singularity

package module
v0.0.0-...-4fdbbb8 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 11, 2024 License: MIT Imports: 30 Imported by: 0

README

Singularity of Origin

Recent updates:

Singularity of Origin is a tool to perform DNS rebinding attacks. It includes the necessary components to rebind the IP address of the attack server DNS name to the target machine's IP address and to serve attack payloads to exploit vulnerable software on the target machine.

It also ships with sample payloads to exploit several vulnerable software versions, from the simple capture of a home page to performing remote code execution. It aims at providing a framework to facilitate the exploitation of software vulnerable to DNS rebinding attacks and to raise awareness on how they work and how to protect from them.

Detailed documentation is on the wiki pages.

Core Features

  • Singularity provides a complete DNS rebinding attack delivery stack:
    • Custom DNS server to rebind DNS name and IP address
    • HTTP server (manager web interface) to serve HTML pages and JavaScript code to targets and to manage the attacks
    • Several sample attack payloads, ranging from grabbing the home page of a target application to performing remote code execution. These payloads can be easily adapted to perform new and custom attacks.
    • Supports DNS CNAME values in target specification in addition to IP addresses to evade DNS filtering solutions or to target internal resources for which the IP address is unknown.
  • A simple, fast and efficient HTTP port scanner to identify vulnerable services.
  • Attack automation allows to completely automate the scanning and exploitation of vulnerable services on a network.
  • Hook and Control permits using victim web browsers as HTTP proxies to access internal network resources, to interactively explore and exploit otherwise inaccessible applications with your own browser.
Singularity Manager Interface

Singularity Manager Interface

Hook and Control a Vulnerable Application on Localhost or Other Hosts

Fetch an application home page

Automate the Scan and Compromise of All Vulnerables Applications

Fetch an application home page

Usage

Setting up Singularity requires a DNS domain name where you can edit your own DNS records for your domain and a Linux server to run it. Please see the setup singularity wiki page for detailed instructions.

The documentation is on the wiki pages. Here are a few pointers to start:

A test instance is available for demo purposes at http://rebind.it:8080/manager.html.

Speed

Singularity has been tested to work with the following browsers in optimal conditions in under 3 seconds:

Browser Operating System Time to Exploit Rebinding Strategy Fetch Interval Target Specification
Chrome Windows 10 ~3s Multiple answers (fast) 1s 127.0.0.1
Edge Windows 10 ~3s Multiple answers (fast) 1s 127.0.0.1
Firefox Windows 10 ~3s Multiple answers (fast) 1s 127.0.0.1
Chromium Ubuntu ~3s Multiple answers (fast) 1s 0.0.0.0
Firefox Ubuntu ~3s Multiple answers (fast) 1s 0.0.0.0
Chrome macOS ~3s Multiple answers (fast) 1s 0.0.0.0
Firefox macOS ~3s Multiple answers (fast) 1s 0.0.0.0
Safari macOS ~3s Multiple answers (fast) 1s 0.0.0.0
Payloads Description

Singularity supports the following attack payloads:

  • Basic fetch request (simple-fetch-get.js): This sample payload makes a GET request to the root directory ('/') and shows the server response using the fetch API. The goal of this payload is to function as example request to make additional contributions as easy as possible.
  • automatic: This payload automatically attempts to detect known services and exploit them using other payloads listed in this section or that were developed and added to Singularity by users.
  • Chrome DevTools RCE (exposed-chrome-devtools.js): This payload demonstrates a remote code execution (RCE) vulnerability in Microsoft VS Code fixed in version 1.19.3. This payload can be adapted to exploit any software that exposes Chrome Dev Tools on localhost.
  • Etcd k/v dump (etcd.js): This payload retrieves the keys and values from the etcd key-value store.
  • pyethapp (pyethapp.js): Exploits the Python implementation of the Ethereum client Pyethapp to get the list of owned eth addresses and retrieve the balance of the first eth address.
  • Rails Console RCE (rails-console-rce.js): Performs a remote code execution (RCE) attack on the Rails Web Console.
  • AWS Metadata Exfil (aws-metadata-exfil.js): Forces a headless browser to exfiltrate AWS metadata including private keys to a given host. Check the payload contents for additional details on how to setup the attack.
  • Duplicati RCE (duplicati-rce.js): This payload exploits the Duplicati backup client and performs a remote code execution (RCE) attack. For this attack to work, parameter targetURL in file payload-duplicati-rce.html must be updated to point to a valid Duplicati backup containing the actual RCE payload, a shell script.
  • WebPDB (webpdb.js): A generic RCE payload to exploit PDB, a python debugger exposed via websockets.
  • Hook and Control (hook-and-control.js): Hijack target browsers and use them to access inaccessible resources from your own browser or other HTTP clients. You can retrieve the list of hooked browsers on the "soohooked" sub-domain of the Singularity manager host on port 3129 by default e.g. http://soohooked.rebinder.your.domain:3129/. To authenticate, submit the secret value dumped to the console by the Singularity server at startup.
  • Jenkins Script Console (jenkins-script-console.js): This payload exploits the Jenkins Script Console and displays the stored credentials.
  • Docker API (docker-api.js): This payload exploits the Docker API and displays the /etc/shadow file of the Docker host.

