489 lines
16 KiB
Ruby
489 lines
16 KiB
Ruby
##
|
|
# This module requires Metasploit: https://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
require 'bindata'
|
|
|
|
class MetasploitModule < Msf::Auxiliary
|
|
include Msf::Exploit::Remote::Udp
|
|
include Msf::Exploit::Remote::Tcp
|
|
include Msf::Auxiliary::Fuzzer
|
|
include Msf::Auxiliary::Scanner
|
|
|
|
def initialize
|
|
super(
|
|
'Name' => 'DNS and DNSSEC Fuzzer',
|
|
'Description' => %q{
|
|
This module will connect to a DNS server and perform DNS and
|
|
DNSSEC protocol-level fuzzing. Note that this module may inadvertently
|
|
crash the target server.
|
|
},
|
|
'Author' => [ 'pello <fropert[at]packetfault.org>' ],
|
|
'License' => MSF_LICENSE
|
|
)
|
|
|
|
register_options([
|
|
Opt::RPORT(53),
|
|
OptInt.new('STARTSIZE', [ false, "Fuzzing string startsize.",0]),
|
|
OptInt.new('ENDSIZE', [ false, "Max Fuzzing string size. (L2 Frame size)",500]),
|
|
OptInt.new('STEPSIZE', [ false, "Increment fuzzing string each attempt.",100]),
|
|
OptInt.new('ERRORHDR', [ false, "Introduces byte error in the DNS header.", 0]),
|
|
OptBool.new('CYCLIC', [ false, "Use Cyclic pattern instead of A's (fuzzing payload).",true]),
|
|
OptInt.new("ITERATIONS", [true, "Number of iterations to run by test case", 5]),
|
|
OptString.new('DOMAIN', [ false, "Force DNS zone domain name."]),
|
|
OptString.new('IMPORTENUM', [ false, "Import dns_enum database output and automatically use existing RR."]),
|
|
OptEnum.new('METHOD', [false, 'Underlayer protocole to use', 'UDP', ['UDP', 'TCP', 'AUTO']]),
|
|
OptBool.new('DNSSEC', [ false, "Add DNSsec to each question (UDP payload size, EDNS0, ...)",false]),
|
|
OptBool.new('TRAILINGNUL', [ false, "NUL byte terminate DNS names",true]),
|
|
OptBool.new('RAWPADDING', [ false, "Generate totally random data from STARTSIZE to ENDSIZE",false]),
|
|
OptString.new('OPCODE', [ false, "Comma separated list of opcodes to fuzz. Leave empty to fuzz all fields.",'' ]),
|
|
# OPCODE accepted values: QUERY,IQUERY,STATUS,UNASSIGNED,NOTIFY,UPDATE
|
|
OptString.new('CLASS', [ false, "Comma separated list of classes to fuzz. Leave empty to fuzz all fields.",'' ]),
|
|
# CLASS accepted values: IN,CH,HS,NONE,ANY
|
|
OptString.new('RR', [ false, "Comma separated list of requests to fuzz. Leave empty to fuzz all fields.",'' ])
|
|
# RR accepted values: A,CNAME,MX,PTR,TXT,AAAA,HINFO,SOA,NS,WKS,RRSIG,DNSKEY,DS,NSEC,NSEC3,NSEC3PARAM
|
|
# RR accepted values: AFSDB,ISDN,RP,RT,X25,PX,SRV,NAPTR,MD,MF,MB,MG,MR,NULL,MINFO,NSAP,NSAP-PTR,SIG
|
|
# RR accepted values: KEY,GPOS,LOC,NXT,EID,NIMLOC,ATMA,KX,CERT,A6,DNAME,SINK,OPT,APL,SSHFP,IPSECKEY
|
|
# RR accepted values: DHCID,HIP,NINFO,RKEY,TALINK,SPF,UINFO,UID,GID,UNSPEC,TKEY,TSIG,IXFR,AXFR,MAILB
|
|
# RR accepted values: MAIL,*,TA,DLV,RESERVED
|
|
])
|
|
end
|
|
|
|
class Dns_header < BinData::Record
|
|
endian :big
|
|
uint16 :txid, initial_value: rand(0xffff)
|
|
