Setting up Singularity requires a DNS domain name for which you can edit the DNS records, and a Linux server to run it. Please see the setup singularity wiki page for detailed instructions.
The documentation is on the wiki pages. Here are a few pointers to start:
A test instance is available for demo purposes at http://rebind.it:8080/manager.html.
In optimal conditions, Singularity has been tested to work in under 3 seconds with the following browsers:
Browser | Operating System | Time to Exploit | Rebinding Strategy | Fetch Interval | Target Specification |
---|---|---|---|---|---|
Chrome | Windows 10 | ~3s | Multiple answers (fast) | 1s | 127.0.0.1 |
Edge | Windows 10 | ~3s | Multiple answers (fast) | 1s | 127.0.0.1 |
Firefox | Windows 10 | ~3s | Multiple answers (fast) | 1s | 127.0.0.1 |
Chromium | Ubuntu | ~3s | Multiple answers (fast) | 1s | 0.0.0.0 |
Firefox | Ubuntu | ~3s | Multiple answers (fast) | 1s | 0.0.0.0 |
Chrome | macOS | ~3s | Multiple answers (fast) | 1s | 0.0.0.0 |
Firefox | macOS | ~3s | Multiple answers (fast) | 1s | 0.0.0.0 |
Safari | macOS | ~3s | Multiple answers (fast) | 1s | 0.0.0.0 |
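
A defensive check tied to the table above, as an added example that is not part of the Singularity project: with the multiple-answers strategy, one DNS response for a public name carries an external address together with the loopback or unspecified target (127.0.0.1 or 0.0.0.0), which can be flagged in resolver logs. The hostnames, addresses and local suffixes below are constructed assumptions.

```python
import ipaddress

# Ranges a public hostname should not resolve to (RFC 1918 and IPv6 unique-local);
# loopback, unspecified and link-local are covered by ipaddress flags below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
# Assumption: suffixes used for names that legitimately resolve internally.
LOCAL_SUFFIXES = (".local", ".internal", ".localhost")

def is_internal(addr):
    """True if addr is loopback, unspecified (0.0.0.0), link-local or private."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped:   # e.g. ::ffff:127.0.0.1
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_unspecified or ip.is_link_local
            or any(ip in net for net in INTERNAL_NETS))

def classify(name, answers):
    """Return 'ok', 'mixed' (external + internal answers) or 'internal-only'."""
    host = "." + name.rstrip(".").lower()
    if host.endswith(LOCAL_SUFFIXES):
        return "ok"
    internal = [a for a in answers if is_internal(a)]
    if not internal:
        return "ok"
    return "mixed" if len(internal) < len(answers) else "internal-only"

def flag_rebinding_candidates(responses):
    """Return (name, verdict) for each answer set that is not 'ok'."""
    flagged = []
    for name, answers in responses:
        verdict = classify(name, answers)
        if verdict != "ok":
            flagged.append((name, verdict))
    return flagged

# Constructed sample of resolver log entries: (query name, A/AAAA answers).
SAMPLE_RESPONSES = [
    ("www.example.org.", ["203.0.113.10"]),
    ("a.rebinder.example.net.", ["203.0.113.20", "127.0.0.1"]),
    ("b.rebinder.example.net.", ["203.0.113.20", "0.0.0.0"]),
    ("meta.example.net.", ["169.254.169.254"]),
    ("v6.example.net.", ["::ffff:127.0.0.1"]),
    ("printer.corp.internal.", ["10.1.2.3"]),
]

if __name__ == "__main__":
    for name, verdict in flag_rebinding_candidates(SAMPLE_RESPONSES):
        print(f"{verdict:13} {name}")
```

A `mixed` verdict matches the multiple-answers pattern from the table; `internal-only` covers public names that resolve solely to an internal address, including the IPv4-mapped IPv6 form of loopback.
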
Singularity supports the following attack payloads:
- `simple-fetch-get.js`: This sample payload makes a GET request to the root directory (‘/’) and shows the server response using the `fetch` API. The goal of this payload is to function as an example request to make additional contributions as easy as possible.
- `exposed-chrome-devtools.js`: This payload demonstrates a remote code execution (RCE) vulnerability in Microsoft VS Code fixed in version 1.19.3. This payload can be adapted to exploit any software that exposes Chrome Dev Tools on `localhost`.
- `etcd.js`: This payload retrieves the keys and values from the etcd key-value store.
- `pyethapp.js`: Exploits the Python implementation of the Ethereum client Pyethapp to get the list of owned eth addresses and retrieve the balance of the first eth address.
- `rails-console-rce.js`: Performs a remote code execution (RCE) attack on the Rails Web Console.
- `aws-metadata-exfil.js`: Forces a headless browser to exfiltrate AWS metadata including private keys to a given host. Check the payload contents for additional details on how to set up the attack.
- `duplicati-rce.js`: This payload exploits the Duplicati backup client and performs a remote code execution (RCE) attack. For this attack to work, parameter `targetURL` in file `payload-duplicati-rce.html` must be updated to point to a valid Duplicati backup containing the actual RCE payload, a shell script.
- `webpdb.js`: A generic RCE payload to exploit `PDB`, a Python debugger exposed via websockets.
- `hook-and-control.js`: Hijack target browsers and use them to access inaccessible resources from your own browser or other HTTP clients. You can retrieve the list of hooked browsers on the “soohooked” sub-domain of the Singularity manager host on port 3129 by default, e.g. http://soohooked.rebinder.your.domain:3129/. To authenticate, submit the secret value dumped to the console by the Singularity server at startup.
- `jenkins-script-console.js`: This payload exploits the Jenkins Script Console and displays the stored credentials.
- `docker-api.js`: This payload exploits the Docker API and displays the `/etc/shadow` file of the Docker host.