Client side attacks - reverse connection through HTTP proxy

[tyronmiller at gmail.com (Ty Miller)]

Hey guys,

Thought this might be relevant for this discussion. This isn't included in
Metasploit yet, but at Blackhat this year I released "Reverse DNS Tunneling
Shellcode" that will connect out via DNS and bypasses all authenticated
proxies and firewalls. The only thing that will stop it is if the
organization has a Split DNS architecture implemented. This was why earlier
in the year I was asking whether DNS support had been implemented into
Metasploit yet.

I have only released the initial version (v0.3) at
http://www.projectshellcode.com so far, which was a little buggy, but have
been working on it since then to fix bugs and make the shellcode much more
stable. I am now up to v0.11, which is stable and works great, but has an
output limitation. I will be releasing v1.0 in the near future, which will
have no limitations and is stable.

Check it out at http://www.projectshellcode.com, and if you want the latest
version then drop me an email and i'll either release v0.11 or shoot it to
you directly.

Cheers,
Ty


On Tue, Dec 23, 2008 at 9:24 AM, natron <natron at invisibledenizen.org> wrote:

> Additionally, downloadexec works in that environment too.  You can
> combine the two to make passivex work with IE7/IE8.  The reason
> passivex doesn't work anymore is because of some new permissions that
> have to be set.  So, if you make a little .vbs script or similar that
> will nuke the right registry entries, passivex will load and all will
> work correctly.
>
> I've used a .vbs file that:
> 1) modifies the registry entries correctly for IE7/IE8
> 2) launches IE7 pointed towards your passivex handler
>
> FYI, in my testing of this payload, I realized that the current stage1
> loader completely nukes the security settings for IE6 for the Internet
> zone.  That's bad, bad, bad.  If you use it in real PT environment,
> realize that you have to come back later and clean up those registry
> settings or that computer is likely to get infected all day on the
> internet.  It will accept arbitrary activex from anyone and and
> automatically run it.  Track down the uninformed article on passivex
> for the details.
>
> But anyway, currently, the .vbs file has to be put into a
> self-extracting archive to get it to work correctly, which is stupid.
> I haven't had time to get the bugs ironed out so that you can do it
> all within msf.  Once I get that done, I'll send it out to the group.
>
> n
>
> 2008/12/22 Taras P. Ivashchenko <naplanetu at gmail.com>:
> > On Mon, 22 Dec 2008 16:50:09 -0500
> > ArcSighter Elite <arcsighter at gmail.com> wrote:
> >
> > At this moment IE6 is the most popular on win corporate desktops as I
> think and it's only one capability in Metasploit to by pass
> > target's firewall through HTTP proxy using IE proxy settings.
> > By the way it will interesting to try it :)
> >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > Taras P. Ivashchenko wrote:
> > > > ArcSighter Elite, thanks!
> > > > I will try it.
> > > >
> > > > > If PassiveX stager would work on IE7/8 that would be awesome. It's
> all
> > > > > you need. It's basically IE connecting. And only uses POST/GET.
> > >
> > > Hey, hey! I just said that if it would work in IE7/8. Currently, it only
> > > works against IE6 as far as I know.
> > >
> > > -----BEGIN PGP SIGNATURE-----
> > > Version: GnuPG v1.4.6 (GNU/Linux)
> > >
> > > iD8DBQFJUAszH+KgkfcIQ8cRAoqVAKDHSu69MroNHuN6/WkNAYryeZu7vgCgpLdx
> > > /WaiO4BF/4DcZXhq4PMGWDs=
> > > =uOmM
> > > -----END PGP SIGNATURE-----
> >
> >
> > --
> > ????? ???????? (Taras Ivashchenko), OSCP
> > www.securityaudit.ru
> > ----
> > "Software is like sex: it's better when it's free." - Linus Torvalds
> >
> > _______________________________________________
> > http://spool.metasploit.com/mailman/listinfo/framework
> _______________________________________________
> http://spool.metasploit.com/mailman/listinfo/framework
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20081223/c22262b8/attachment.htm>