- Authors: Haroon Meer, Marco Slaviero, Glenn Wilkonson (reDuhClient && JSP), Gert Burger (PHP), Ian de Villiers (ASPX)
- Cost: Free
- Source Code: GitHub
- Version : 0.3
- License : GPL
- Release Date : 2008/07/29
- Recent Changes : Fixed issues with PHP version and older versions of PHP
reDuh was released as part of SensePost's BlackHat USA 2008 talk on tunnelling data in and out of networks.
reDuh is actually a tool that can be used to create a TCP circuit through validly formed HTTP requests. Essentially this means that if we can upload a JSP/PHP/ASP page on a server, we can connect to hosts behind that server trivially.
While the original documentation made heavy use of bad ASCII art we had to have prettier pics for the .ppt so here you go:
- Glenn has the ability to upload/create a JSP page on the remote server.
- Glenn wishes to make an RDP connection to the server
term-serv.victim.com(visible to the web-server behind the firewall).
- The firewall permits HTTP traffic to the web server but denies everything else.
- Glenn uploads
- Glenn runs
reDuhClienton his machine and points it to the page:
$ java reDuhClient ubuntoo.victim.com 80 /uploads/reDuh.jsp
- Glenn administers
reDuhClientby connecting to its management port (1010 by default).
- Once connected, Glenn types:
- Now Glenn launches his RDP client and aims it at
reDuh.jspwill happily shunt TCP until they are killed.
The system can handle multiple connections, so while RDP is running, we can use
the management connection (on port 1010) again, and request
[createTunnel]5555:sshd.victim.com:22. Glenn can now ssh to
port 5555 to access the sshd on
sshd.victim.com (while still running his RDP
- Behind the scenes,
reDuhClientstarts listening on 1234 and sends an HTTP message to
/uploads/reDuh.jspwhich opens a socket to
- Any traffic sent to the local socket on 1234 is encoded, and wrapped in HTTP
requests and is sent to
- Any traffic from
term-serv.victim.com:3389to the JSP is placed in a queue and sent back to
reDuhClientwhen it requests it.
Disclaimer: The JSP version of reDuh is the most deployed/used/tested version. ASPX and PHP ports were done for completeness (but not extensively tested). Please let us know if you have any bug reports on any of these tools.