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var DNSRebindingStrategy = map[string]func(session string, dcss *DNSClientStateStore, q dns.Question) []string{
	"rr": DNSRebindFromQueryRoundRobin,
	"fs": DNSRebindFromQueryFirstThenSecond,
	"rd": DNSRebindFromQueryRandom,
	"ma": DNSRebindFromQueryMultiA,
}

DNSRebindingStrategy maps a DNS Rebinding strategy name to a function

Functions

func Auth 

func Auth(r *http.Request) (AuthToken string, ok bool)

Auth validates the authentication token

func DNSRebindFromQueryFirstThenSecond 

func DNSRebindFromQueryFirstThenSecond(session string, dcss *DNSClientStateStore, q dns.Question) []string

DNSRebindFromQueryFirstThenSecond is a response handler to DNS queries It extracts the hosts in the DNS query string It first returns the first host once in the DNS query string then the second host in all subsequent queries for a period of time timeout.

func DNSRebindFromQueryMultiA 

func DNSRebindFromQueryMultiA(session string, dcss *DNSClientStateStore, q dns.Question) []string

DNSRebindFromQueryMultiA s a response handler to DNS queries It extracts the two hosts in the DNS query string then returns the extracted hosts as multiple DNS A records

func DNSRebindFromQueryRandom 

func DNSRebindFromQueryRandom(session string, dcss *DNSClientStateStore, q dns.Question) []string

DNSRebindFromQueryRandom is a response handler to DNS queries It extracts the two hosts in the DNS query string then returns either extracted hosts randomly

func DNSRebindFromQueryRoundRobin 

func DNSRebindFromQueryRoundRobin(session string, dcss *DNSClientStateStore, q dns.Question) []string

DNSRebindFromQueryRoundRobin is a response handler to DNS queries It extracts the two hosts in the DNS query string then returns the extracted hosts in a round robin fashion

func GenerateRandomString 

func GenerateRandomString() (string, error)

GenerateRandomString returns a secure random hexstring, 20 chars long

func MakeRebindDNSHandler 

func MakeRebindDNSHandler(appConfig *AppConfig, dcss *DNSClientStateStore) dns.HandlerFunc

MakeRebindDNSHandler generates a DNS request handler based on app settings. This is the core DNS queries handling loop

func NewHTTPProxyServer 

func NewHTTPProxyServer(port int, dcss *DNSClientStateStore,

	wscss *WebsocketClientStateStore, hss *HTTPServerStoreHandler) *http.Server

NewHTTPProxyServer starts a new HTTP proxy server

func NewHTTPServer 

func NewHTTPServer(port int, hss *HTTPServerStoreHandler, dcss *DNSClientStateStore,
	wscss *WebsocketClientStateStore) *http.Server

NewHTTPServer configures a HTTP server

func StartHTTPProxyServer 

func StartHTTPProxyServer(s *http.Server) error

StartHTTPProxyServer starts an HTTP reverse proxy server to target clients

func StartHTTPServer 

func StartHTTPServer(s *http.Server, hss *HTTPServerStoreHandler, dynamic bool, tproxy bool) error

