lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Mon, 14 Aug 2006 00:50:05 -0700
From: Alexander Sotirov <asotirov@...ermina.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: JavaScript get Internal Address (thanks	to
	DanBUK)

H D Moore wrote:
> 1) Create a metasploit payload for communicating with shell/meterpreter 
> via DNS queries and replies. This will not be a 'small' payload by any 
> means, but should be feasible for all DCERPC and browser bug exploits.
> 
> 2) Develop a custom DNS server for *.msf.metasploit.com
> 
> 3) Provide a registration page where you can request a username/password

How about a custom DNS server that takes queries like
*.1.2.3.4.msf.metasploit.com and returns a SOA that points to the 1.2.3.4 IP
address? This will force the client to contact the name server at 1.2.3.4
directly, avoiding the need for registration.

> The problems with this are:
> 
> * Privacy concerns regarding the initial DNS request to msf.metasploit.com 
> for the NS record of the attacker. Technically, this could violate a NDA 
> if used on a penetration test.

The domain name in the payload will be configurable, so you can set it to
myowndomain.com instead of msf.metasploit.com. If you are a pentester, you can
probably afford to run your own nameserver.

> * The framework console would need to bind to port 53 (r00t on unix) and 
> be accessible from the internet.

The same is true for all browser exploits in the framework.

> * It may not be that useful, but it does seem like a fun hack. With any 
> luck, this can be accomplished using the built-in name resolution API in 
> windows/unix/etc.

I think DNSAPI.DLL has all the functionality you need for the payload. Look at
WinDNS.h in the Platform SDK, specifically the DnsQuery() function. I just spent
an entire weekend reversing this dll, so I know it pretty well by now :-)

Alex

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