Forum Thread: Possible to Hijack an Attacker's Session?

Was having a discussion with some friends last night and the question came up: "Would it be possible to hijack an attacker's payload and control their computer through the open connection?"

Our hypothetical situation went something like this. Let's say I accidentally ran a reverse TCP EXE payload on my computer, giving an attacker a Meterpreter shell and access to my box. Using netstat or similar analysis, I'm able to figure out the EXE file, IP address, and port the attacker is using.

Now the question is, would there be a way to reverse engineer or even create exploits of my own against the EXE so that I can use that open connection to MY advantage and essentially attack the attacker. Theoretically I think this might be possible, but practically I'm not so sure.

Any thoughts?
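The triage step the post describes (netstat to find the open connection, then mapping it to the EXE and the attacker's IP and port) is easy to script. The following is an added example, not code from the thread or from any of its posters. It parses constructed `netstat -ano` and `tasklist` output from a Windows host (the addresses, PIDs and the name `payload.exe` are invented; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for public IPs), joins the two on PID, and reports established outbound connections to external addresses that come from a process not on a small browser allow-list or that use a non-web port. It also builds, but does not run, the containment commands a responder would type next.

```python
"""Triage helper: map an established reverse-TCP connection to its owning EXE.

Added example for the forum question above; not part of the original thread.
Sample command output below is constructed, not captured from a real incident.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed `netstat -ano` output. 203.0.113.10 plays the attacker's handler
# (port 4444, the Metasploit default), 198.51.100.7 a legitimate HTTPS site.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    192.168.1.20:49712     192.168.1.1:445        ESTABLISHED     4
  TCP    192.168.1.20:49801     203.0.113.10:4444      ESTABLISHED     5120
  TCP    192.168.1.20:49822     198.51.100.7:443       ESTABLISHED     3368
  TCP    192.168.1.20:49830     203.0.113.10:4444      TIME_WAIT       0
"""

# Constructed `tasklist` output; payload.exe is the hypothetical dropped EXE.
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
svchost.exe                    904 Services                   0     12,000 K
System                           4 Services                   0      1,200 K
payload.exe                   5120 Console                    1      8,440 K
chrome.exe                    3368 Console                    1    210,300 K
"""

# Ranges treated as "inside the LAN"; anything else is an external peer.
# Listed explicitly rather than via ipaddress.is_global so the documentation
# ranges used in the sample still count as external.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]
WEB_PORTS = {80, 443}
TRUSTED_IMAGES = frozenset({"chrome.exe", "firefox.exe", "msedge.exe"})

NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(\S+)\s+(\S+)\s+ESTABLISHED\s+(\d+)\s*$", re.MULTILINE)
# Image name, PID, session name, session number, memory usage.
TASKLIST_RE = re.compile(
    r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$", re.MULTILINE)


@dataclass
class Connection:
    pid: int
    image: str
    local: str
    remote_ip: str
    remote_port: int


def parse_netstat(text):
    """Return (local, remote_ip, remote_port, pid) for ESTABLISHED TCP rows."""
    rows = []
    for local, remote, pid in NETSTAT_RE.findall(text):
        ip, port = remote.rsplit(":", 1)
        rows.append((local, ip, int(port), int(pid)))
    return rows


def parse_tasklist(text):
    """Return {pid: image name}; header and separator lines never match."""
    return {int(pid): image for image, pid in TASKLIST_RE.findall(text)}


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LOCAL_NETS)


def external_connections(netstat_text, tasklist_text):
    """Established connections whose peer is outside LOCAL_NETS, with owner."""
    images = parse_tasklist(tasklist_text)
    return [Connection(pid, images.get(pid, "<unknown>"), local, ip, port)
            for local, ip, port, pid in parse_netstat(netstat_text)
            if is_external(ip)]


def suspicious(conns, trusted_images=TRUSTED_IMAGES):
    """Flag external connections from an untrusted image or on a non-web port.

    A payload that connects out on 443 from an unfamiliar EXE is still caught
    by the image check; one injected into a trusted browser process is not.
    """
    return [c for c in conns
            if c.image.lower() not in trusted_images
            or c.remote_port not in WEB_PORTS]


def containment_commands(c):
    """Commands a responder would run next (returned as strings, not executed)."""
    return [
        f"taskkill /PID {c.pid} /F",
        f'netsh advfirewall firewall add rule name="block {c.remote_ip}" '
        f"dir=out action=block remoteip={c.remote_ip}",
    ]


if __name__ == "__main__":
    for c in suspicious(external_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE)):
        print(f"PID {c.pid} ({c.image}) -> {c.remote_ip}:{c.remote_port}")
        for cmd in containment_commands(c):
            print("   ", cmd)
```

On a live box the two sample strings would be replaced by the real output of `netstat -ano` and `tasklist`, and the PID would then be fed to something that shows the full image path (`wmic process where processid=5120 get executablepath` or Process Explorer), since `tasklist` gives only the file name. This finds the connection and the EXE; it says nothing about whether the handler on the other end can be attacked, which is the part of the question the rest of the thread is about.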

8 Responses

In a theoretical sense, I don't see why you couldn't connect back to them yourself. Practical? I'm not sure but I am interested in finding out!

Mmm... maybe. But not in the sense you have it. Perhaps you would inject something via TCP instead?

So possibly trying to find a vulnerability in the handler and exploiting that? Since the connection is open and all.

Or maybe modifying the payload EXE to return arbitrary code when they try running commands against it?

It's a bit of a brain buster. LOL

Finding an exploit in the handler is the first thing I would come up with, since there is no firewall on that port.

Then again, it might take months, perhaps years, to find such an exploit.

Let's take a buffer overflow: if there is a variable that takes some sort of input over the network in the handler, you might be able to overflow its buffer and get remote code execution! You need to put your time into this "just in case". If you then ever get attacked, you could attack back immediately.

Modifying the EXE might also work, but it will take significant time because you need to reverse engineer the whole thing, and time is something you don't have when you are compromised.

-Phoenix750

I agree. And either scenario would take a VERY long time, but would totally be worth it if it's ever found.

Well, you could create that exploit as a backup plan before you get attacked, just in case. The moment you are compromised, you can use it against the attacker.

-Phoenix750

Yeah, but you don't have an exploit for every situation.

Yes, but I don't hack. Still, you can use the IP against them, and if you've got another computer connected to it that they don't have access to, you can IP-ban them.
