
First commit

filetofirewall committed Aug 31, 2015
0 parents commit 7af3d0aca4102b422a3082931a736736186060b4
@@ -0,0 +1,107 @@
This is the Proof of Concept code to exploit the Filet-O-Firewall vulnerability.
The code is currently being cleaned up to be more easily digestable, but it is working at the moment.
The best browser to use for the PoC is Firefox, it works 99% of the time.
Google Chrome recently changed some of its behavior in regards to how it handles XMLHTTPRequest timing. Will have to do research to see how to fix this.
Infrastructure Setup
• We need a domain that we can become the authoritative name server for
• Ideally two separate static IP addresses
• An Apache Server with the code I will provide
• The PHP DNS server code that I will provide (or a DNS server that reads from Memcache)
• A Memcache server
• We need to make sure our web server responds on all the UPnP ports (since the port needs to also be the same to bypass CORS).
• When we do the DNS Multiple A Record switch (switching from our web server to the client’s gateway ip), the browser will simply switch the IP. It does not change the path or the port.
• It is key to have the page that we send them to (open.html) load all of its resources quickly and not depend on any resources from the randomly generated subdomain. Access to the webserver on that port will be cut off in order to force the browser to switch to the second A record we have in our DNS response.
DNS Server
• The default DNS records need to be setup in dns_record.json.
o Test.firefox needs to be specified with the public IP of the web server and the default gateway IP you would like to use in case the Memcache server is broken or too slow to respond (for some unknown reason)
o Test.sub needs to be changed to the secondary IP of the web server. This ensures connectivity can still happen during the DNS rebind attack.
• Run the DNS server by starting a screen session and running “php example.php”
Apps to install:
Files Guide:
php_inline.conf should go in Apache conf.d directory
apache_ports.conf should be used for Apache's ports.conf
php_dns_ubuntu_service can be used to register a service for the php dns server
apache_site.conf should be used as the Apache config file
server_settings.readme contains text that should be added to /etc/sudoers so php can modify iptables rules
/etc/phpdns for the PHP DNS server files
/var/www/html for the web server files
Wmain.html –
o Displays a loading gif and scans IP addresses of the user’s gateway for possible UPnP ports that are open. If none are found 80 is assumed as the UPnP port.
o Sets whether debug mode is on or off
o Generates random subdomain
o Determines user’s private IP address
o Redirects user to random subdomain and UPnP port
o Determines the user’s browser (may be needed for extra functionality later)
U0.php –
o Accepts the base64 encoded internal ip address of the gateway and calculates the subnet.
o Puts the information into memcache with the subdomain as the key.
o Can be set to exploit Weak End System Model by adding the public IP of the gateway instead of the internal IP of the gateway.
Wopen.html –
o Displays some content (usually a video)
o Loads script.js
o Accepts port in POST parameters and adds iptables rule blocking the port on the webserver to the IP address who made the request
o Accepts port in POST parameters and removes iptables rule blocking the port on the webserver to the IP address who made the request
o Returns the gateway and subnet for the requested subdomain
o Accepts POSTed information and stores it in a file in the testup directory
Worker.js –
o POSTs the port being actively used to C1.HTML (which will add the iptables rules to cut off access)
o Starts requesting possible XML files from the gateway (the browser automatically starts using the other IP address in the multiple A record when the original cannot be accessed)
o Asks for Gateway IP from i0.php
o Once XML is found, parses the controlURL property
o POSTs XML to the controlURL to open all ports specified in the script (e.g. 80, 443, 445, 22, etc.) for the gateway ip address and client’s ip address starting with external port 5800.
o POSTs opened port internal to external mapping to r0.php
o Loades open.js (web worker code) and spawns configured number of web workers
o Breaks up subnet based on number of web workers
Assigns work to web workers
Web workers contact gateway and open rest of internal network hosts on all configured ports
o Once finished POSTs full list of hosts and internal to external port mapping to r0.php
o POSTs port to c0.html to remove iptables rule.
o Finishes
Open.js -
Web worker code
PHP DNS Server Code from:
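Review bot: the two "Accepts port in POST parameters" bullets describe endpoints that take a port from a request body and pass it to a sudo-enabled iptables invocation (per the server_settings.readme sudoers entry), but nothing here says the PHP side validates that value as an integer in the 1-65535 range or that the sudoers line is restricted to the exact iptables command rather than the whole binary; without both, the web server user is one unvalidated parameter away from root on its own host, so document the check and the scoped sudoers rule. Documentation gaps in the same hunk: "Apps to install:" is an empty heading, "PHP DNS Server Code from:" ends without the attribution URL, and the bullets listed under open.html (iptables add/remove, gateway lookup, storing POSTed results) are server-side behaviours that the Worker.js section attributes to C1.HTML, c0.html, i0.php and r0.php, so each endpoint should get its own entry with a filename whose case matches the real file, since paths on the web server are case-sensitive.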
@@ -0,0 +1,28 @@
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf
Listen 80
Listen 1780
Listen 1900
Listen 2189
Listen 2600
Listen 2869
Listen 2555
Listen 5555
Listen 37215
Listen 47128
Listen 49000
Listen 49152
Listen 49153
Listen 56688
<IfModule ssl_module>
Listen 443
<IfModule mod_gnutls.c>
Listen 443
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
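Review bot: `<IfModule ssl_module>` and `<IfModule mod_gnutls.c>` are both opened but never closed in the hunk, and an unterminated IfModule makes Apache refuse to start, so each `Listen 443` needs a following `</IfModule>`. Style: `Listen 2555` breaks the otherwise ascending port order, and the header comment still points at `/etc/apache2/sites-enabled/000-default.conf` while the README says apache_site.conf replaces that file; update the comment so the two do not contradict each other.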
@@ -0,0 +1,35 @@
<VirtualHost *:*>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
Header set Access-Control-Allow-Origin "*"
Header set Cache-Control "no-cache, no-store, must-revalidate"
Header set Pragma "no-cache"
Header set Expires 0
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
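Review bot: `<VirtualHost *:*>` is opened but no `</VirtualHost>` appears in the hunk, and the four `Header set` directives depend on mod_headers, which neither this file nor the README's setup steps enable (`a2enmod headers` on Ubuntu); with either missing, `apachectl configtest` fails. The ServerName comment block is carried over from the Debian default yet no ServerName is set; since the README relies on the Host header carrying a random subdomain across many listening ports, a one-line comment saying the catch-all `*:*` without a ServerName is deliberate would save the next reader from "fixing" it.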
@@ -0,0 +1,73 @@
PHP DNS Server
This is an Authoritative DNS Server written in pure PHP.
It will listen to DNS request on the default port (Default: port 53) and give answers about any donamin that it has DNS records for.
This class can be used to give DNS responses dynamically based on your pre-existing PHP code.
Support Record Types
* A
* NS
* MX
PHP Requirements
* `PHP 5.3+`
* Needs either `sockets` or `socket_create` PHP extension loaded (which they are by default)
Here is an example of some DNS records
require "dns_server.class.php";
// dns records
$ds_records = array(
'' => array(
'A' => '',
'MX' => '',
'NS' => '',
'TXT' => 'Some text.'
'' => array(
// allow multiple records of same type
'A' => array(
// Creating a new instance of our class
$dns = new PHP_DNS_SERVER($ds_records);
// Starting our DNS server
And Here is us querying it and seeing the response
$ dig @ A +short
$ dig @ TXT +short
"Some text."
$ dig @ A +short
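Review bot: the example record array is not valid PHP as shown: `'TXT' => 'Some text.'` lacks a trailing comma before the next key, the nested arrays for the second hostname and for the multiple-A list are never closed, and the hostname keys and the server address in the `dig` commands are empty, so the documented output cannot be reproduced from this page. The comment "Starting our DNS server" is followed by no call at all; whatever the start method of `PHP_DNS_SERVER` is called, the line invoking it belongs here. Smaller points: "Support Record Types" lists only A, NS and MX while the example relies on TXT; "donamin" should be "domain"; and `socket_create` is a function provided by the `sockets` extension, not a separate extension, so the requirements line should name just `sockets`.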
@@ -0,0 +1,9 @@
namespace StorageProvider;
abstract class AbstractStorageProvider {
abstract function get_answer($question);
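Review bot: `get_answer($question)` carries no docblock saying what `$question` contains or what shape the return value must take (the per-type record array described in the PHP DNS Server README?); concrete providers will be written against this contract, so state both in a `@param`/`@return` block. The hunk header announces nine added lines but only three are visible, and neither the `<?php` opening tag nor the class's closing brace appears, so confirm the file is intact in the actual commit rather than truncated in this view.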