StartHTTPServer starts an HTTP server and adds it to dynamic (if dynamic is true) or static HTTP Store

func StopHTTPServer 

func StopHTTPServer(s *http.Server, hss *HTTPServerStoreHandler)

StopHTTPServer stops an HTTP server

Types

type AppConfig 

type AppConfig struct {
	HTTPServerPorts              []int
	ResponseIPAddr               string
	ResponseReboundIPAddr        string
	RebindingFn                  func(session string, dcss *DNSClientStateStore, q dns.Question) []string
	RebindingFnName              string
	ResponseReboundIPAddrtimeOut int
	AllowDynamicHTTPServers      bool
	DNSServerBindAddr            string
	WsHTTPProxyServerPort        int
	EnableLinuxTProxySupport     bool
}

AppConfig stores running parameter of singularity server.

type AuthHandler 

type AuthHandler struct {
	NextHandler http.Handler
}

AuthHandler is an HTTP header token authentication handler

func (*AuthHandler) ServeHTTP 

func (ah *AuthHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)

type DNSClientState 

type DNSClientState struct {
	FirstQueryTime               time.Time
	LastQueryTime                time.Time
	CurrentQueryTime             time.Time
	ResponseIPAddr               string
	ResponseReboundIPAddr        string
	LastResponseReboundIPAddr    int
	ResponseReboundIPAddrtimeOut int
	FirewalledOnce               bool
}

DNSClientState holds the current rebinding state of client.

type DNSClientStateStore 

type DNSClientStateStore struct {
	sync.RWMutex
	Sessions map[string]*DNSClientState
}

DNSClientStateStore stores DNS sessions It permits to respond to multiple clients based on their current DNS rebinding state. Must use RO or RW mutex to access.

func (*DNSClientStateStore) ExpireOldEntries 

func (dcss *DNSClientStateStore) ExpireOldEntries(duration time.Duration)

ExpireOldEntries expire DNS Client Sessions that existed longer than duration Old entries are expire at a provided interval Someone could possibly fill memory before old entries are expired

type DNSQuery 

type DNSQuery struct {
	ResponseIPAddr        string
	ResponseReboundIPAddr string
	Session               string
	DNSRebindingStrategy  string
	Domain                string
}

DNSQuery is a convenience structure to hold the parsed DNS query of a client.

func NewDNSQuery 

func NewDNSQuery(qname string) (*DNSQuery, error)

NewDNSQuery parses DNS query string and returns a DNSQuery structure. "-" is used a field delimitor in query string if target contains a CNAME instead of an IP address and if CNAME includes any "-", then each of these "-" must be escaped with another "-"

type DefaultHeadersHandler 

type DefaultHeadersHandler struct {
	NextHandler http.Handler
}

DefaultHeadersHandler is a HTTP handler that adds default headers to responses for all routes

func (*DefaultHeadersHandler) ServeHTTP 

func (d *DefaultHeadersHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)

type DelayDOMLoadHandler 

type DelayDOMLoadHandler struct{}

DelayDOMLoadHandler is a HTTP handler that forces browsers to wait for more data thus delaying DOM load event.

func (*DelayDOMLoadHandler) ServeHTTP 

func (h *DelayDOMLoadHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)

type HTTPClientInfoHandler 

type HTTPClientInfoHandler struct {
	IPAddress string
	Port      string
}

HTTPClientInfoHandler is a HTTP handler to provide HTTP client information including IP address to HTTP cllients

func (*HTTPClientInfoHandler) ServeHTTP 

func (hcih *HTTPClientInfoHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)

HTTP Handler for "/clientinfo"

type HTTPServerError 

type HTTPServerError struct {
	Err  error
	Port string
}

HTTPServerError is used to report issues with an HTTP instance when started or closed

type HTTPServerStoreHandler 

type HTTPServerStoreHandler struct {
	Errc                    chan HTTPServerError // communicates http server errors
	AllowDynamicHTTPServers bool
	sync.RWMutex
	DynamicServers        []*http.Server
	StaticServers         []*http.Server
	Dcss                  *DNSClientStateStore
	Wscss                 *WebsocketClientStateStore
	WsHTTPProxyServerPort int
	AuthToken             string
}

