Re: [Full-disclosure] JavaScript get Internal Address (thanks to DanBUK)



H D Moore wrote:
> 1) Create a metasploit payload for communicating with shell/meterpreter 
> via DNS queries and replies. This will not be a 'small' payload by any 
> means, but should be feasible for all DCERPC and browser bug exploits.
> 
> 2) Develop a custom DNS server for *.msf.metasploit.com
> 
> 3) Provide a registration page where you can request a username/password

How about a custom DNS server that takes queries like
*.1.2.3.4.msf.metasploit.com and returns a SOA that points to the 1.2.3.4 IP
address? This will force the client to contact the name server at 1.2.3.4
directly, avoiding the need for registration.

> The problems with this are:
> 
> * Privacy concerns regarding the initial DNS request to msf.metasploit.com 
> for the NS record of the attacker. Technically, this could violate an NDA 
> if used on a penetration test.

The domain name in the payload will be configurable, so you can set it to
myowndomain.com instead of msf.metasploit.com. If you are a pentester, you can
probably afford to run your own nameserver.

> * The framework console would need to bind to port 53 (r00t on unix) and 
> be accessible from the internet.

The same is true for all browser exploits in the framework.

> * It may not be that useful, but it does seem like a fun hack. With any 
> luck, this can be accomplished using the built-in name resolution API in 
> windows/unix/etc.

I think DNSAPI.DLL has all the functionality you need for the payload. Look at
WinDNS.h in the Platform SDK, specifically the DnsQuery() function. I just spent
an entire weekend reversing this dll, so I know it pretty well by now :-)

Alex
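
An added example, not part of this post or of Metasploit: a defender-side check over constructed DNS query log lines that flags query names of the `<data>.1.2.3.4.<domain>` shape discussed above (a dotted-quad embedded in the labels with a data-carrying label in front of it and a controlled domain behind it), while leaving ordinary in-addr.arpa reverse lookups alone. The log line format and all sample values are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample resolver log lines (syslog-like format assumed, not from the post).
SAMPLE_LOG = """\
2024-01-01T10:00:00Z client 10.0.0.5 query: www.example.com A
2024-01-01T10:00:01Z client 10.0.0.5 query: 7f3a9c.1.2.3.4.msf.metasploit.com A
2024-01-01T10:00:02Z client 10.0.0.7 query: mail.example.org MX
2024-01-01T10:00:03Z client 10.0.0.9 query: k4jd92ls.192.168.5.20.myowndomain.com TXT
2024-01-01T10:00:04Z client 10.0.0.9 query: 4.3.2.1.in-addr.arpa PTR
"""

QUERY_RE = re.compile(r"client (?P<client>\S+) query: (?P<qname>\S+) (?P<qtype>\S+)")


def embedded_ipv4(labels: List[str]) -> Optional[Tuple[int, str]]:
    """Return (start_index, dotted_quad) for the first run of four labels in 0..255, else None."""
    for i in range(len(labels) - 3):
        window = labels[i:i + 4]
        if all(lab.isdigit() and int(lab) <= 255 for lab in window):
            return i, ".".join(window)
    return None


def analyze_query(qname: str) -> Dict[str, object]:
    """Flag names where an address sits between a leading data label and a trailing domain."""
    labels = qname.rstrip(".").split(".")
    found = embedded_ipv4(labels)
    suspicious = False
    ip = None
    if found is not None:
        idx, ip = found
        # Reverse lookups (4.3.2.1.in-addr.arpa) start with the address, so idx == 0 there;
        # the pattern from the post has data in front and at least a two-label domain behind.
        suspicious = idx >= 1 and len(labels) - (idx + 4) >= 2
    return {"qname": qname, "embedded_ip": ip, "suspicious": suspicious}


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one record per log line whose query name matches the pattern."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        info = analyze_query(m.group("qname"))
        if info["suspicious"]:
            info["client"] = m.group("client")
            info["qtype"] = m.group("qtype")
            hits.append(info)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

On the constructed sample, the two queries carrying 1.2.3.4 and 192.168.5.20 are reported and the in-addr.arpa lookup is not.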

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/