reDuh
- Authors: Haroon Meer, Marco Slaviero, Glenn Wilkonson (reDuhClient && JSP), Gert Burger (PHP), Ian de Villiers (ASPX)
- Cost: Free
- Source Code:
- Version : 0.3
- License : GPL
- Release Date : 2008/07/29
- Recent Changes : Fixed issues with PHP version and older versions of PHP
reDuh was released as part of on tunnelling data in and out of networks.
reDuh is actually a tool that can be used to create a TCP circuit through validly formed HTTP requests. Essentially this means that if we can upload a JSP/PHP/ASP page on a server, we can connect to hosts behind that server trivially.
Example scenario
While the original documentation made heavy use of bad ASCII art we had to have prettier pics for the .ppt so here you go:
- Glenn has the ability to upload/create a JSP page on the remote server.
- Glenn wishes to make an RDP connection to the server
term-serv.victim.com
(visible to the web-server behind the firewall). - The firewall permits HTTP traffic to the web server but denies everything else.
- Glenn uploads
reDuh.jsp
tohttp://ubuntoo.victim.com/uploads/reDuh.jsp
. - Glenn runs
reDuhClient
on his machine and points it to the page:$ java reDuhClient ubuntoo.victim.com 80 /uploads/reDuh.jsp
- Glenn administers
reDuhClient
by connecting to its management port (1010 by default). - Once connected, Glenn types:
[createTunnel]1234:term-serv.victim.com:3389
- Now Glenn launches his RDP client and aims it at
localhost:1234
reDuhClient
andreDuh.jsp
will happily shunt TCP until they are killed.
The system can handle multiple connections, so while RDP is running, we can use the management connection (on port 1010) again, and request [createTunnel]5555:sshd.victim.com:22
. Glenn can now ssh to localhost
on port 5555 to access the sshd on sshd.victim.com
(while still running his RDP session).
- Behind the scenes,
reDuhClient
starts listening on 1234 and sends an HTTP message to/uploads/reDuh.jsp
which opens a socket toterm-serv.victim.com:3389
. - Any traffic sent to the local socket on 1234 is encoded, and wrapped in HTTP requests and is sent to
/uploads/reDuh.jsp
. - Any traffic from
term-serv.victim.com:3389
to the JSP is placed in a queue and sent back toreDuhClient
when it requests it.
Disclaimer: The JSP version of reDuh is the most deployed/used/tested version. ASPX and PHP ports were done for completeness (but not extensively tested). Please let us know if you have any bug reports on any of these tools.