Like the HINFO and MINFO RR's, TXT is vulnerable to RCE attacks and has
no purpose at the moment. TXT may be needed in the future (e.g. data
exfiltration) which is why it has been removed separately.
These RR's are very difficult to validate and, in their current state,
are vulnerable to RCE attacks. Furthermore, BeEF does not have a use for
these RR's.
Even though #print_more will display nothing since ''.split("\n").each()
iterates 0 times, it will still be called without this modifier which is
unnecessary.
Throw `UnknownDnsResourceError` instead of `InvalidDnsResourceError`
Prevents `[20:30:55][!] Internal error while adding DNS rule (uninitialized constant BeEF::Core::Models::Dns::Rule::InvalidDnsResourceError)` for invalid user supplied DNS response types.
'BeEF::Core::Models::Dns::Rule::InvalidDnsResourceError' does not exist, and it's unlikely we'll need to differentiate between invalid and unknown resource types.
This cleans up the API a bit by removing the requirement of placing #run
inside a Thread.new {EventMachine.next_tick {}} block. That should not
be the caller's responsibility.
Previously, upstream nameservers were configured by default even if the
config file did not specify them. Now upstream nameservers are only
used if they are specified. If none are given, then NXDOMAIN is
returned for unresolvable requests.
Even though it is unlikely that a user would remove these options from
the DNS config file, it is still good practice to have these safeguards
in place.
This is primarily intended to add clarity by reducing clutter. Moreover,
it also has the side effect of improving performance very slightly by
removing the overhead of calling #instance numerous times.
Many filter checks were removed because the new DNS extension performs
validation before performing any database operation.
Modified message for InvalidParamError to be more modular.
Uses BeEF::Filters to ensure that empty, null, and non-printable
patterns are tossed out. Added new InvalidDnsPatternError exception
class to handle these cases.
Renamed #validate_response to #format_callback since the name is more
appropriate.
Using parameterized methods is better structured coding style rather
than defining multiple similarly-behaved methods.
annex_region('crimea') # good
vs.
annex_crimea # bad
Perhaps the ugliest part of the DNS extension, it is also the most
crucial. This method ensures that a given resource and response are
appropriate for each other. It must also prevent RCE vulns since the
input is eval'd later on.
However, HINFO, MINFO, and especially TXT validation is not strict
enough. These three need to be reviewed scrupulously since a 100%
anti-RCE solution may prove to be difficult.
The DNS server now searches for matching rules and sends its response
when handling incoming requests. However, all rules are still assigned
the same callback for the moment.
Changed Logger overrides to disable logging instead of using BeEF's
print_* methods. RubyDNS logging is too verbose. The DNS extension will
perform debug logging on its own.
