SoylentNews is people

Running DOOM Over DNS Queries

Accepted submission by hubie at 2026-03-29 00:17:00
/dev/random

Can it Resolve DOOM? Game Engine in 2,000 DNS Records [blog.rice.is]:

If you've ever poked at one of my CTF challenges, you've probably noticed a pattern - I love hiding payloads in TXT DNS records. I stash the malicious code in a TXT record, have the implant query for it at runtime, and now suddenly the payload is being delivered by the same infrastructure that resolves grandmas-cookie-recipes.com. It's trivially easy to set up and surprisingly annoying to catch forensically, because who's flagging the historic contents of TXT records?

I've always suspected the technique could go further than staging shellcode. TXT records are just arbitrary text fields with no validation. If you can store a payload, you can store a file. If you can store a file, you can store a program. And if you can store a program... well, it can probably run DOOM.

[...] The universal benchmark for "can this thing do something it was never designed to do?" is, always has been, and always will be DOOM. Thermostats run DOOM, pregnancy tests run DOOM, and I want DNS to run DOOM.

The idea is to fetch the entire game engine and its assets from DNS TXT records, load everything into memory, and run it. No downloads, no installers, and no files written to disk. My goal is to load the game into memory entirely through public DNS queries.

While researching this, I knew I needed to use a DOOM port written in a language that could be reflected into memory in Windows. I knew C# is used frequently by threat actors for this, but I don't know C# and wasn't about to rewrite the DOOM source myself, so that's where I started looking.

I found managed-doom, a pure C# port of the original DOOM engine. Managed .NET assemblies can be loaded from raw bytes in memory, so no files need to exist on the filesystem. In theory, this meant I could fetch the game's compiled code from DNS and execute it without ever touching the disk.

[...] And it works. DOOM is stored, launched, and running from DNS records.

[...] DNS is almost 45 years old and it was designed to map hostnames to IP addresses. It is not a file storage system. It was not designed to be a file storage system. Nobody at the IETF was thinking about it being used as a file storage system when they wrote RFC 1035.

Yet here we are. The most boring protocol on the internet is also, quietly, one of the most abusable.

[...] The full source for this project is available on GitHub [github.com].
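For defenders, the fetch pattern the excerpt describes (one client pulling a large number of TXT records from a single zone) is visible in resolver query logs even when record contents are not retained. The following is an added example, not code from the blog post or its GitHub project; the log format, the sample lines, and both thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed resolver query log: "epoch client qname qtype answer_bytes".
# The format and every value below are made up for this example.
def make_sample_log():
    lines = [
        "1700000000 10.0.0.5 www.example.org A 64",
        "1700000001 10.0.0.5 example.org TXT 120",       # ordinary SPF-style lookup
        "1700000002 10.0.0.7 _dmarc.example.net TXT 90",
    ]
    # One client pulling many distinct, large TXT records from one zone.
    for i in range(300):
        lines.append(f"{1700000010 + i} 10.0.0.9 chunk{i}.staging.example.com TXT 1900")
    return lines

def parent_zone(qname):
    # Naive: last two labels. Production code should use the Public Suffix List.
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def find_txt_bulk_fetch(lines, min_names=100, min_bytes=100_000):
    """Return [(client, zone, distinct_names, total_bytes)] above both thresholds."""
    names = defaultdict(set)
    size = defaultdict(int)
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[3].upper() != "TXT":
            continue                      # skip malformed lines and non-TXT queries
        _, client, qname, _, nbytes = parts
        if not nbytes.isdigit():
            continue
        key = (client, parent_zone(qname))
        name = qname.lower()
        if name not in names[key]:        # count each record once; ignore retries
            names[key].add(name)
            size[key] += int(nbytes)
    hits = [(c, z, len(n), size[(c, z)]) for (c, z), n in names.items()
            if len(n) >= min_names and size[(c, z)] >= min_bytes]
    return sorted(hits, key=lambda h: -h[3])

if __name__ == "__main__":
    for client, zone, n, total in find_txt_bulk_fetch(make_sample_log()):
        print(f"{client} fetched {n} distinct TXT names under {zone} ({total} bytes)")
```

Thresholds need tuning against a baseline, since mail gateways and some security products legitimately issue many TXT lookups.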