Search the Community

Singularity of Origin DNS Rebinding Attack Framework. NEW! Check out our DEF CON 27 and BSIDESLV presentation at [Hidden Content] Singularity of Origin is a tool to perform [Hidden Content] attacks. It includes the necessary components to rebind the IP address of the attack server DNS name to the target machine's IP address and to serve attack payloads to exploit vulnerable software on the target machine. It also ships with sample payloads to exploit several vulnerable software versions, from the simple capture of a home page to performing remote code execution. It aims at providing a framework to facilitate the exploitation of software vulnerable to DNS rebinding attacks and to raise awareness on how they work and how to protect from them. Detailed documentation is on the [Hidden Content] Core Features Singularity provides a complete DNS rebinding attack delivery stack: Custom DNS server to rebind DNS name and IP address HTTP server (manager web interface) to serve HTML pages and JavaScript code to targets and to manage the attacks Several sample attack payloads, ranging from grabbing the home page of a target application to performing remote code execution. These payloads can be easily adapted to perform new and custom attacks. Supports DNS CNAME values in target specification in addition to IP addresses to evade DNS filtering solutions or to target internal resources for which the IP address is unknown. A simple, fast and efficient HTTP port scanner to identify vulnerable services. Attack automation allows to completely automate the scanning and exploitation of vulnerable services on a network. Hook and Control permits using victim web browsers as HTTP proxies to access internal network resources, to interactively explore and exploit otherwise inaccessible applications with your own browser. Usage Setting up Singularity requires a DNS domain name where you can edit your own DNS records for your domain and a Linux server to run it. Please see the [Hidden Content] wiki page for detailed instructions. The documentation is on the [Hidden Content]. Here are a few pointers to start:[Hidden Content] A test instance is available for demo purposes at [Hidden Content] to get the list of owned eth addresses and retrieve the balance of the first eth address. Rails Console RCE (rails-console-rce.js) Performs a remote code execution (RCE) attack on the [Hidden Content] AWS Metadata Exfil (aws-metadata-exfil.js) Forces a headless browser to exfiltrate AWS metadata including private keys to a given host. Check the payload contents for additional details on how to setup the attack. Duplicati RCE (duplicati-rce.js) This payload exploits the Duplicati backup client and performs a remote code execution (RCE) attack. For this attack to work, parameter targetURL in file payload-duplicati-rce.html must be updated to point to a valid Duplicati backup containing the actual RCE payload, a shell script. WebPDB (webpdb.js) A generic RCE payload to exploit PDB, a python debugger exposed via websockets. Hook and Control (hook-and-control.js) Hijack target browsers and use them to access inaccessible resources from your own browser or other HTTP clients. You can retrieve the list of hooked browsers on the "soohooked" sub-domain of the Singularity manager host on port 3129 by default e.g. [Hidden Content] and displays the stored credentials. Docker API (docker-api.js) This payload exploits the [Hidden Content] and displays the /etc/shadow file of the Docker host. Source & Download [hide][Hidden Content]]