bit1 :qr
|
|
bit4 :opcode
|
|
bit1 :aa
|
|
bit1 :tc
|
|
bit1 :rd
|
|
bit1 :ra
|
|
bit3 :z
|
|
bit4 :rcode
|
|
uint16 :questions, initial_value: 1
|
|
uint16 :answerRR
|
|
uint16 :authorityRR
|
|
uint16 :additionalRR
|
|
rest :payload
|
|
end
|
|
|
|
class Dns_add_rr < BinData::Record
|
|
endian :big
|
|
uint8 :name
|
|
uint16 :rr_type, initial_value: 0x0029
|
|
uint16 :payloadsize, initial_value: 0x1000
|
|
uint8 :highercode
|
|
uint8 :ednsversion
|
|
uint8 :zlow
|
|
uint8 :zhigh, initial_value: 0x80
|
|
uint16 :datalength
|
|
end
|
|
|
|
def msg
|
|
"#{rhost}:#{rport} - DNS -"
|
|
end
|
|
|
|
def check_response_construction(pkt)
|
|
# check if RCODE is not in the unassigned/reserved range
|
|
if pkt[4].to_i >= 0x17 || (pkt[4].to_i >= 0x0b && pkt[4].to_i <= 0x0f)
|
|
print_error("#{msg} Server replied incorrectly to the following request:\n#{@lastdata.unpack('H*')}")
|
|
return false
|
|
else
|
|
return true
|
|
end
|
|
end
|
|
|
|
def dns_alive(method)
|
|
connect_udp if method == "UDP" || method == "AUTO"
|
|
connect if method == "TCP"
|
|
|
|
payload = ""
|
|
domain = ""
|
|
if @domain == nil
|
|
domain << Rex::Text.rand_text_alphanumeric(rand(2)+2)
|
|
domain << "."
|
|
domain << Rex::Text.rand_text_alphanumeric(rand(6)+3)
|
|
domain << "."
|
|
domain << Rex::Text.rand_text_alphanumeric(2)
|
|
else
|
|
domain << Rex::Text.rand_text_alphanumeric(rand(2)+2)
|
|
domain << "."
|
|
domain << @domain
|
|
end
|
|
|
|
splitFQDN = domain.split('.')
|
|
payload = splitFQDN.inject("") { |a,x| a + [x.length,x].pack("CA*") }
|
|
pkt = Dns_header.new
|
|
pkt.txid = rand(0xffff)
|
|
pkt.opcode = 0x0000
|
|
pkt.payload = payload + "\x00" + "\x00\x01" + "\x00\x01"
|
|
testingPkt = pkt.to_binary_s
|
|
|
|
if method == "UDP"
|
|
udp_sock.put(testingPkt)
|
|
res, addr = udp_sock.recvfrom(65535)
|
|
disconnect_udp
|
|
elsif method == "TCP"
|
|
sock.put(testingPkt)
|
|
res, addr = sock.get_once(-1, 20)
|
|
disconnect
|
|
end
|
|
|
|
if res && res.empty?
|
|
print_error("#{msg} The remote server is not responding to DNS requests.")
|
|
return false
|
|
else
|
|
return true
|
|
end
|
|
end
|
|
|
|
def fuzz_padding(payload, size)
|
|
padding = size - payload.length
|
|
if padding <= 0 then return payload end
|
|
if datastore['CYCLIC']
|
|
@fuzzdata = Rex::Text.rand_text_alphanumeric(padding)
|
|
else
|
|
@fuzzdata = 'A' * padding
|
|
end
|
|
payload = payload.ljust(padding, @fuzzdata)
|
|
return payload
|
|
end
|
|
|
|
def corrupt_header(pkt,nb)
|
|
len = pkt.length - 1
|
|
for i in 0..nb - 1
|
|
selectByte = rand(len)
|
|
pkt[selectByte] = [rand(255).to_s].pack('H')
|
|
end
|
|
return pkt
|
|
end
|
|
|
|
def random_payload(size)
|
|
pkt = Array.new
|
|
for i in 0..size - 1
|
|
pkt[i] = [rand(255).to_s].pack('H')
|
|
end
|
|
return pkt
|
|
end
|
|
|
|
def setup_fqdn(domain,entry)
|
|
if domain == nil
|
|
domain = ""
|
|
domain << Rex::Text.rand_text_alphanumeric(rand(62)+2)
|
|
domain << "."
