New tool simplifies DNS exploitation further
DNS Multiple Race Exploiter simplifies exploitation of the latest DNS vulnerability and even attempts to poison patched servers. According to the author:
Patched DNS servers randomize the UDP source port number; however, that will not eliminate the flaw, it will only increase the time required to poison the cache. Poisoning unpatched systems would take a period of seconds, whereas poisoning patched systems would take a period of hours.
Unlike the previously released tools, which work on poisoning uncached “NS” and “A” records, this tool can overwrite any A record by using a CNAME response.
The tool uses a static TTL of 0x7BEDABED in all spoofed replies, which should be sufficient to create an IDS/IPS signature to protect against the script kiddies out there.
cname_rr = (struct cname_RR *) (payload + sizeof(struct dns_hdr) + hostname->size + sizeof(struct query_RR));
cname_rr->name = htons(0xC00C);      /* compression pointer to the question name at offset 12 */
cname_rr->type = htons(0x0005);      /* CNAME */
cname_rr->clss = htons(0x0001);      /* IN */
cname_rr->ttl = htonl(0x7BEDABED);   /* static TTL present in every spoofed reply; the IDS signature */
cname_rr->length = htons(entryname->size);
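The post points out that the fixed TTL 0x7BEDABED is the obvious thing for an IDS/IPS to key on. The following is an added example of that check written from the detection side; it is not code from the tool or its author. It parses a DNS response (header, question section with name compression, answer/authority/additional RRs) and reports every resource record whose TTL equals the signature value. The sample packet it runs against is constructed inline for the test and is not a capture; the names "www.example.com", "cname-target.example" and the transaction id 0x1234 are arbitrary test values.

```python
import struct

# TTL the post says the tool writes into every spoofed reply (the IDS signature).
SUSPICIOUS_TTL = 0x7BEDABED

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME"}


def read_name(pkt: bytes, offset: int):
    """Decode a DNS name at offset, following RFC 1035 compression pointers.
    Returns (dotted name, offset just past the name in the un-jumped stream)."""
    labels = []
    end = None          # set when the first pointer is met; else after the root label
    jumps = 0
    while True:
        if offset >= len(pkt):
            raise ValueError("truncated name")
        length = pkt[offset]
        if length & 0xC0 == 0xC0:            # 2-byte compression pointer
            if end is None:
                end = offset + 2
            jumps += 1
            if jumps > 16:
                raise ValueError("compression pointer loop")
            offset = struct.unpack_from("!H", pkt, offset)[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:                      # root label terminates the name
            break
        labels.append(pkt[offset:offset + length].decode("ascii", "replace"))
        offset += length
    if end is None:
        end = offset
    return ".".join(labels) or ".", end


def parse_rrs(pkt: bytes, offset: int, count: int):
    """Parse `count` resource records starting at offset; return (records, new offset)."""
    rrs = []
    for _ in range(count):
        name, offset = read_name(pkt, offset)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", pkt, offset)
        offset += 10
        if offset + rdlen > len(pkt):
            raise ValueError("truncated rdata")
        rrs.append({"name": name, "type": rtype, "class": rclass, "ttl": ttl})
        offset += rdlen
    return rrs, offset


def find_signature_hits(pkt: bytes):
    """Return [(section, owner name, type name, ttl)] for every RR carrying SUSPICIOUS_TTL."""
    _txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", pkt, 0)
    if not flags & 0x8000:                   # QR bit clear: a query, nothing to inspect
        return []
    offset = 12
    for _ in range(qd):                      # skip the question section
        _, offset = read_name(pkt, offset)
        offset += 4                          # QTYPE + QCLASS
    hits = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs, offset = parse_rrs(pkt, offset, count)
        for rr in rrs:
            if rr["ttl"] == SUSPICIOUS_TTL:
                hits.append((section, rr["name"],
                             TYPE_NAMES.get(rr["type"], str(rr["type"])), rr["ttl"]))
    return hits


def encode_name(name: str) -> bytes:
    """Wire-encode a dotted name as length-prefixed labels plus the root label."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    return out + b"\x00"


def build_sample_response(cname_ttl: int) -> bytes:
    """Constructed test packet (not a capture): a response to 'www.example.com A?' whose
    first answer is a CNAME with owner compressed to the question name (pointer 0xC00C),
    followed by an A record for the CNAME target with an ordinary TTL."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    question = encode_name("www.example.com") + struct.pack("!HH", 1, 1)
    target = encode_name("cname-target.example")
    cname = struct.pack("!HHHIH", 0xC00C, 5, 1, cname_ttl, len(target)) + target
    target_off = len(header) + len(question) + 12   # where the target name sits
    a_rr = struct.pack("!HHHIH", 0xC000 | target_off, 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    return header + question + cname + a_rr


if __name__ == "__main__":
    print(find_signature_hits(build_sample_response(SUSPICIOUS_TTL)))
    print(find_signature_hits(build_sample_response(300)))
```

The check walks all three RR sections rather than only the answers, since a spoofed reply can carry the poisoning record in the authority or additional section just as well. A signature on one TTL constant is trivially evaded by changing the constant, so treat it as a quick win for the tool as released, not as a substitute for source-port randomization, 0x20 encoding or DNSSEC.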

October 16, 2008 1:00 pm
I tried to change this value
cname_rr->ttl = htonl(0x7BEDABED);
many times,
but it does not work.
I tried on old BIND?
Any idea?