F80C 0000007C |Socket
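As an added defender-side example (not from the original article), the following Python script parses a Windows netstat -an listing of this shape and reports, for every locally listening TCP port, which peers have sessions against it, whether still open or lingering in TIME_WAIT; the embedded sample listing is constructed from the output above. A TIME_WAIT entry is the normal TCP state for the side that closed the connection first and expires on its own after 2*MSL, so on a host review it records a recently closed session to that service, not an active one.

```python
"""Report peers connected to locally listening TCP services in a
Windows `netstat -an` listing, including sessions left in TIME_WAIT."""
import re
from collections import defaultdict

# Constructed sample, abridged from the listing discussed above.
SAMPLE = """\
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
TCP    0.0.0.0:1030           0.0.0.0:0              LISTENING
TCP    127.0.0.1:1031         0.0.0.0:0              LISTENING
TCP    192.168.168.220:1030   192.168.168.221:1034   TIME_WAIT
UDP    0.0.0.0:445            *:*
"""

# proto, local ip:port, foreign ip:port, optional state (UDP rows have none)
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return rows as (proto, local_ip, local_port, foreign_ip, foreign_port, state)."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or blank line
        proto, lip, lport, fip, fport, state = m.groups()
        rows.append((proto, lip, int(lport), fip, fport, state or ""))
    return rows


def inbound_sessions(rows):
    """Map each listening TCP port to the (peer, state) pairs seen against it."""
    listening = {r[2] for r in rows if r[0] == "TCP" and r[5] == "LISTENING"}
    peers = defaultdict(list)
    for proto, lip, lport, fip, fport, state in rows:
        # A non-LISTENING row whose local port is a listening port is an
        # inbound session to that service (open, closing, or in TIME_WAIT).
        if proto == "TCP" and state != "LISTENING" and lport in listening:
            peers[lport].append((f"{fip}:{fport}", state))
    return dict(peers)


if __name__ == "__main__":
    for port, plist in inbound_sessions(parse_netstat(SAMPLE)).items():
        for peer, state in plist:
            print(f"service on local port {port}: peer {peer} ({state})")
```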