|
|
domain << Rex::Text.rand_text_alphanumeric(rand(61)+3)
|
|
domain << "."
|
|
domain << Rex::Text.rand_text_alphanumeric(rand(62)+2)
|
|
elsif @dnsfile
|
|
domain = entry + "." + domain
|
|
else
|
|
domain = Rex::Text.rand_text_alphanumeric(rand(62)+2) + "." + domain
|
|
end
|
|
return domain
|
|
end
|
|
|
|
def import_enum_data(dnsfile)
|
|
enumdata = Array.new(count = File.foreach(dnsfile).inject(0) {|c, line| c+1}, 0)
|
|
idx = 0
|
|
File.open(dnsfile,"rb").each_line do |line|
|
|
line = line.split(",")
|
|
enumdata[idx] = Hash.new
|
|
enumdata[idx][:name] = line[0].strip
|
|
enumdata[idx][:rr] = line[1].strip
|
|
enumdata[idx][:class] = line[2].strip
|
|
idx = idx + 1
|
|
end
|
|
return enumdata
|
|
end
|
|
|
|
def setup_nsclass(nsclass)
|
|
classns = ""
|
|
for idx in nsclass
|
|
classns << {
|
|
"IN" => 0x0001, "CH" => 0x0003, "HS" => 0x0004,
|
|
"NONE" => 0x00fd, "ANY" => 0x00ff
|
|
}.values_at(idx).pack("n")
|
|
end
|
|
return classns
|
|
end
|
|
|
|
def setup_opcode(nsopcode)
|
|
opcode = ""
|
|
for idx in nsopcode
|
|
opcode << {
|
|
"QUERY" => 0x0000, "IQUERY" => 0x0001, "STATUS" => 0x0002,
|
|
"UNASSIGNED" => 0x0003, "NOTIFY" => 0x0004, "UPDATE" => 0x0005
|
|
}.values_at(idx).pack("n")
|
|
end
|
|
return opcode
|
|
end
|
|
|
|
def setup_reqns(nsreq)
|
|
reqns= ""
|
|
for idx in nsreq
|
|
reqns << {
|
|
"A" => 0x0001, "NS" => 0x0002, "MD" => 0x0003, "MF" => 0x0004,
|
|
"CNAME" => 0x0005, "SOA" => 0x0006, "MB" => 0x0007, "MG" => 0x0008,
|
|
"MR" => 0x0009, "NULL" => 0x000a, "WKS" => 0x000b, "PTR" => 0x000c,
|
|
"HINFO" => 0x000d, "MINFO" => 0x000e, "MX" => 0x000f, "TXT" => 0x0010,
|
|
"RP" => 0x0011, "AFSDB" => 0x0012, "X25" => 0x0013, "ISDN" => 0x0014,
|
|
"RT" => 0x0015, "NSAP" => 0x0016, "NSAP-PTR" => 0x0017, "SIG" => 0x0018,
|
|
"KEY" => 0x0019, "PX" => 0x001a, "GPOS" => 0x001b, "AAAA" => 0x001c,
|
|
"LOC" => 0x001d, "NXT" => 0x001e, "EID" => 0x001f, "NIMLOC" => 0x0020,
|
|
"SRV" => 0x0021, "ATMA" => 0x0022, "NAPTR" => 0x0023, "KX" => 0x0024,
|
|
"CERT" => 0x0025, "A6" => 0x0026, "DNAME" => 0x0027, "SINK" => 0x0028,
|
|
"OPT" => 0x0029, "APL" => 0x002a, "DS" => 0x002b, "SSHFP" => 0x002c,
|
|
"IPSECKEY" => 0x002d, "RRSIG" => 0x002e, "NSEC" => 0x002f, "DNSKEY" => 0x0030,
|
|
"DHCID" => 0x0031, "NSEC3" => 0x0032, "NSEC3PARAM" => 0x0033, "HIP" => 0x0037,
|
|
