
Dailydave mailing list archives
Re: DNS and other fun.
From: marc_bevand () rapid7 com
Date: Tue, 29 Jul 2008 17:10:36 -0700
dailydave-bounces () lists immunitysec com wrote on 07/29/2008 01:59:51 PM:
> If you're mucking with Marc Bevand's exploit in order to do some speed comparisons you may want to fix this line (sizeof(buf) is 4 since buf is a pointer, of course):
>
>     dns_response(buf + IP_HDR_LEN + UDP_HDR_LEN,
>                  (unsigned)(IP_LEN_MAX - (IP_HDR_LEN + UDP_HDR_LEN)),   <-- fixed.
Correct. BTW the same bug exists in build_query().
> I'm not sure how having tcpreplay helps since all your packets are different (via TXID incrementing, which of course means you have to do your UDP checksum over). Is packet-loss the big problem you're seeing?
The Python exploit worked just fine; it was just slow... So slow at sending spoofed replies it couldn't possibly cause packet loss. Although I have never used tcpreplay, I assume it would help because what is slow is not building/checksumming the packets but actually sending them, and to send them tcpreplay probably issues a simple series of consecutive sendto() calls without all the overhead imposed by scapy.
> Importing psyco should make your Python code faster as well, although still REALLY slow compared to C (so far in my testing). People say that the public exploits don't work with Bind9 (even unpatched). Go Vixie and Co! :>
I have had success exploiting BIND 9.3.4 and 9.5.0 in my lab. In my experience the 2 most likely causes of exploit failures are:

o Domains with many authoritative servers are a bit harder to poison: try poisoning example.com (2) before yahoo.com (7). My exploit requires the attacker to predict which one is going to be used. The metasploit module spoofs replies from all of the authoritative servers, but this reduces the number of TXIDs it can brute-force per DNS request.

o When the NS record is poisoned, the victim caching resolver will start to use it, but if it is unresponsive (e.g. was poisoned with a dummy IP), the resolver will quickly re-fetch the legitimate NS records. The attacker might not even notice the poisoning was successful for a short period of time.

-marc

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
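Two points in this thread are worth seeing in working code: the sizeof(buf) pitfall Dave flagged (a buffer passed as a pointer parameter loses its size, so sizeof yields the pointer width and the length arithmetic is silently wrong), and his remark that any change to a UDP datagram forces the UDP checksum to be recomputed. The block below is an added illustration, not code from Marc Bevand's exploit, the Metasploit module or any BIND source; the constant names IP_LEN_MAX, IP_HDR_LEN and UDP_HDR_LEN are taken from the quoted line, their values are assumed for IPv4/UDP without options, the addresses and the 12-byte payload are constructed, and every function name (payload_room_buggy, payload_room_fixed, udp_checksum, udp_checksum_ok, build_datagram, tamper_breaks_checksum) is hypothetical. The checksum routine is the standard RFC 768 pseudo-header computation as a receiver or an IDS would verify it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Names from the thread; values assumed for IPv4 and UDP without options. */
#define IP_LEN_MAX      65535
#define IP_HDR_LEN      20
#define UDP_HDR_LEN     8
#define IPPROTO_UDP_NUM 17

/* Constructed addresses from the RFC 5737 documentation range. */
static const uint8_t SRC_IP[4] = {192, 0, 2, 1};
static const uint8_t DST_IP[4] = {192, 0, 2, 53};

/* The pitfall: buf is a pointer parameter, so sizeof(buf) is the pointer width
 * (4 on the 32-bit build in the thread, 8 on 64-bit), never the buffer size. */
size_t payload_room_buggy(unsigned char *buf) {
    (void)buf;
    return sizeof(buf);
}

/* Fix: the caller passes the real buffer length, and the helper refuses to
 * underflow when the buffer cannot even hold the IP and UDP headers. */
size_t payload_room_fixed(size_t buf_len) {
    if (buf_len < IP_HDR_LEN + UDP_HDR_LEN)
        return 0;
    return buf_len - (IP_HDR_LEN + UDP_HDR_LEN);
}

/* One's-complement accumulation of big-endian 16-bit words (RFC 1071). */
static uint32_t ones_sum(uint32_t sum, const uint8_t *p, size_t len) {
    while (len > 1) {
        sum += ((uint32_t)p[0] << 8) | p[1];
        p += 2;
        len -= 2;
    }
    if (len)                          /* odd trailing byte is padded with zero */
        sum += (uint32_t)p[0] << 8;
    return sum;
}

/* Fold carries and complement; a result of 0 means the words summed to 0xffff. */
static uint16_t fold(uint32_t sum) {
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* RFC 768 pseudo-header: src, dst, zero, protocol, UDP length. sizeof ph is
 * correct here because ph is a local array, not a pointer parameter. */
static uint32_t pseudo_sum(const uint8_t src[4], const uint8_t dst[4], size_t udp_len) {
    uint8_t ph[12];
    memcpy(ph, src, 4);
    memcpy(ph + 4, dst, 4);
    ph[8] = 0;
    ph[9] = IPPROTO_UDP_NUM;
    ph[10] = (uint8_t)(udp_len >> 8);
    ph[11] = (uint8_t)udp_len;
    return ones_sum(0, ph, sizeof ph);
}

/* Checksum of a UDP datagram (header + payload, len bytes) with the checksum
 * field (bytes 6-7) treated as zero. */
uint16_t udp_checksum(const uint8_t src[4], const uint8_t dst[4], const uint8_t *udp, size_t len) {
    if (len < UDP_HDR_LEN)
        return 0;
    uint32_t sum = pseudo_sum(src, dst, len);
    sum = ones_sum(sum, udp, 6);                  /* ports and length */
    sum = ones_sum(sum, udp + 8, len - 8);        /* payload, skipping bytes 6-7 */
    uint16_t c = fold(sum);
    return c == 0 ? 0xffff : c;                   /* a computed 0 is sent as all ones */
}

/* Verify as a receiver or IDS would: sum everything, stored field included. */
int udp_checksum_ok(const uint8_t src[4], const uint8_t dst[4], const uint8_t *udp, size_t len) {
    if (len < UDP_HDR_LEN)
        return 0;
    if (udp[6] == 0 && udp[7] == 0)
        return 1;                                 /* IPv4 permits an absent checksum */
    uint32_t sum = pseudo_sum(src, dst, len);
    sum = ones_sum(sum, udp, len);
    return fold(sum) == 0;
}

/* Constructed datagram: UDP header plus a 12-byte stand-in for a DNS header. */
size_t build_datagram(uint8_t *buf, size_t buf_len) {
    static const uint8_t payload[12] = {0x12, 0x34, 0x81, 0x80, 0, 0, 0, 0, 0, 0, 0, 0};
    size_t len = UDP_HDR_LEN + sizeof payload;
    if (buf_len < len)
        return 0;
    buf[0] = 0x00; buf[1] = 0x35;                 /* source port 53 */
    buf[2] = 0xc0; buf[3] = 0x01;                 /* destination port 49153 */
    buf[4] = (uint8_t)(len >> 8); buf[5] = (uint8_t)len;
    buf[6] = 0; buf[7] = 0;
    memcpy(buf + UDP_HDR_LEN, payload, sizeof payload);
    uint16_t c = udp_checksum(SRC_IP, DST_IP, buf, len);
    buf[6] = (uint8_t)(c >> 8);
    buf[7] = (uint8_t)c;
    return len;
}

/* Returns 1 when the fresh datagram verifies and a one-byte edit of the
 * payload, made without recomputing the checksum, makes verification fail. */
int tamper_breaks_checksum(void) {
    uint8_t pkt[64];
    size_t n = build_datagram(pkt, sizeof pkt);
    if (n == 0 || !udp_checksum_ok(SRC_IP, DST_IP, pkt, n))
        return 0;
    pkt[UDP_HDR_LEN] ^= 0x01;
    return !udp_checksum_ok(SRC_IP, DST_IP, pkt, n);
}

int main(void) {
    printf("sizeof(buf) seen by the callee: %zu; room from the real length: %zu\n",
           payload_room_buggy(NULL), payload_room_fixed(IP_LEN_MAX));
    printf("editing the payload without recomputing breaks the checksum: %s\n",
           tamper_breaks_checksum() ? "yes" : "no");
    return 0;
}
```

payload_room_fixed takes the length as a separate argument because that is the only thing that survives the pointer decay; the same pattern (pointer plus explicit length, with an underflow guard) is what the quoted fix to dns_response() amounts to. udp_checksum_ok is the receiver-side check: a resolver's kernel drops a datagram whose stored checksum no longer matches the words it covers, which is why a packet generator that edits any header or payload field after checksumming has to redo the RFC 768 computation.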