Setting up Singularity requires a DNS domain name whose DNS records you can edit and a Linux server to run it on. Please see the setup singularity wiki page for detailed instructions.
The documentation is on the wiki pages. Here are a few pointers to start:
A test instance is available for demo purposes at http://rebind.it:8080/manager.html.
Singularity has been tested to work with the following browsers in optimal conditions in under 3 seconds:
|Browser|Operating System|Time to Exploit|Rebinding Strategy|Fetch Interval|Target Specification|
|---|---|---|---|---|---|
Singularity supports the following attack payloads:
- `simple-fetch-get.js`: This sample payload makes a GET request to the root directory (‘/’) and shows the server response using the `fetch` API. The goal of this payload is to serve as an example request that makes additional contributions as easy as possible.
- `exposed-chrome-devtools.js`: This payload demonstrates a remote code execution (RCE) vulnerability in Microsoft VS Code fixed in version 1.19.3. This payload can be adapted to exploit any software that exposes Chrome Dev Tools on
- `etcd.js`: This payload retrieves the keys and values from the etcd key-value store.
- `pyethapp.js`: Exploits the Python implementation of the Ethereum client Pyethapp to get the list of owned eth addresses and retrieve the balance of the first eth address.
- `rails-console-rce.js`: Performs a remote code execution (RCE) attack on the Rails Web Console.
- `aws-metadata-exfil.js`: Forces a headless browser to exfiltrate AWS metadata including private keys to a given host. Check the payload contents for additional details on how to set up the attack.
- `duplicati-rce.js`: This payload exploits the Duplicati backup client and performs a remote code execution (RCE) attack. For this attack to work, parameter `payload-duplicati-rce.html` must be updated to point to a valid Duplicati backup containing the actual RCE payload, a shell script.
- `webpdb.js`: A generic RCE payload to exploit `PDB`, a Python debugger exposed via websockets.
- `hook-and-control.js`: Hijack target browsers and use them to access inaccessible resources from your own browser or other HTTP clients. You can retrieve the list of hooked browsers on the “soohooked” sub-domain of the Singularity manager host on port 3129 by default, e.g. http://soohooked.rebinder.your.domain:3129/. To authenticate, submit the secret value dumped to the console by the Singularity server at startup.
- `jenkins-script-console.js`: This payload exploits the Jenkins Script Console and displays the stored credentials.
- `docker-api.js`: This payload exploits the Docker API and displays the `/etc/shadow` file of the Docker host.
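
The services targeted above are reachable by a rebound browser because they answer requests no matter which name the browser used to reach them. The following is an added example, not part of Singularity or of the original page: a `Host` header allowlist that a locally bound service can apply before handling a request. The allowlist, the port 8080 and the sample header values are assumptions constructed for illustration.

```javascript
// Added example: Host-header allowlist for a service bound to localhost.
// ALLOWED_HOSTS and SERVICE_PORT are assumed values, not taken from any project.
const ALLOWED_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);
const SERVICE_PORT = 8080;

// Split a Host header into { host, port }; returns null when malformed.
function parseHostHeader(value) {
  if (typeof value !== "string") return null;
  const v = value.trim().toLowerCase();
  // IPv6 literal form: "[::1]" or "[::1]:8080"
  let m = /^(\[[0-9a-f:.]+\])(?::(\d{1,5}))?$/.exec(v);
  // Hostname or IPv4 form: "localhost", "127.0.0.1:8080"
  if (!m) m = /^([a-z0-9.-]+)(?::(\d{1,5}))?$/.exec(v);
  if (!m) return null;
  const host = m[1].replace(/\.$/, ""); // "localhost." names the same host
  // A Host header without a port implies the default HTTP port.
  const port = m[2] === undefined ? 80 : Number(m[2]);
  return { host, port };
}

// True only when the request was addressed to a name this service owns.
function isAllowedHost(value, allowed = ALLOWED_HOSTS, port = SERVICE_PORT) {
  const parsed = parseHostHeader(value);
  if (parsed === null) return false;
  if (parsed.port !== port) return false;
  return allowed.has(parsed.host);
}

// Constructed sample Host headers: three legitimate, the rest to be rejected.
const SAMPLE_HOSTS = [
  "localhost:8080",
  "127.0.0.1:8080",
  "[::1]:8080",
  "rebinder.your.domain:8080",  // name owned by someone else, resolving here
  "localhost.your.domain:8080", // allowed name used as a prefix only
  "localhost:9090",             // wrong port
  "",                           // missing header
];

// Map each sample to the HTTP status the service would answer with.
function classify(samples) {
  return samples.map((h) => ({ host: h, status: isAllowedHost(h) ? 200 : 403 }));
}

console.log(classify(SAMPLE_HOSTS));
```

A service would call `isAllowedHost(req.headers.host)` first in its request handling and answer 403 on `false`; the same check applies to WebSocket upgrade requests.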