"NINFO" => 0x0038, "RKEY" => 0x0039, "TALINK" => 0x003a, "SPF" => 0x0063,
|
|
"UINFO" => 0x0064, "UID" => 0x0065, "GID" => 0x0066, "UNSPEC" => 0x0067,
|
|
"TKEY" => 0x00f9, "TSIG" => 0x00fa, "IXFR" => 0x00fb, "AXFR" => 0x00fc,
|
|
"MAILA" => 0x00fd, "MAILB" => 0x00fe, "*" => 0x00ff, "TA" => 0x8000,
|
|
"DLV" => 0x8001, "RESERVED" => 0xffff
|
|
}.values_at(idx).pack("n")
|
|
end
|
|
return reqns
|
|
end
|
|
|
|
def build_packet(dnsOpcode,dnssec,trailingnul,reqns,classns,payload)
|
|
pkt = Dns_header.new
|
|
pkt.opcode = dnsOpcode
|
|
if trailingnul
|
|
if @dnsfile
|
|
pkt.payload = payload + "\x00" + reqns + classns
|
|
else
|
|
pkt.payload = payload + "\x00" + [reqns].pack("n") + [classns].pack("n")
|
|
end
|
|
else
|
|
if @dnsfile
|
|
pkt.payload = payload + [(rand(255) + 1).to_s].pack('H') + reqns + classns
|
|
else
|
|
pkt.payload = payload + [(rand(255) + 1).to_s].pack('H') + [dnsReq].pack("n") + [dnsClass].pack("n")
|
|
end
|
|
end
|
|
if dnssec
|
|
dnssecpkt = Dns_add_rr.new
|
|
pkt.additionalRR = 1
|
|
pkt.payload = dnssecpkt.to_binary_s
|
|
end
|
|
return pkt.to_binary_s
|
|
end
|
|
|
|
def dns_send(data,method)
|
|
method = "UDP" if (method == "AUTO" && data.length < 512)
|
|
method = "TCP" if (method == "AUTO" && data.length >= 512)
|
|
|
|
connect_udp if method == "UDP"
|
|
connect if method == "TCP"
|
|
udp_sock.put(data) if method == "UDP"
|
|
sock.put(data) if method == "TCP"
|
|
|
|
res, addr = udp_sock.recvfrom(65535,1) if method == "UDP"
|
|
res, addr = sock.get_once(-1,1) if method == "TCP"
|
|
|
|
disconnect_udp if method == "UDP"
|
|
disconnect if method == "TCP"
|
|
|
|
if res && res.length == 0
|
|
@failCount += 1
|
|
if @failCount == 1
|
|
@probablyVuln = @lastdata if @lastdata != nil
|
|
return true
|
|
elsif @failCount >= 3
|
|
if dns_alive(method) == false
|
|
if @lastdata
|
|
print_error("#{msg} DNS is DOWN since the request:")
|
|
print_error(lastdata.unpack('H*'))
|
|
else
|
|
print_error("#{msg} DNS is DOWN")
|
|
end
|
|
return false
|
|
else
|
|
return true
|
|
end
|
|
else
|
|
return true
|
|
end
|
|
elsif res && res.length > 0
|
|
@lastdata = data
|
|
if res[3].to_i >= 0x8000 # ignore server response as a query
|
|
@failCount = 0
|
|
return true
|
|
end
|
|
if @rawpadding
|
|
@failCount = 0
|
|
return true
|
|
end
|
|
if check_response_construction(res)
|
|
@failCount = 0
|
|
return true
|
|
else
|
|
return false
