Message-ID: <20060813191448.41FD.0@paddy.troja.mff.cuni.cz>
Date: Sun, 13 Aug 2006 19:30:06 +0200 (CEST)
From: Pavel Kankovsky <peak@...o.troja.mff.cuni.cz>
To: H D Moore <fdlist@...italoffense.net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Re[2]: JavaScript get Internal Address (thanks to DanBUK)
On Sat, 12 Aug 2006, H D Moore wrote:
> 1) Create a metasploit payload for communicating with shell/meterpreter
> via DNS queries and replies. This will not be a 'small' payload by any
> means, but should be feasible for all DCERPC and browser bug exploits.
nstx code fits into 20 kB. Not small but not too huge either.
And you can probably bootstrap it with a tiny loader downloading the rest
of code via DNS. In fact data download over DNS is much simpler than full
bidirectional communication, and you can take advantage of DNS caching to
save bandwidth during mass attacks against targets within a single
network. <g>
> * Privacy concerns regarding the initial DNS request to msf.metasploit.com
> for the NS record of the attacker. Technically, this could violate a NDA
> if used on a penetration test.
> * Really easy to signature if it always uses *.metasploit.com requests.
The solution is easy: do not hardwire the domain, make it configurable,
and let people (who care) set up their own servers with their own domain
names.
--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
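The two points raised above, a fixed domain being trivial to signature and a configurable domain defeating that signature, suggest what a defender actually needs: a watch-list check for known domains plus a behavioural check that does not care which domain the data is carried under. The script below is an added example, not code from the thread or from Metasploit or nstx; the log lines, the `KNOWN_C2_DOMAINS` watch-list and the log format are constructed for illustration, and `base_domain()` assumes the last two labels form the registrable domain (no public-suffix handling).

```python
"""Flag DNS queries that look like a DNS-based command channel.

Two complementary checks:
  1. signature match: queries under a configurable watch-list of base
     domains (cheap, but evaded as soon as the operator changes domain);
  2. behavioural heuristic: many distinct, long, high-entropy leftmost
     labels under one base domain, which is what encoded data carried in
     query names looks like regardless of the domain chosen.
"""
import math
from collections import defaultdict

# Constructed sample log (not from the original post); one query per line:
# "<timestamp> <client_ip> <query_name> <qtype>"
SAMPLE_LOG = """\
2006-08-13T19:30:01 10.0.0.12 www.example.org A
2006-08-13T19:30:02 10.0.0.12 mail.example.org MX
2006-08-13T19:30:03 10.0.0.57 a1.msf.metasploit.com NS
2006-08-13T19:30:04 10.0.0.57 4f9c2a7d3e1b8c5d6a0f.c2.tunnel-example.test TXT
2006-08-13T19:30:05 10.0.0.57 9b3e7d1c5a2f8e4d0c6b.c2.tunnel-example.test TXT
2006-08-13T19:30:06 10.0.0.57 1d5a8f3c7e2b9d4a6c0e.c2.tunnel-example.test TXT
2006-08-13T19:30:07 10.0.0.12 cdn.example.org A
"""

# Hypothetical watch-list; in practice fed from local config or threat intel.
KNOWN_C2_DOMAINS = {"msf.metasploit.com"}


def parse_log(text):
    """Parse the constructed space-separated log format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        records.append({"ts": ts, "client": client,
                        "qname": qname.rstrip(".").lower(), "qtype": qtype})
    return records


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname):
    """Last two labels; assumption: no public-suffix handling (e.g. co.uk)."""
    labels = qname.split(".")
    return ".".join(labels[-2:])


def signature_hits(records, bad_domains=KNOWN_C2_DOMAINS):
    """Query names that equal, or fall under, a watch-listed domain."""
    hits = []
    for r in records:
        q = r["qname"]
        if any(q == d or q.endswith("." + d) for d in bad_domains):
            hits.append(q)
    return hits


def heuristic_hits(records, min_label_len=16, min_entropy=3.5, min_unique=3):
    """Base domains seeing >= min_unique distinct data-like leftmost labels.

    Thresholds are illustrative; tune them against your own resolver logs.
    """
    suspects = defaultdict(set)
    for r in records:
        first = r["qname"].split(".")[0]
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            suspects[base_domain(r["qname"])].add(first)
    return {d: len(labels) for d, labels in suspects.items()
            if len(labels) >= min_unique}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("signature hits:", signature_hits(recs))
    print("heuristic hits:", heuristic_hits(recs))
```

On the sample log the signature check catches only the hard-wired `msf.metasploit.com` query, while the label heuristic catches the three queries under `tunnel-example.test` without knowing that domain in advance; the caching trick mentioned above (many hosts requesting the same names) would also show up as a cluster of clients sharing one base domain, which is a natural next field to group on.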