Use custom resolver when creating the socket #71
The custom DNS resolution rules are inconsistently applied. They are respected for the purpose of choosing a communication channel (`SwitchBoard::best_comm`), but then when it does the resolution itself, it ignores it. One place where this occurs is within `Rex::Proto::Http::Client`. Setting `rhost` to a domain name (instead of an IP) will initially figure out the `comm` by doing DNS resolution using Metasploit's custom DNS resolver; but then when it goes to actually do the request over that `comm` channel, it eventually just calls `Socket::pack_sockaddr_in` with our `rhost` domain name, which just uses the system

Concern

This fix may have issues with Socks proxies, in which case we shouldn't be doing our own resolution... but it looks like there's already a ticket for this (#70).
Reproduction Steps

The easiest way to observe the effect of this issue is with static rules:

- `dns reset-config`
- `dns remove -i 1`
- `dns add static`
- `dns flush-static`
- `dns flush-cache`
- Point `google.com` to the wrong IP (`dns add-static google.com 1.2.3.4`)
- `irb`
- `send_request_cgi({'rhost'=>'google.com','rport'=>80,'url'=>'/'})`
- The request returns `nil`, since we overrode the IP using our custom DNS.

For a more realistic scenario, set up a DNS server with a private DNS zone. My example is `*.sccm.lab`. Set up an HTTP server on a host within that DNS zone (mine is `mecm.sccm.lab`). Ensure this DNS server is not used by the underlying OS for its DNS resolution (so `dig validHost.private.zone` should fail, but `dig @privateDnsServer validHost.private.zone` succeeds). There are probably ways to simplify the reproduction steps, but this is the use case I encountered the issue with.

- `dns reset-config`
- `dns remove -i 1`
- `dns flush-static`
- `dns flush-cache`
- `dns add --rule *.sccm.lab <privateDnsServer>`
- `irb`
- `send_request_cgi({'rhost'=>'mecm.sccm.lab','rport'=>80,'url'=>'/'})`
- Currently this fails (`` rex-socket/lib/rex/socket.rb:306:in `pack_sockaddr_in': getaddrinfo: Name or service not known (SocketError) ``). Following the fix, it should work.

Now with static entries:

- `dns reset-config`
- `dns remove -i 1`
- `dns add static`
- `dns flush-static`
- `dns flush-cache`
- Point `mecm.sccm.lab` to the correct IP (`dns add-static mecm.sccm.lab <the IP>`)
- `irb`
- `send_request_cgi({'rhost'=>'mecm.sccm.lab','rport'=>80,'url'=>'/'})`
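The shape of the defect and of the fix, as an added illustration that is not rex-socket's code or this PR's patch: `Socket.pack_sockaddr_in` given a hostname hands the lookup to the OS (`getaddrinfo`), so any custom rules are bypassed; resolving through the custom resolver first and packing only the resulting IP literal keeps the socket consistent with the `comm` choice. `StaticResolver`, `pack_via_system`, `pack_via_resolver` and `unpack` are hypothetical names standing in for Metasploit's resolver and the socket-creation path, and the `mecm.sccm.lab` to `192.0.2.10` mapping is a constructed static entry.

```ruby
require 'socket'
require 'ipaddr'

# Hypothetical stand-in for Metasploit's custom DNS resolver, reduced to
# static entries only (hostname => IP string). Constructed for this example.
class StaticResolver
  def initialize(static = {})
    @static = static.transform_keys(&:downcase)
  end

  # Return an IP literal for +host+. IP literals pass through untouched so
  # callers can always hand the result to pack_sockaddr_in without a lookup.
  def resolve(host)
    return host if ip_literal?(host)
    ip = @static[host.downcase]
    raise SocketError, "#{host}: no static entry and no upstream configured" unless ip
    ip
  end

  private

  def ip_literal?(str)
    IPAddr.new(str)
    true
  rescue IPAddr::InvalidAddressError
    false
  end
end

# The pattern the PR describes: packing the sockaddr straight from the
# hostname makes the OS resolver (getaddrinfo) do the lookup, ignoring any
# custom rules. With a name only the private zone knows, this is where the
# "getaddrinfo: Name or service not known (SocketError)" comes from.
def pack_via_system(host, port)
  Socket.pack_sockaddr_in(port, host)
end

# The fix's shape: go through the custom resolver first and give
# pack_sockaddr_in an IP literal, so the OS never performs a DNS lookup.
def pack_via_resolver(resolver, host, port)
  Socket.pack_sockaddr_in(port, resolver.resolve(host))
end

# Decode a packed sockaddr back to [ip, port] so results can be inspected.
def unpack(sockaddr)
  port, ip = Socket.unpack_sockaddr_in(sockaddr)
  [ip, port]
end

if __FILE__ == $0
  resolver = StaticResolver.new('mecm.sccm.lab' => '192.0.2.10') # constructed (TEST-NET-1)
  p unpack(pack_via_resolver(resolver, 'mecm.sccm.lab', 80))      # ["192.0.2.10", 80]
  p unpack(pack_via_system('127.0.0.1', 80))                       # literal: no lookup either way
  # pack_via_system('mecm.sccm.lab', 80) would ask the OS resolver and raise
  # SocketError on a host that does not use the private DNS server.
end
```

The resolver short-circuits on IP literals so the same code path serves both `rhost` forms; the static-entry case mirrors the `dns add-static mecm.sccm.lab <the IP>` reproduction above, and a name with no rule surfaces as a `SocketError` from the custom resolver rather than from `getaddrinfo`.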