Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: JavaScript get Internal Address (thanks to DanBUK)
From: Alexander Sotirov <asotirov () determina com>
Date: Mon, 14 Aug 2006 00:50:05 -0700

H D Moore wrote:
1) Create a metasploit payload for communicating with shell/meterpreter 
via DNS queries and replies. This will not be a 'small' payload by any 
means, but should be feasible for all DCERPC and browser bug exploits.

2) Develop a custom DNS server for *.msf.metasploit.com

3) Provide a registration page where you can request a username/password

How about a custom DNS server that takes queries like
*.1.2.3.4.msf.metasploit.com and returns a SOA that points to the 1.2.3.4 IP
address? This will force the client to contact the name server at 1.2.3.4
directly, avoiding the need for registration.

The problems with this are:

* Privacy concerns regarding the initial DNS request to msf.metasploit.com 
for the NS record of the attacker. Technically, this could violate a NDA 
if used on a penetration test.

The domain name in the payload will be configurable, so you can set it to
myowndomain.com instead of msf.metasploit.com. If you are a pentester, you can
probably afford to run your own nameserver.

* The framework console would need to bind to port 53 (r00t on unix) and 
be accessible from the internet.

The same is true for all browser exploits in the framework.

* It may not be that useful, but it does seem like a fun hack. With any 
luck, this can be accomplished using the built-in name resolution API in 
windows/unix/etc.

I think DNSAPI.DLL has all the functionality you need for the payload. Look at
WinDNS.h in the Platform SDK, specifically the DnsQuery() function. I just spent
an entire weekend reversing this dll, so I know it pretty well by now :-)

Alex

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault