Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
0 parents
commit 7af3d0a
Showing
25 changed files
with
1,792 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,107 @@ | ||
|
|
||
|
|
||
|
|
||
| This is the Proof of Concept code to exploit the Filet-O-Firewall vulnerability. | ||
|
|
||
| The code is currently being cleaned up to be more easily digestable, but it is working at the moment. | ||
|
|
||
| The best browser to use for the PoC is Firefox, it works 99% of the time. | ||
|
|
||
| Google Chrome recently changed some of its behavior in regards to how it handles XMLHTTPRequest timing. Will have to do research to see how to fix this. | ||
|
|
||
|
|
||
| Infrastructure Setup | ||
| • We need a domain that we can become the authoritative name server for | ||
| • Ideally two separate static IP addresses | ||
| • An Apache Server with the code I will provide | ||
| • The PHP DNS server code that I will provide (or a DNS server that reads from Memcache) | ||
| • A Memcache server | ||
| • We need to make sure our web server responds on all the UPnP ports (since the port needs to also be the same to bypass CORS). | ||
| • When we do the DNS Multiple A Record switch (switching from our web server to the client’s gateway ip), the browser will simply switch the IP. It does not change the path or the port. | ||
| • It is key to have the page that we send them to (open.html) load all of its resources quickly and not depend on any resources from the randomly generated subdomain. Access to the webserver on that port will be cut off in order to force the browser to switch to the second A record we have in our DNS response. | ||
|
|
||
| DNS Server | ||
| • The default DNS records need to be setup in dns_record.json. | ||
| o Test.firefox needs to be specified with the public IP of the web server and the default gateway IP you would like to use in case the Memcache server is broken or too slow to respond (for some unknown reason) | ||
| o Test.sub needs to be changed to the secondary IP of the web server. This ensures connectivity can still happen during the DNS rebind attack. | ||
| • Run the DNS server by starting a screen session and running “php example.php” | ||
|
|
||
|
|
||
|
|
||
| Apps to install: | ||
|
|
||
| Apache | ||
| PHP | ||
| Memcache | ||
|
|
||
|
|
||
|
|
||
| Files Guide: | ||
|
|
||
| php_inline.conf should go in Apache conf.d directory | ||
|
|
||
| apache_ports.conf should be used for Apache's ports.conf | ||
|
|
||
| php_dns_ubuntu_service can be used to register a service for the php dns server | ||
|
|
||
| apache_site.conf should be used as the Apache config file | ||
|
|
||
|
|
||
| server_settings.readme contains text that should be added to /etc/sudoers so php can modify iptables rules | ||
|
|
||
|
|
||
| /etc/phpdns for the PHP DNS server files | ||
|
|
||
| /var/www/html for the web server files | ||
|
|
||
|
|
||
|
|
||
|
|
||
| Wmain.html – | ||
| o Displays a loading gif and scans IP addresses of the user’s gateway for possible UPnP ports that are open. If none are found 80 is assumed as the UPnP port. | ||
| o Sets whether debug mode is on or off | ||
| o Generates random subdomain | ||
| o Determines user’s private IP address | ||
| o Redirects user to random subdomain and UPnP port | ||
| o Determines the user’s browser (may be needed for extra functionality later) | ||
| U0.php – | ||
| o Accepts the base64 encoded internal ip address of the gateway and calculates the subnet. | ||
| o Puts the information into memcache with the subdomain as the key. | ||
| o Can be set to exploit Weak End System Model by adding the public IP of the gateway instead of the internal IP of the gateway. | ||
| Wopen.html – | ||
| o Displays some content (usually a video) | ||
| o Loads script.js | ||
| C1.html | ||
| o Accepts port in POST parameters and adds iptables rule blocking the port on the webserver to the IP address who made the request | ||
| C0.html | ||
| o Accepts port in POST parameters and removes iptables rule blocking the port on the webserver to the IP address who made the request | ||
| I0.php | ||
| o Returns the gateway and subnet for the requested subdomain | ||
| R0.php | ||
| o Accepts POSTed information and stores it in a file in the testup directory | ||
| Worker.js – | ||
| o POSTs the port being actively used to C1.HTML (which will add the iptables rules to cut off access) | ||
| o Starts requesting possible XML files from the gateway (the browser automatically starts using the other IP address in the multiple A record when the original cannot be accessed) | ||
| o Asks for Gateway IP from i0.php | ||
| o Once XML is found, parses the controlURL property | ||
| o POSTs XML to the controlURL to open all ports specified in the script (e.g. 80, 443, 445, 22, etc.) for the gateway ip address and client’s ip address starting with external port 5800. | ||
| o POSTs opened port internal to external mapping to r0.php | ||
| o Loades open.js (web worker code) and spawns configured number of web workers | ||
| o Breaks up subnet based on number of web workers | ||
| Assigns work to web workers | ||
| Web workers contact gateway and open rest of internal network hosts on all configured ports | ||
| o Once finished POSTs full list of hosts and internal to external port mapping to r0.php | ||
| o POSTs port to c0.html to remove iptables rule. | ||
| o Finishes | ||
|
|
||
|
|
||
| Open.js - | ||
| Web worker code | ||
|
|
||
|
|
||
|
|
||
| PHP DNS Server Code from: https://github.com/yswery/PHP-DNS-SERVER | ||
|
|
||
|
|
||
|
|
||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| # If you just change the port or add more ports here, you will likely also | ||
| # have to change the VirtualHost statement in | ||
| # /etc/apache2/sites-enabled/000-default.conf | ||
|
|
||
| Listen 80 | ||
| Listen 1780 | ||
| Listen 1900 | ||
| Listen 2189 | ||
| Listen 2600 | ||
| Listen 2869 | ||
| Listen 2555 | ||
| Listen 5555 | ||
| Listen 37215 | ||
| Listen 47128 | ||
| Listen 49000 | ||
| Listen 49152 | ||
| Listen 49153 | ||
| Listen 56688 | ||
|
|
||
| <IfModule ssl_module> | ||
| Listen 443 | ||
| </IfModule> | ||
|
|
||
| <IfModule mod_gnutls.c> | ||
| Listen 443 | ||
| </IfModule> | ||
|
|
||
| # vim: syntax=apache ts=4 sw=4 sts=4 sr noet |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| <VirtualHost *:*> | ||
| # The ServerName directive sets the request scheme, hostname and port that | ||
| # the server uses to identify itself. This is used when creating | ||
| # redirection URLs. In the context of virtual hosts, the ServerName | ||
| # specifies what hostname must appear in the request's Host: header to | ||
| # match this virtual host. For the default virtual host (this file) this | ||
| # value is not decisive as it is used as a last resort host regardless. | ||
| # However, you must set it for any further virtual host explicitly. | ||
| #ServerName www.example.com | ||
|
|
||
| ServerAdmin webmaster@localhost | ||
| DocumentRoot /var/www/html | ||
|
|
||
| # Available loglevels: trace8, ..., trace1, debug, info, notice, warn, | ||
| # error, crit, alert, emerg. | ||
| # It is also possible to configure the loglevel for particular | ||
| # modules, e.g. | ||
| #LogLevel info ssl:warn | ||
|
|
||
| ErrorLog ${APACHE_LOG_DIR}/error.log | ||
| CustomLog ${APACHE_LOG_DIR}/access.log combined | ||
|
|
||
| # For most configuration files from conf-available/, which are | ||
| # enabled or disabled at a global level, it is possible to | ||
| # include a line for only one particular virtual host. For example the | ||
| # following line enables the CGI configuration for this host only | ||
| # after it has been globally disabled with "a2disconf". | ||
| #Include conf-available/serve-cgi-bin.conf | ||
| Header set Access-Control-Allow-Origin "*" | ||
| Header set Cache-Control "no-cache, no-store, must-revalidate" | ||
| Header set Pragma "no-cache" | ||
| Header set Expires 0 | ||
| </VirtualHost> | ||
|
|
||
| # vim: syntax=apache ts=4 sw=4 sts=4 sr noet |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,73 @@ | ||
| PHP DNS Server | ||
| ============== | ||
|
|
||
| This is an Authoritative DNS Server written in pure PHP. | ||
| It will listen to DNS request on the default port (Default: port 53) and give answers about any donamin that it has DNS records for. | ||
| This class can be used to give DNS responses dynamically based on your pre-existing PHP code. | ||
|
|
||
| Support Record Types | ||
| ==================== | ||
|
|
||
| * A | ||
| * NS | ||
| * CNAME | ||
| * SOA | ||
| * PTR | ||
| * MX | ||
| * TXT | ||
| * AAAA | ||
| * OPT | ||
| * AXFR | ||
| * ANY | ||
|
|
||
| PHP Requirements | ||
| ================ | ||
|
|
||
| * `PHP 5.3+` | ||
| * Needs either `sockets` or `socket_create` PHP extension loaded (which they are by default) | ||
|
|
||
| Example: | ||
| ======== | ||
| Here is an example of some DNS records | ||
| ``` | ||
| <? | ||
| require "dns_server.class.php"; | ||
| // dns records | ||
| $ds_records = array( | ||
| 'test.com' => array( | ||
| 'A' => '111.111.111.111', | ||
| 'MX' => '112.112.112.112', | ||
| 'NS' => 'ns1.test.com', | ||
| 'TXT' => 'Some text.' | ||
| ), | ||
| 'test2.com' => array( | ||
| // allow multiple records of same type | ||
| 'A' => array( | ||
| '111.111.111.111', | ||
| '112.112.112.112' | ||
| ) | ||
| ) | ||
| ); | ||
| // Creating a new instance of our class | ||
| $dns = new PHP_DNS_SERVER($ds_records); | ||
| // Starting our DNS server | ||
| $dns->start(); | ||
| ``` | ||
|
|
||
| And Here is us querying it and seeing the response | ||
| ``` | ||
| $ dig @127.0.0.1 test.com A +short | ||
| 111.111.111.111 | ||
| $ dig @127.0.0.1 test.com TXT +short | ||
| "Some text." | ||
| $ dig @127.0.0.1 test2.com A +short | ||
| 111.111.111.111 | ||
| 112.112.112.112 | ||
| ``` | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| <?php | ||
|
|
||
| namespace StorageProvider; | ||
|
|
||
| abstract class AbstractStorageProvider { | ||
|
|
||
| abstract function get_answer($question); | ||
|
|
||
| } |
Oops, something went wrong.