2f0003b5bd
Built atop the Rex::Proto::DNS work to implement mixins for client and server functionality, providing common interfaces for querying domain name servers, and providing domain name services to clients across Rex sockets. Fully functional native DNS server module is included to demonstrate functionality, serve as a spoofing DNS server, a collecting proxy, or any other number of DNS functions.

-----

At the core of this work is a Rex::Proto::DNS::Resolver object descended from Net::DNS::Resolver with overrides and alterations for using Rex sockets. The sockets implementation has been in use internally for a number of years and is well tested. Changes have been made to provide a better interface for higher level components.

The resolver provides forward lookup capability for the server (Rex::Proto::DNS::Server) which also implements a self-pruning Cache subclass capable of holding static entries. The server can operate in TCP or UDP mode, and provides a common abstraction for addressing TCP and UDP clients by passing a Rex::Socket::Udp mock client around with the data object to higher level consumers.

Finally, as is standard practice when building full service objects from Rex to Msf, the server allows consumers to efficiently take execution control at the request and response handlers by passing Procs into the constructor (or manually assigning at runtime) for execution instead of the default call chain.

The service, lookup, and caching functionality is encapsulated and stands on its own to be used by consumers other than the standard Msf::Exploit::Remote namespaces. It is intended to serve as the driver and transport handler for pending DNS tunnel transports, and can be used by exploit and auxiliary modules directly.

-----

The Msf::Exploit::Remote namespace receives DNS, DNS::Client, and DNS::Server mixins providing common interfaces for Rex::Proto::DNS objects. These mixins create convenience methods for executing queries, serving requests, and configuring the Rex providers.

DNS::Client mixin attempts to "intelligently" configure the client resolver's name servers and options from the data store. Accessor, query, and configuration methods are provided in this mixin. Of note are the wildcard and switchdns methods which were adapted from prior work by others (likely Carlos Perez) which can be used by numerous consumer modules. Consumers should use setup_client during their run call to ensure the resolver is appropriately configured.

DNS::Server mixin creates common service wrappers for modules to utilize along with a configuration mechanism analogous to the one used by the Client mixin, called setup_server, and calling the setup_client method if present. Note that when setup_server is called, the consumer does not need to call setup_resolver.

-----

At the framework module level, a native DNS server is provided to showcase the mixin functionality and provide everything from normal DNS services, to tunneling proxies (with cache disabled), spoofing services, and MITM functionality via the handler Procs for requests and responses. Use auxiliary/server/dns/native_server to get started.

-----

Testing:
Basic local testing completed. Needs to be checked for info leaks - we used to leak a lot. Needs to be checked for functionality under varying configs.

Notes:
We have a serious problem with the datastore somewhere in the Msf namespace. Datastore options must be validated with options.validate(datastore) or they are all Strings, which completely destroys any type-dependent logic consuming datastore values. This must be addressed separately and all calls to options.validate(datastore) should be removed (other work has included such calls as well, this just proved that the problem exists upstream).

Future work:
Implement session transports atop the DNS infrastructure in order to provide native DNS tunneling.
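
The datastore typing problem described in the notes above, shown as an added Ruby example that is not part of this commit or of Metasploit: when every option value is a String, a boolean check on "false" takes the wrong branch until the values are coerced. The option names, the schema format, and the helper names are hypothetical and constructed for illustration.

```ruby
require 'ipaddr'

# Constructed schema (hypothetical names): option name => expected type.
SCHEMA = {
  'PORT'           => :port,
  'CACHE_DISABLED' => :bool,
  'UPSTREAM'       => :address
}.freeze

# Constructed datastore as it looks before validation: every value is a String.
RAW = {
  'PORT'           => '53',
  'CACHE_DISABLED' => 'false',
  'UPSTREAM'       => '192.0.2.53'
}.freeze

# Coerce one raw value to its declared type, raising ArgumentError on malformed input.
def coerce(name, type, value)
  text = value.to_s
  case type
  when :bool
    return true  if text =~ /\A(true|yes|y|1)\z/i
    return false if text =~ /\A(false|no|n|0)\z/i
    raise ArgumentError, "#{name}: not a boolean: #{value.inspect}"
  when :port
    port = Integer(text, 10) # strict base-10 parse; rejects "0x35" and "53abc"
    raise ArgumentError, "#{name}: port out of range" unless (1..65_535).cover?(port)
    port
  when :address
    IPAddr.new(text) # IPAddr::InvalidAddressError is an ArgumentError subclass
  else
    raise ArgumentError, "#{name}: unknown type #{type}"
  end
end

# Return a new Hash of typed values; unknown option names are rejected, not passed through.
def typed_options(raw, schema = SCHEMA)
  raw.each_with_object({}) do |(name, value), out|
    type = schema.fetch(name) { raise ArgumentError, "unknown option #{name}" }
    out[name] = coerce(name, type, value)
  end
end

# The failure mode: any non-empty String is truthy in Ruby, including "false".
def cache_disabled_naive?(store)
  store['CACHE_DISABLED'] ? true : false
end
```
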