HTTPServerStoreHandler holds the list of HTTP servers Many servers at startup and one (1) dynamically instantianted server Access to the servers list must be performed via mutex

func (*HTTPServerStoreHandler) ServeHTTP 

func (hss *HTTPServerStoreHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)

HTTP Handler for /servers

type HTTPServersConfig 

type HTTPServersConfig struct {
	ServerInformation       []httpServerInfo
	AllowDynamicHTTPServers bool
}

HTTPServersConfig is a stucture that is returned to JS client to inform about Singularity HTTP ports and whether dynamic HTTP server allocation is allowed

type IPTablesHandler 

type IPTablesHandler struct {
}

IPTablesHandler is a HTTP handler that adds/removes iptables rules if the DNS rebinding strategy is to respond with multiple A records.

func (*IPTablesHandler) ServeHTTP 

func (ipt *IPTablesHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)

type IPTablesRule 

type IPTablesRule struct {
	// contains filtered or unexported fields
}

IPTablesRule is a struct representing a linux iptable firewall rule

func NewIPTableRule 

func NewIPTableRule(srcAddr string, srcPort string,
	dstAddr string, dstPort string) *IPTablesRule

NewIPTableRule populate an iptables rule

func (*IPTablesRule) AddRule 

func (ipt *IPTablesRule) AddRule()

AddRule adds an iptables rule in Linux iptable

func (*IPTablesRule) RemoveRule 

func (ipt *IPTablesRule) RemoveRule()

RemoveRule removes an iptables rule in Linux iptable

type LoginHandler 

type LoginHandler struct {
	AuthToken string
}

LoginHandler is an HTTP login handler for proxy functions

func (*LoginHandler) ServeHTTP 

func (lh *LoginHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)

type PayloadTemplateHandler 

type PayloadTemplateHandler struct {
}

PayloadTemplateHandler is a HTTP handler to deliver payloads to HTTP clients

func (*PayloadTemplateHandler) ServeHTTP 

func (pth *PayloadTemplateHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)

HTTP Handler for "/soopayload"

type ProxyHandler 

type ProxyHandler struct {
	Wscss *WebsocketClientStateStore
	Dcss  *DNSClientStateStore
}

ProxyHandler is an HTTP proxy for an attacker to interact with hijacked JavaScript Clients

func (*ProxyHandler) ServeHTTP 

func (p *ProxyHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)

type ProxytoWebsocketTransport 

type ProxytoWebsocketTransport struct {
	WSClient *WSClient
}

ProxytoWebsocketTransport is a custom transport to bridge Singularity reverse proxy and target via websockets

func (*ProxytoWebsocketTransport) RoundTrip 

func (t *ProxytoWebsocketTransport) RoundTrip(req *http.Request) (*http.Response, error)

RoundTrip is a custom RoundTrip implementation for reverse proxy to websocket

type WSCall 

type WSCall struct {
	Req   fetchRequest
	Res   fetchResponse
	Done  chan bool
	Error error
}

WSCall is an active Web Socket Request

type WSClient 

type WSClient struct {
	// contains filtered or unexported fields
}

WSClient is a Websocket client used by Singularity to channel reverse proxy requests to target via websockets.

func NewWSClient 

func NewWSClient() *WSClient

NewWSClient return a new websockets client

func (*WSClient) Request 

func (c *WSClient) Request(op *websocketOperation) (interface{}, error)

Request is a method to send fetch request to the browser via websockets

type WebsocketClientState 

type WebsocketClientState struct {
	LastSeenTime time.Time
	Host         string
	WSClient     *WSClient
}

WebsocketClientState maintains information about a target hooked via websockets

type WebsocketClientStateStore 

type WebsocketClientStateStore struct {
	sync.RWMutex
	Sessions map[string]*WebsocketClientState
}

WebsocketClientStateStore keeps track of all targets hooked via websockets

type WebsocketHandler 

type WebsocketHandler struct {
	// contains filtered or unexported fields
}

WebsocketHandler is an WS endpoint for an attacker to interact with hijacked JavaScript Clients

func (*WebsocketHandler) ServeHTTP 

func (ws *WebsocketHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)

Source Files

View all Source files

Directories

Path Synopsis
cmd
singularity-server

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.