|
|
end
|
|
end
|
|
end
|
|
|
|
def fix_variables
|
|
@fuzz_opcode = datastore['OPCODE'].blank? ? "QUERY,IQUERY,STATUS,UNASSIGNED,NOTIFY,UPDATE" : datastore['OPCODE']
|
|
@fuzz_class = datastore['CLASS'].blank? ? "IN,CH,HS,NONE,ANY" : datastore['CLASS']
|
|
fuzz_rr_queries = "A,NS,MD,MF,CNAME,SOA,MB,MG,MR,NULL,WKS,PTR," <<
|
|
"HINFO,MINFO,MX,TXT,RP,AFSDB,X25,ISDN,RT," <<
|
|
"NSAP,NSAP-PTR,SIG,KEY,PX,GPOS,AAAA,LOC,NXT," <<
|
|
"EID,NIMLOC,SRV,ATMA,NAPTR,KX,CERT,A6,DNAME," <<
|
|
"SINK,OPT,APL,DS,SSHFP,IPSECKEY,RRSIG,NSEC," <<
|
|
"DNSKEY,DHCID,NSEC3,NSEC3PARAM,HIP,NINFO,RKEY," <<
|
|
"TALINK,SPF,UINFO,UID,GID,UNSPEC,TKEY,TSIG," <<
|
|
"IXFR,AXFR,MAILA,MAILB,*,TA,DLV,RESERVED"
|
|
@fuzz_rr = datastore['RR'].blank? ? fuzz_rr_queries : datastore['RR']
|
|
end
|
|
|
|
def run_host(ip)
|
|
msg = "#{ip}:#{rhost} - DNS -"
|
|
begin
|
|
@lastdata = nil
|
|
@probablyVuln = nil
|
|
@startsize = datastore['STARTSIZE']
|
|
@stepsize = datastore['STEPSIZE']
|
|
@endsize = datastore['ENDSIZE']
|
|
@underlayerProtocol = datastore['METHOD']
|
|
@failCount = 0
|
|
@domain = datastore['DOMAIN']
|
|
@dnsfile = datastore['IMPORTENUM']
|
|
@rawpadding = datastore['RAWPADDING']
|
|
iter = datastore['ITERATIONS']
|
|
dnssec = datastore['DNSSEC']
|
|
errorhdr = datastore['ERRORHDR']
|
|
trailingnul = datastore['TRAILINGNUL']
|
|
|
|
fix_variables
|
|
|
|
if !dns_alive(@underlayerProtocol) then return false end
|
|
|
|
print_status("#{msg} Fuzzing DNS server, this may take a while.")
|
|
|
|
if @startsize < 12 && @startsize > 0
|
|
print_status("#{msg} STARTSIZE must be at least 12. STARTSIZE value has been modified.")
|
|
@startsize = 12
|
|
end
|
|
|
|
if @rawpadding
|
|
if @domain == nil
|
|
print_status("DNS Fuzzer: DOMAIN could be set for health check but not mandatory.")
|
|
end
|
|
nsopcode=@fuzz_opcode.split(",")
|
|
opcode = setup_opcode(nsopcode)
|
|
opcode.unpack("n*").each do |dnsOpcode|
|
|
1.upto(iter) do
|
|
while @startsize <= @endsize
|
|
data = random_payload(@startsize).to_s
|
|
data[2] = 0x0
|
|
data[3] = dnsOpcode
|
|
if !dns_send(data,@underlayerProtocol) then return false end
|
|
@lastdata = data
|
|
@startsize += @stepsize
|
|
end
|
|
@startsize = datastore['STARTSIZE']
|
|
end
|
|
end
|
|
return
|
|
end
|
|
|
|
if @dnsfile
|
|
if @domain == nil
|
|
print_error("DNS Fuzzer: Domain variable must be set.")
