Land #8186, Convert DNS Fuzzer to use bindata
commit
c21d78b23b
|
@ -119,6 +119,9 @@ module Auxiliary::UDPScanner
|
||||||
# Send a packet to a given host and port
|
# Send a packet to a given host and port
|
||||||
def scanner_send(data, ip, port)
|
def scanner_send(data, ip, port)
|
||||||
|
|
||||||
|
# flatten any bindata objects
|
||||||
|
data = data.to_binary_s if data.respond_to?('to_binary_s')
|
||||||
|
|
||||||
resend_count = 0
|
resend_count = 0
|
||||||
sock = nil
|
sock = nil
|
||||||
begin
|
begin
|
||||||
|
|
|
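Review bot: The new `data.respond_to?('to_binary_s')` check in scanner_send passes a String where a Symbol is the usual form; `data = data.to_binary_s if data.respond_to?(:to_binary_s)` reads the same and avoids the per-call string. The comment above the method still says only "Send a packet to a given host and port". Since this mixin is shared by the UDP scanner modules, it should also state that `data` may be a raw String or any object that responds to `to_binary_s`, which is serialized before sending. The body of scanner_send continues past the end of the hunk.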
@ -5,7 +5,7 @@
|
||||||
|
|
||||||
|
|
||||||
require 'msf/core'
|
require 'msf/core'
|
||||||
require 'bit-struct'
|
require 'bindata'
|
||||||
|
|
||||||
class MetasploitModule < Msf::Auxiliary
|
class MetasploitModule < Msf::Auxiliary
|
||||||
|
|
||||||
|
@ -53,44 +53,34 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
], self.class)
|
], self.class)
|
||||||
end
|
end
|
||||||
|
|
||||||
class Dns_header < BitStruct
|
class Dns_header < BinData::Record
|
||||||
unsigned :txid, 16, { :default => rand(0xffff) }
|
endian :big
|
||||||
unsigned :qr, 1, { :default => 0 }
|
uint16 :txid, initial_value: rand(0xffff)
|
||||||
unsigned :opcode, 4, { :default => 0 }
|
bit1 :qr
|
||||||
unsigned :aa, 1, { :default => 0 }
|
bit4 :opcode
|
||||||
unsigned :tc, 1, { :default => 0 }
|
bit1 :aa
|
||||||
unsigned :rd, 1, { :default => 0 }
|
bit1 :tc
|
||||||
unsigned :ra, 1, { :default => 0 }
|
bit1 :rd
|
||||||
unsigned :z, 3, { :default => 0 }
|
bit1 :ra
|
||||||
unsigned :rcode, 4, { :default => 0 }
|
bit3 :z
|
||||||
unsigned :questions, 16, { :default => 1 }
|
bit4 :rcode
|
||||||
unsigned :answerRR, 16, { :default => 0 }
|
uint16 :questions, initial_value: 1
|
||||||
unsigned :authorityRR, 16, { :default => 0 }
|
uint16 :answerRR
|
||||||
unsigned :additionalRR, 16, { :default => 0 }
|
uint16 :authorityRR
|
||||||
rest :payload
|
uint16 :additionalRR
|
||||||
|
rest :payload
|
||||||
def initialize(*args)
|
|
||||||
@options = []
|
|
||||||
super
|
|
||||||
end
|
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
class Dns_add_rr < BitStruct
|
class Dns_add_rr < BinData::Record
|
||||||
unsigned :name, 8, { :default => 0 }
|
endian :big
|
||||||
unsigned :type, 16, { :default => 0x0029 }
|
uint8 :name
|
||||||
unsigned :payloadsize, 16, { :default => 0x1000 }
|
uint16 :rr_type, initial_value: 0x0029
|
||||||
unsigned :highercode, 8, { :default => 0 }
|
uint16 :payloadsize, initial_value: 0x1000
|
||||||
unsigned :ednsversion, 8, { :default => 0 }
|
uint8 :highercode
|
||||||
unsigned :zlow, 8, { :default => 0 }
|
uint8 :ednsversion
|
||||||
unsigned :zhigh,8, { :default => 0x80 }
|
uint8 :zlow
|
||||||
unsigned :datalength, 16, { :default => 0 }
|
uint8 :zhigh, initial_value: 0x80
|
||||||
|
uint16 :datalength
|
||||||
def initialize(*args)
|
|
||||||
@options = []
|
|
||||||
super
|
|
||||||
end
|
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def msg
|
def msg
|
||||||
|
@ -124,21 +114,24 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
domain << "."
|
domain << "."
|
||||||
domain << @domain
|
domain << @domain
|
||||||
end
|
end
|
||||||
|
|
||||||
splitFQDN = domain.split('.')
|
splitFQDN = domain.split('.')
|
||||||
payload = splitFQDN.inject("") { |a,x| a + [x.length,x].pack("CA*") }
|
payload = splitFQDN.inject("") { |a,x| a + [x.length,x].pack("CA*") }
|
||||||
pkt = Dns_header.new
|
pkt = Dns_header.new
|
||||||
pkt.txid = rand(0xffff)
|
pkt.txid = rand(0xffff)
|
||||||
pkt.opcode = 0x0000
|
pkt.opcode = 0x0000
|
||||||
pkt.payload = payload + "\x00" + "\x00\x01" + "\x00\x01"
|
pkt.payload = payload + "\x00" + "\x00\x01" + "\x00\x01"
|
||||||
testingPkt = pkt.to_s
|
testingPkt = pkt.to_binary_s
|
||||||
udp_sock.put(testingPkt) if method == "UDP"
|
|
||||||
sock.put(testingPkt) if method == "TCP"
|
|
||||||
|
|
||||||
res, addr = udp_sock.recvfrom(65535,5) if method == "UDP"
|
if method == "UDP"
|
||||||
res, addr = sock.get_once(-1,5) if method == "TCP"
|
udp_sock.put(testingPkt)
|
||||||
|
res, addr = udp_sock.recvfrom(65535)
|
||||||
disconnect_udp if method == "UDP"
|
disconnect_udp
|
||||||
disconnect if method == "TCP"
|
elsif method == "TCP"
|
||||||
|
sock.put(testingPkt)
|
||||||
|
res, addr = sock.get_once(-1, 20)
|
||||||
|
disconnect
|
||||||
|
end
|
||||||
|
|
||||||
if res && res.empty?
|
if res && res.empty?
|
||||||
print_error("#{msg} The remote server is not responding to DNS requests.")
|
print_error("#{msg} The remote server is not responding to DNS requests.")
|
||||||
|
@ -275,9 +268,9 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
if dnssec
|
if dnssec
|
||||||
dnssecpkt = Dns_add_rr.new
|
dnssecpkt = Dns_add_rr.new
|
||||||
pkt.additionalRR = 1
|
pkt.additionalRR = 1
|
||||||
pkt = pkt + dnssecpkt
|
pkt.payload = dnssecpkt.to_binary_s
|
||||||
end
|
end
|
||||||
return pkt
|
return pkt.to_binary_s
|
||||||
end
|
end
|
||||||
|
|
||||||
def dns_send(data,method)
|
def dns_send(data,method)
|
||||||
|
@ -302,7 +295,12 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
return true
|
return true
|
||||||
elsif @failCount >= 3
|
elsif @failCount >= 3
|
||||||
if dns_alive(method) == false
|
if dns_alive(method) == false
|
||||||
print_error("#{msg} DNS is DOWN since the request:\n#{@lastdata.unpack('H*')}")
|
if @lastdata
|
||||||
|
print_error("#{msg} DNS is DOWN since the request:")
|
||||||
|
print_error(lastdata.unpack('H*'))
|
||||||
|
else
|
||||||
|
print_error("#{msg} DNS is DOWN")
|
||||||
|
end
|
||||||
return false
|
return false
|
||||||
else
|
else
|
||||||
return true
|
return true
|
||||||
|
|
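Review bot: In the `@failCount >= 3` branch the new guard tests `@lastdata`, but the following call reads `lastdata.unpack('H*')` without the `@`. Unless the module defines a `lastdata` reader outside the visible hunks, that line raises NameError on the very path that is supposed to report which request preceded the outage, so the operator loses the reproducer. `unpack` also returns an Array, so the hex string should be taken explicitly: `print_error(@lastdata.unpack('H*').first)`. The enclosing method starts and ends outside this hunk.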