NEW (2020-03-30): New blog post investigating the impact of DoH on DNS rebinding attacks. TL;DR: DoH (DNS over HTTPS) has no effect on rebinding attacks and protections advertised by providers can be bypassed.
NEW! The WebRTC leak, which made it possible to obtain the internal IP address of a target machine, has been fixed in recent versions of Google Chrome and Apple Safari. It still works on Firefox.
NEW! Check out our DEF CON 27 video and BSidesLV presentation at State of DNS Rebinding: Attack & Prevention Techniques and the Singularity of Origin
Singularity of Origin is a tool to perform DNS rebinding attacks.
It includes the necessary components to rebind the IP address of the attack server DNS name to the target machine's IP address and to serve attack payloads to exploit vulnerable software on the target machine.
It also ships with sample payloads to exploit several vulnerable software versions, from the simple capture of a home page to performing remote code execution. It aims to provide a framework that facilitates the exploitation of software vulnerable to DNS rebinding attacks, and to raise awareness of how these attacks work and how to protect against them.
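The two standard defences against the rebind described above, as an added Python example that is not part of Singularity: the service refusing requests whose Host header is not its own name, and the resolver refusing answers that point a public name at internal address space (the behaviour of dnsmasq's `--stop-dns-rebind`). The host names and addresses used are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Address space an attacker-controlled public name should never resolve to:
# loopback, RFC 1918, link-local, 0.0.0.0/8 and their IPv6 equivalents.
REBIND_TARGET_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def host_header_allowed(host_header, allowed_hosts):
    """Service-side mitigation: accept a request only if its Host header names the
    service itself. After a rebind the browser still sends the attacker's DNS name
    (constructed example: rebinder.attacker.example:8080) in Host, so it is refused."""
    if not host_header:
        return False
    try:
        # Prefixing "//" makes urlsplit treat the value as a network location;
        # .hostname lowercases and strips IPv6 brackets, .port validates the port.
        parts = urlsplit("//" + host_header.strip())
        hostname, _ = parts.hostname, parts.port
    except ValueError:
        return False
    return hostname is not None and hostname in {h.lower() for h in allowed_hosts}


def rebinding_answers(addresses):
    """Resolver-side mitigation: return the A/AAAA answers that point into internal
    address space, so the resolver can drop the response instead of handing the
    browser an internal target."""
    flagged = []
    for text in addresses:
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            continue  # not an address literal; nothing to judge
        if any(ip in net for net in REBIND_TARGET_NETS):
            flagged.append(text)
    return flagged


if __name__ == "__main__":
    # Constructed sample: the second-stage answer for the attack name after rebinding.
    print(rebinding_answers(["203.0.113.5", "127.0.0.1", "192.168.1.10"]))
    print(host_header_allowed("rebinder.attacker.example:8080", ["localhost"]))
```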
Detailed documentation is on the wiki pages.
Setting up Singularity requires a DNS domain whose records you control and a Linux server to run it on. Please see the setup Singularity wiki page for detailed instructions.
A few pointers to get started:
A test instance is available for demo purposes at http://rebind.it:8080/manager.html.
Singularity has been tested to work with the following browsers in optimal conditions in under 3 seconds:

| Browser | Operating System | Time to Exploit | Rebinding Strategy | Fetch Interval | Target Specification |
|---|---|---|---|---|---|
Singularity supports the following attack payloads:

- `simple-fetch-get.js`: This sample payload makes a GET request to the root directory (`/`) and shows the server response using the `fetch` API. The goal of this payload is to serve as an example request so that additional contributions are as easy as possible.
- `exposed-chrome-devtools.js`: This payload demonstrates a remote code execution (RCE) vulnerability in Microsoft VS Code fixed in version 1.19.3. This payload can be adapted to exploit any software that exposes Chrome Dev Tools on
- `etcd.js`: This payload retrieves the keys and values from the etcd key-value store.
- `pyethapp.js`: Exploits the Python implementation of the Ethereum client, Pyethapp, to get the list of owned ETH addresses and retrieve the balance of the first ETH address.
- `rails-console-rce.js`: Performs a remote code execution (RCE) attack on the Rails Web Console.
- `aws-metadata-exfil.js`: Forces a headless browser to exfiltrate AWS metadata, including private keys, to a given host. Check the payload contents for additional details on how to set up the attack.
- `duplicati-rce.js`: This payload exploits the Duplicati backup client and performs a remote code execution (RCE) attack. For this attack to work, a parameter in `payload-duplicati-rce.html` must be updated to point to a valid Duplicati backup containing the actual RCE payload, a shell script.
- `webpdb.js`: A generic RCE payload to exploit PDB, a Python debugger exposed via WebSockets.
- `hook-and-control.js`: Hijacks target browsers and uses them to access otherwise inaccessible resources from your own browser or other HTTP clients. You can retrieve the list of hooked browsers on the "soohooked" sub-domain of the Singularity manager host, on port 3129 by default, e.g. http://soohooked.rebinder.your.domain:3129/. To authenticate, submit the secret value dumped to the console by the Singularity server at startup.
- `jenkins-script-console.js`: This payload exploits the Jenkins Script Console and displays the stored credentials.
- `docker-api.js`: This payload exploits the Docker API and displays the `/etc/shadow` file of the Docker host.