Full Disclosure mailing list archives

Re: Re[2]: JavaScript get Internal Address (thanks to DanBUK)


From: H D Moore <fdlist () digitaloffense net>
Date: Sat, 12 Aug 2006 12:41:09 -0500

On Saturday 12 August 2006 12:16, Thierry Zoller wrote:
> OHoh, when can we expect a DNS tunnel, tunneling a shell through your
> DNS requests and DNS answers ? :) A nice remote shell through dns
> tunnel over XSS. LOL :)

Heh. I actually have a plan for doing that :-)

1) Create a metasploit payload for communicating with shell/meterpreter 
via DNS queries and replies. This will not be a 'small' payload by any 
means, but should be feasible for all DCERPC and browser bug exploits.

2) Develop a custom DNS server for *.msf.metasploit.com

3) Provide a registration page where you can request a username/password

4) Provide a DNS sub-domain server in metasploit 3.0. This attacker will 
connect to the metasploit.com web site, post the user/pass, and ask for a 
unique sub-domain that points back to its own address. This can be 
automated by the payload handler.

5) Select a DNS payload, select an exploit, exploit the target system. The 
payload is configured to "talk" to *.uniqueId.msf.metasploit.com, which 
actually runs on the system running the metasploit console.

6) The payload runs, the client resolves the NS record from our server, 
gets redirected to the attacking metasploit console, and communication 
starts.

7) Profit!


The problems with this are:

* Privacy concerns regarding the initial DNS request to msf.metasploit.com 
for the NS record of the attacker. Technically, this could violate an NDA 
if used on a penetration test.

* The framework console would need to bind to port 53 (r00t on unix) and 
be accessible from the internet.

* Need to develop a DNS service running in Ruby. Another time requirement.

* It may not be that useful, but it does seem like a fun hack. With any 
luck, this can be accomplished using the built-in name resolution API in 
windows/unix/etc.

* Really easy to signature if it always uses *.metasploit.com requests.
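A defender-side illustration of that last point, added here as an example and not part of Moore's post: a small set of heuristics that flag the kind of DNS traffic such a channel would generate (a watchlisted suffix, bulky record types, high-entropy leftmost labels, and many distinct names under one zone from a single client). The log format "client qtype qname", the sample lines, and the `uid42` sub-domain are all constructed for the example.

```python
"""Heuristic detection of DNS-carried command channels (added example)."""
import math
from collections import defaultdict

# Constructed sample resolver log (client, query type, name); not from the original post.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.7 TXT 8f3a1c9e2b7d4f60a1b2.s1.uid42.msf.metasploit.com
10.0.0.7 TXT 0c4d7e8a91b3f5e6d2c8.s2.uid42.msf.metasploit.com
10.0.0.7 TXT b7e19d3c5a6f4e2d8c01.s3.uid42.msf.metasploit.com
10.0.0.7 A cdn.example.com
"""

# The suffix the post itself names as trivially signaturable.
WATCHLIST = ("msf.metasploit.com",)

def parse_log(text):
    """Return (client, qtype, qname) tuples; blank or malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            out.append((parts[0], parts[1].upper(), parts[2].lower().rstrip(".")))
    return out

def shannon_entropy(s):
    """Bits per character; encoded payload labels score higher than ordinary hostnames."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def query_reasons(qtype, qname):
    """Per-query indicators of a tunnelled channel; an empty list means nothing odd."""
    reasons = []
    first = qname.split(".")[0]
    if any(qname == w or qname.endswith("." + w) for w in WATCHLIST):
        reasons.append("watchlisted suffix")
    if qtype in ("TXT", "NULL"):  # record types that carry arbitrary bulk data
        reasons.append("bulky record type")
    if len(first) >= 16 and shannon_entropy(first) > 3.5:
        reasons.append("high-entropy leftmost label")
    return reasons

def flag_clients(records, min_unique=3):
    """Map (client, zone) -> count for clients issuing >= min_unique distinct odd names under one zone."""
    seen = defaultdict(set)
    for client, qtype, qname in records:
        if query_reasons(qtype, qname):
            zone = ".".join(qname.split(".")[-3:])  # crude zone key: last three labels
            seen[(client, zone)].add(qname)
    return {k: len(v) for k, v in seen.items() if len(v) >= min_unique}
```

Run `flag_clients(parse_log(SAMPLE_LOG))` to see only the client talking to the watchlisted zone reported; the thresholds are starting points to tune against a site's own baseline.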
