Full Disclosure mailing list archives
Re: JavaScript get Internal Address (thanks to DanBUK)
From: Alexander Sotirov <asotirov () determina com>
Date: Mon, 14 Aug 2006 00:50:05 -0700
H D Moore wrote:
> 1) Create a metasploit payload for communicating with shell/meterpreter via DNS queries and replies. This will not be a 'small' payload by any means, but should be feasible for all DCERPC and browser bug exploits.
> 2) Develop a custom DNS server for *.msf.metasploit.com
> 3) Provide a registration page where you can request a username/password

How about a custom DNS server that takes queries like *.1.2.3.4.msf.metasploit.com and returns a SOA that points to the 1.2.3.4 IP address? This will force the client to contact the name server at 1.2.3.4 directly, avoiding the need for registration.

> The problems with this are:
> * Privacy concerns regarding the initial DNS request to msf.metasploit.com for the NS record of the attacker. Technically, this could violate an NDA if used on a penetration test.

The domain name in the payload will be configurable, so you can set it to myowndomain.com instead of msf.metasploit.com. If you are a pentester, you can probably afford to run your own nameserver.

> * The framework console would need to bind to port 53 (r00t on unix) and be accessible from the internet.

The same is true for all browser exploits in the framework.

> * It may not be that useful, but it does seem like a fun hack. With any luck, this can be accomplished using the built-in name resolution API in windows/unix/etc.

I think DNSAPI.DLL has all the functionality you need for the payload. Look at WinDNS.h in the Platform SDK, specifically the DnsQuery() function. I just spent an entire weekend reversing this dll, so I know it pretty well by now :-)

Alex

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
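The "custom DNS server" idea in the message above, worked through as an added example (this is editorial code, not anything posted in the thread or shipped with Metasploit). A query for anything.A.B.C.D.<base domain> is answered with a referral that delegates A.B.C.D.<base domain> to a server whose glue A record is A.B.C.D, so the querying resolver's next hop is the host encoded in the name. The referral is built here as an NS record plus a glue A record, which is the form of delegation a resolver actually follows; the base domain defaults to the msf.metasploit.com example from the thread and is a parameter so it can be swapped for your own domain. The `ns` label, the 60-second TTL and the REFUSED answer for names that carry no address are assumptions of this example. The demo runs offline against a constructed query packet; `serve()` is the real UDP loop and needs port 53, which on Unix means root, as the quoted message notes.

```python
"""Referral name server: delegate A.B.C.D.<base> to the address A.B.C.D found in the query."""
import struct
import socket

BASE_DOMAIN = "msf.metasploit.com"   # the thread's example domain; pass your own instead
NS_LABEL = "ns"                      # assumed label for the delegated zone's name server
TTL = 60                             # assumed TTL for the referral records


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(packet, offset):
    """Read a name at offset, following compression pointers; return (name, next_offset)."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def extract_target(qname, base_domain=BASE_DOMAIN):
    """Return (ip, delegated_zone) for x.A.B.C.D.<base>, or None if the name does not fit."""
    labels = qname.lower().rstrip(".").split(".")
    base = base_domain.lower().split(".")
    if len(labels) < len(base) + 4 or labels[-len(base):] != base:
        return None
    octets = labels[-len(base) - 4:-len(base)]
    # strict decimal octets: no leading zeros, no values above 255
    if not all(o.isdigit() and str(int(o)) == o and int(o) <= 255 for o in octets):
        return None
    return ".".join(octets), ".".join(octets + base)


def build_referral(query, base_domain=BASE_DOMAIN):
    """Answer one query packet: a referral for names that carry an IP, REFUSED otherwise."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(query, 12)
    question = query[12:off + 4]                        # name + QTYPE + QCLASS, echoed back
    rd = flags & 0x0100                                  # keep the client's RD bit
    target = extract_target(qname, base_domain)
    if target is None:
        return struct.pack("!HHHHHH", txid, 0x8000 | rd | 5, 1, 0, 0, 0) + question
    ip, zone = target
    ns_name = NS_LABEL + "." + zone
    ns_rdata = encode_name(ns_name)
    authority = encode_name(zone) + struct.pack("!HHIH", 2, 1, TTL, len(ns_rdata)) + ns_rdata
    additional = ns_rdata + struct.pack("!HHIH", 1, 1, TTL, 4) + socket.inet_aton(ip)
    header = struct.pack("!HHHHHH", txid, 0x8000 | rd, 1, 0, 1, 1)
    return header + question + authority + additional


def build_query(qname, qtype=1, txid=0x1234):
    """Construct a standard recursive query (used for the offline demo)."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_records(packet):
    """Parse a response into (rcode, [(section, name, type, rdata)]) for inspection."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(packet, off)
        off += 4
    records = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(packet, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
            off += 10
            rdata = packet[off:off + rdlen]
            off += rdlen
            if rtype == 2:
                rdata = decode_name(packet, off - rdlen)[0]
            elif rtype == 1:
                rdata = socket.inet_ntoa(rdata)
            records.append((section, name, rtype, rdata))
    return flags & 0xF, records


def serve(bind=("0.0.0.0", 53), base_domain=BASE_DOMAIN):
    """UDP loop; binding port 53 needs root on Unix. Malformed packets are dropped."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(build_referral(data, base_domain), peer)
        except (ValueError, IndexError, struct.error):
            pass


if __name__ == "__main__":
    # offline round trip with a constructed query, no sockets involved
    print(parse_records(build_referral(build_query("a.1.2.3.4." + BASE_DOMAIN))))
```

Two caveats a practitioner would want alongside this: the server answers only for its own base domain and refuses everything else, so it cannot be turned into an open resolver; and the privacy point raised in the thread still stands, since whichever resolver the target uses will see the encoded address in the query name before it follows the referral.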
Current thread:
- JavaScript get Internal Address (thanks to DanBUK) pdp (architect) (Aug 12)
- Re: JavaScript get Internal Address (thanks to DanBUK) Martin Dipo Zimmermann (Aug 12)
- Re: JavaScript get Internal Address (thanks to DanBUK) pdp (architect) (Aug 12)
- Re: JavaScript get Internal Address (thanks to DanBUK) H D Moore (Aug 12)
- Re[2]: JavaScript get Internal Address (thanks to DanBUK) Thierry Zoller (Aug 12)
- Re: Re[2]: JavaScript get Internal Address (thanks to DanBUK) H D Moore (Aug 12)
- Re[4]: JavaScript get Internal Address (thanks to DanBUK) Thierry Zoller (Aug 12)
- Re: Re[2]: JavaScript get Internal Address (thanks to DanBUK) Pavel Kankovsky (Aug 13)
- Re: JavaScript get Internal Address (thanks to DanBUK) Alexander Sotirov (Aug 14)
- Re[2]: JavaScript get Internal Address (thanks to DanBUK) Thierry Zoller (Aug 12)
- Re: JavaScript get Internal Address (thanks toDanBUK) nikolay (Aug 12)
- Re: JavaScript get Internal Address (thanks to DanBUK) Martin Dipo Zimmermann (Aug 12)