reDuh

reDuh was released as part of SensePost's BlackHat USA 2008 talk on tunnelling data in and out of networks.

reDuh is actually a tool that can be used to create a TCP circuit through validly formed HTTP requests. Essentially this means that if we can upload a JSP/PHP/ASP page on a server, we can connect to hosts behind that server trivially.

Example scenario

While the original documentation made heavy use of bad ASCII art we had to have prettier pics for the .ppt so here you go:

  1. Glenn has the ability to upload/create a JSP page on the remote server.
  2. Glenn wishes to make an RDP connection to the server term-serv.victim.com (visible to the web-server behind the firewall).
  3. The firewall permits HTTP traffic to the web server but denies everything else. reDuh
  4. Glenn uploads reDuh.jsp to http://ubuntoo.victim.com/uploads/reDuh.jsp. reDuh
  5. Glenn runs reDuhClient on his machine and points it to the page: $ java reDuhClient ubuntoo.victim.com 80 /uploads/reDuh.jsp
  6. Glenn administers reDuhClient by connecting to its management port (1010 by default).
  7. Once connected, Glenn types: [createTunnel]1234:term-serv.victim.com:3389
  8. Now Glenn launches his RDP client and aims it at localhost:1234 reDuh reDuhClient and reDuh.jsp will happily shunt TCP until they are killed.

The system can handle multiple connections, so while RDP is running, we can use the management connection (on port 1010) again, and request [createTunnel]5555:sshd.victim.com:22. Glenn can now ssh to localhost on port 5555 to access the sshd on sshd.victim.com (while still running his RDP session).

  1. Behind the scenes, reDuhClient starts listening on 1234 and sends an HTTP message to /uploads/reDuh.jsp which opens a socket to term-serv.victim.com:3389.
  2. Any traffic sent to the local socket on 1234 is encoded, and wrapped in HTTP requests and is sent to /uploads/reDuh.jsp.
  3. Any traffic from term-serv.victim.com:3389 to the JSP is placed in a queue and sent back to reDuhClient when it requests it.

Disclaimer: The JSP version of reDuh is the most deployed/used/tested version. ASPX and PHP ports were done for completeness (but not extensively tested). Please let us know if you have any bug reports on any of these tools.