|
|
return
|
|
end
|
|
|
|
dnsenumdata = import_enum_data(@dnsfile)
|
|
nsreq = []
|
|
nsclass = []
|
|
nsentry = []
|
|
for req, value in dnsenumdata
|
|
nsreq << req[:rr]
|
|
nsclass << req[:class]
|
|
nsentry << req[:name]
|
|
end
|
|
nsopcode=@fuzz_opcode.split(",")
|
|
else
|
|
nsreq=@fuzz_rr.split(",")
|
|
nsopcode=@fuzz_opcode.split(",")
|
|
nsclass=@fuzz_class.split(",")
|
|
begin
|
|
classns = setup_nsclass(nsclass)
|
|
raise ArgumentError, "Invalid CLASS: #{nsclass.inspect}" unless classns
|
|
opcode = setup_opcode(nsopcode)
|
|
raise ArgumentError, "Invalid OPCODE: #{opcode.inspect}" unless nsopcode
|
|
reqns = setup_reqns(nsreq)
|
|
raise ArgumentError, "Invalid RR: #{nsreq.inspect}" unless nsreq
|
|
rescue ::Exception => e
|
|
print_error("DNS Fuzzer error, aborting: #{e}")
|
|
return
|
|
end
|
|
end
|
|
|
|
for question in nsreq
|
|
case question
|
|
when "RRSIG", "DNSKEY", "DS", "NSEC", "NSEC3", "NSEC3PARAM"
|
|
dnssec = true
|
|
end
|
|
end
|
|
|
|
if @dnsfile
|
|
classns = setup_nsclass(nsclass)
|
|
reqns = setup_reqns(nsreq)
|
|
opcode = setup_opcode(nsopcode)
|
|
opcode.unpack("n*").each do |dnsOpcode|
|
|
for i in 0..nsentry.length - 1
|
|
reqns = setup_reqns(nsreq[i])
|
|
classns = setup_nsclass(nsclass[i])
|
|
1.upto(iter) do
|
|
payload = ""
|
|
nsdomain = setup_fqdn(@domain,nsentry[i])
|
|
splitFQDN = nsdomain.split('.')
|
|
payload = splitFQDN.inject("") { |a,x| a + [x.length,x].pack("CA*") }
|
|
pkt = build_packet(dnsOpcode,dnssec,trailingnul,reqns,classns,payload)
|
|
pkt = corrupt_header(pkt,errorhdr) if errorhdr > 0
|
|
if @startsize == 0
|
|
if !dns_send(pkt,@underlayerProtocol) then return end
|
|
else
|
|
while @startsize <= @endsize
|
|
pkt = fuzz_padding(pkt, @startsize)
|
|
if !dns_send(pkt,@underlayerProtocol) then return end
|
|
@startsize += @stepsize
|
|
end
|
|
@startsize = datastore['STARTSIZE']
|
|
end
|
|
end
|
|
end
|
|
end
|
|
else
|
|
classns.unpack("n*").each do |dnsClass|
|
|
opcode.unpack("n*").each do |dnsOpcode|
|
|
reqns.unpack("n*").each do |dnsReq|
|
|
1.upto(iter) do
|
|
payload = ""
|
|
nsdomain = setup_fqdn(@domain,"")
|
|
splitFQDN = nsdomain.split('.')
|
|
payload = splitFQDN.inject("") { |a,x| a + [x.length,x].pack("CA*") }
|
|
pkt = build_packet(dnsOpcode,dnssec,trailingnul,dnsReq,dnsClass,payload)
|
|
pkt = corrupt_header(pkt,errorhdr) if errorhdr > 0
|
|
if @startsize == 0
|
|
if !dns_send(pkt,@underlayerProtocol) then return end # If then return end?
|
|
else
|
|
while @startsize <= @endsize
|
|
pkt = fuzz_padding(pkt, @startsize)
|
|
if !dns_send(pkt,@underlayerProtocol) then return end
|
|
@startsize += @stepsize
|
|
end
|
|
@startsize = datastore['STARTSIZE']
|
|
end
|
|
end
|
|
end
|
|
end
|
|
end
|
|
end
|
|
end
|
|
end
|
|
end
|