Latest changes from defcon russia for dns transport #23
max3raza wants to merge 15 commits into sempervictus:rebase-defcon_ru-dns_transport from max3raza:rebase-defcon_ru-dns_transport
Conversation
sempervictus left a comment
Getting this merged and run-tested this week, please pardon the delay - somewhat swamped.
| while (stime + ctimeout > Time.now.to_i) | ||
| begin | ||
| client = Rex::Socket::Tcp.create( |
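Review bot: the retry loop `while (stime + ctimeout > Time.now.to_i)` opens a fresh Rex::Socket::Tcp on every iteration, so unless the rescue branch that follows this `begin` sleeps before the next attempt, a refused connect will spin at full speed until ctimeout elapses. Add a short backoff in the rescue path, and since the remote side is a DNS server, the transport choice raised below (UDP versus a per-call TCP socket) should be settled before this loop is tuned.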
Might as well use UDP here if we're instantiating a socket for every call. If I can get native DNS to work, this won't be an issue, but session-channels may be an appropriate mechanism for this proxy semantic.
| # @return [OptAddress] | ||
| def self.DOMAIN(default=nil, required=true, desc="Domain name") | ||
| Msf::OptString.new(__method__.to_s, [ required, desc, default ]) |
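Review bot: the YARD tag `# @return [OptAddress]` contradicts the body, which returns `Msf::OptString.new(...)`; change the tag to `[OptString]`, or construct an OptAddress if a validated address was actually intended. Note also that the option name comes from `__method__.to_s`, so every call registers the single name 'DOMAIN' regardless of the `default` argument; if the intent is one option per domain name, this helper cannot produce that.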
Clever hackery, not sure if this is the best way to implement since every module load would instantiate these opts for every domain name. Also not sure about using a name such as "default" for anything. Still though, clever :)
| # @return [OptEnum] | ||
| def self.REQ_TYPE(default=nil, required=true, desc="Domain name") | ||
| Msf::OptEnum.new(__method__.to_s, [ required, desc, 'DNSKEY', ['IPv6', 'DNSKEY']]) |
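Review bot: `self.REQ_TYPE` ignores its `default` parameter and always registers 'DNSKEY' as the default; either pass `default` through (falling back to 'DNSKEY' when nil) or drop the parameter. Its `desc` default is also a copy of DOMAIN's ("Domain name") and should describe the tunnel type, for example the 'Type of DNS tunnel' string the handler's own option list uses for the same enum.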
| def stage_over_connection? | ||
| false | ||
| end | ||
| #def stage_over_connection? |
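Review bot: the commented-out `#def stage_over_connection?` is dead code; delete it rather than leaving it beside the live definition. Since the new method hard-codes `false`, a one-line comment stating why this transport never stages over the connection would answer the question raised below at the point where the next reader will ask it.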
Why the change to an HTTP payload?
sempervictus left a comment
Round 2 of review. Merge testing ongoing presently.
| OptAddress.new('RHOST', [true, 'HANDLER BIND IP', '']), | ||
| OptString.new('SERVER_ID', [true, 'SERVER ID', 'toor']), | ||
| OptEnum.new('REQ_TYPE', [ true, 'Type of DNS tunnel', 'DNSKEY', ['IPv6', 'DNSKEY']]), | ||
| OptAddress.new('RHOST', [true, 'DNX PROXY IP', '']), |
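Review bot: 'RHOST' is registered twice in this option list (once as 'HANDLER BIND IP', once as 'DNX PROXY IP'); the option container stores options by name, so whichever entry is added last silently replaces the other and one description is lost. Give the DNS server address its own option name. 'DNX' is a typo for 'DNS'. Both RHOST entries are marked required but default to '', so they fail validation until the operator sets them, and SERVER_ID defaults to the fixed string 'toor', which every deployment will share on the wire unless it is changed.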
"DNS proxy IP" - though i suggest "DNS Server IP" since i'm working toward a native handler as well
| client = nil | ||
| print_status("Started bind handler") | ||
| print_status("Started bind-DNS handler") |
| # Start a new handling thread | ||
| self.listener_threads << framework.threads.spawn("BindTcpHandlerListener-#{lport}", false) { | ||
| self.listener_threads << framework.threads.spawn("BindTcpHandlerListener-#{lport}", false) { |
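Review bot: the listener thread is still named "BindTcpHandlerListener-#{lport}" although this is the DNS handler; rename it to "BindDnsHandlerListener-#{lport}" so it matches the "BindDnsHandlerSession" name used for the per-connection threads and the "Started bind-DNS handler" status message, otherwise thread listings attribute this listener to the TCP handler.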
| #If last connection has a valid session or died | ||
| if (framework.sessions.length > 0) | ||
| framework.sessions.each_sorted do |k| |
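Review bot: `framework.sessions` holds every session in the framework, not only those created by this handler, so the `each_sorted` walk can select a session that belongs to a different handler or transport entirely. Filter to this handler's own sessions before choosing one, and replace the full iteration with a direct lookup of the last key, as suggested below.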
I'm a bit confused on the logic here - you end up with "session" being the last session in the sorted list, so why not just sessions.sort.last?
| opts = { | ||
| :datastore => datastore, | ||
| :expiration => datastore['SessionExpirationTimeout'].to_i, | ||
| :comm_timeout => 60*60*24, |
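Review bot: `:comm_timeout => 60*60*24` hard-codes a 24-hour communication timeout while `:expiration` on the line above is read from the datastore; with this value a dead tunnel is not noticed for a day. Read it from the datastore like the other keys, using the standard SessionCommunicationTimeout option the existing handlers consult, so operators can tune it per engagement.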
Suggest pulling this from the datastore - tunable.
| # Start a new thread and pass the client connection | ||
| # as the input and output pipe. Client's are expected | ||
| # to implement the Stream interface. | ||
| conn_threads << framework.threads.spawn("BindDnsHandlerSession", false, client) { |client_copy| |
client_copy is a bit of a misnomer here - it's the original object being passed into the thread. Example:
2.4.2 :001 > a = []; Thread.new(a) {|b| b << 1}
=> #<Thread:0x00000033659320b8@(irb):1 run>
2.4.2 :002 > a
=> [1]
If you don't want the original object, client.clone/dup/etc does the trick
| #SEND SERVER_ID | ||
| client_copy.put([server_id.length].pack("C") + server_id) | ||
| conn = client_copy | ||
| #First connect, stage is needed? (or it not the first session and stage alredy there.. |
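Review bot: `[server_id.length].pack("C")` wraps silently for any SERVER_ID longer than 255 (pack 'C' keeps only the low byte), and `length` counts characters rather than bytes, so a multibyte SERVER_ID yields a length prefix that does not match the payload that follows it. Use `server_id.bytesize` and reject values over 255 bytes when the option is validated rather than at send time. In the comment, "alredy" should be "already" and the parenthesis is never closed.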
I'm thinking there's a more graceful way to do this (and I don't just mean replacing strings with symbols)... will get back to this once I have a rational plan :).