[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <44E02B2D.1090705@determina.com>
Date: Mon, 14 Aug 2006 00:50:05 -0700
From: Alexander Sotirov <asotirov@...ermina.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: JavaScript get Internal Address (thanks to
DanBUK)
H D Moore wrote:
> 1) Create a metasploit payload for communicating with shell/meterpreter
> via DNS queries and replies. This will not be a 'small' payload by any
> means, but should be feasible for all DCERPC and browser bug exploits.
>
> 2) Develop a custom DNS server for *.msf.metasploit.com
>
> 3) Provide a registration page where you can request a username/password
How about a custom DNS server that takes queries like
*.1.2.3.4.msf.metasploit.com and returns a SOA that points to the 1.2.3.4 IP
address? This will force the client to contact the name server at 1.2.3.4
directly, avoiding the need for registration.
> The problems with this are:
>
> * Privacy concerns regarding the initial DNS request to msf.metasploit.com
> for the NS record of the attacker. Technically, this could violate a NDA
> if used on a penetration test.
The domain name in the payload will be configurable, so you can set it to
myowndomain.com instead of msf.metasploit.com. If you are a pentester, you can
probably afford to run your own nameserver.
> * The framework console would need to bind to port 53 (r00t on unix) and
> be accessible from the internet.
The same is true for all browser exploits in the framework.
> * It may not be that useful, but it does seem like a fun hack. With any
> luck, this can be accomplished using the built-in name resolution API in
> windows/unix/etc.
I think DNSAPI.DLL has all the functionality you need for the payload. Look at
WinDNS.h in the Platform SDK, specifically the DnsQuery() function. I just spent
an entire weekend reversing this dll, so I know it pretty well by now :-)
Alex
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists