BIND9\u88ab\u516c\u5f00\u79f0\u4e3a\u53ef\u53d7\u5230DoS\u653b\u51fb\u7684\u6f0f\u6d1e
\n– http:\/\/jprs.jp\/tech\/security\/2015-07-08-bind9-vuln-dnssec-validation.html<\/p>\n
\u7531\u4e8e\u4e25\u91cd\u6027\u88ab\u6807\u8bb0\u4e3a\u201c\u4e25\u91cd\u201d\uff0c\u6240\u4ee5\u6211\u51b3\u5b9a\u81ea\u5df1\u9a8c\u8bc1\u4e00\u4e0b\u3002
\n\u867d\u7136PoC\u672c\u8eab\u5199\u5f97\u6709\u4e9b\u65e9\uff0c\u5bfc\u81f4\u6587\u7ae0\u63a8\u8fdf\u53d1\u5e03\uff0c\u4f46\u6b63\u597d\u5728\u8fd9\u671f\u95f4\u51fa\u73b0\u4e86\u4e00\u7bc7\u6613\u61c2\u7684\u6587\u7ae0\uff0c\u56e0\u6b64\u6211\u4f1a\u8ba9\u90a3\u7bc7\u6587\u7ae0\u89e3\u91ca\u539f\u7406\uff0c\u800c\u672c\u6587\u5219\u4f1a\u89e3\u91ca\u9a8c\u8bc1\u7684\u65b9\u6cd5\u3002
\n\u6211\u77e5\u9053\u662f\u5426\u516c\u5f00PoC\u4e5f\u6709\u4e89\u8bae\uff0c\u4f46\u56e0\u4e3a\u5df2\u7ecf\u5728\u8f83\u957f\u65f6\u95f4\u524d\u516c\u5f00\u8fc7\uff0c\u6240\u4ee5\u6211\u8ba4\u4e3a\u6ca1\u6709\u95ee\u9898\u3002<\/p>\n
<\/p>\n
<\/p>\n
9.10.1-P1<\/p>\n
\u30db\u30b9\u30c8OS<\/p>\n
Mac OSX 10.10.4<\/p>\n
\u30b2\u30b9\u30c8OS<\/p>\n
CentOS 6.5<\/p>\n
Scapy<\/p>\n
2.3.1<\/p>\n
$<\/span> vagrant box add centos65-x86_64 https:\/\/github.com\/2creatives\/vagrant-centos\/releases\/download\/v6.5.3\/centos65-x86_64-20140116.box\r\n$<\/span> mkdir <\/span>CVE-2015-5477\r\n$<\/span> cd <\/span>CVE-2015-5477\r\n$<\/span> vagrant init centos65-x86_64\r\n$<\/span> vagrant up \r\n$<\/span> vagrant ssh\r\n<\/code><\/pre>\n\u5b89\u88c5\u5fc5\u8981\u7684\u4e1c\u897f\u6211\u4f1a\u5148\u5b89\u88c5\u4e00\u4e9b\u5fc5\u8981\u7684\u7269\u54c1\u548c\u6709\u7528\u7684\u4e1c\u897f\u3002<\/p>\n[vagrant@vagrant-centos65 ~]$<\/span> sudo <\/span>su\r\n[root@vagrant-centos65 vagrant]#<\/span> cd<\/span>\r\n[root@vagrant-centos65 ~]#<\/span> yum -y<\/span> install <\/span>openssl-devel perl-Net-DNS\r\n[root@vagrant-centos65 ~]#<\/span> yum -y<\/span> install <\/span>wget bind-utils vim\r\n<\/code><\/pre>\n\u4ece\u6e90\u6587\u4ef6\u5b89\u88c5 BIND\u7531\u4e8eVM\u73af\u5883\u5df2\u7ecf\u6784\u5efa\u5b8c\u6210\uff0c\u73b0\u5728\u6211\u4eec\u5c06\u4ece\u6e90\u6587\u4ef6\u5f00\u59cb\u5b89\u88c5BIND\u3002<\/p>\n\u4e0b\u8f7d\u6e90\u4ee3\u7801\u6587\u4ef6<\/p>\n[root@vagrant-centos65 ~]#<\/span> cd<\/span> \/usr\/local\/src\r\n[root@vagrant-centos65 src]#<\/span> wget ftp:\/\/ftp.isc.org\/isc\/bind9\/9.10.1-P1\/bind-9.10.1-P1.tar.gz\r\n<\/code><\/pre>\n\u5c06\u6e90\u6587\u4ef6\u89e3\u538b\u7f29<\/p>\n[root@vagrant-centos65 src]#<\/span> tar <\/span>zxvf bind-9.10.1-P1.tar.gz\r\n[root@vagrant-centos65 src]#<\/span> cd <\/span>bind-9.10.1-P1\r\n<\/code><\/pre>\n\u5b89\u88c5<\/p>\n[root@vagrant-centos65 bind-9.10.1-P1]#<\/span> .\/configure --prefix<\/span>=<\/span>\/var\/named\/chroot --enable-threads<\/span> --with-openssl<\/span>=<\/span>yes<\/span> --enable-openssl-version-check<\/span> --enable-ipv6<\/span>\r\n[root@vagrant-centos65 bind-9.10.1-P1]#<\/span> chown<\/span> -R<\/span> root:root \/usr\/local\/src\/bind-9.10.1-P1\r\n[root@vagrant-centos65 bind-9.10.1-P1]#<\/span> make\r\n[root@vagrant-centos65 bind-9.10.1-P1]#<\/span> make install<\/span>\r\n<\/code><\/pre>\n\u786e\u8ba4\u6211\u4eec\u6700\u540e\u4f1a\u786e\u8ba4\u5b89\u88c5\u662f\u5426\u6210\u529f\u3002<\/p>\n[root@vagrant-centos65 bind-9.10.1-P1]# \/var\/named\/chroot\/sbin\/named -v\r\nBIND 9.10.1-P1\r\n<\/code><\/pre>\n\u53ea\u8981\u663e\u793a\u4e86BIND\u7684\u7248\u672c\uff0c\u5c31\u8bf4\u660e\u5df2\u7ecf\u5b89\u88c5\u6210\u529f\u4e86\u3002<\/p>\n
BIND\u7684\u914d\u7f6e\u73b0\u5728\u6211\u4eec\u8981\u8fdb\u884cBIND\u7684\u8bbe\u7f6e\u3002<\/p>\n\u521b\u5efa\u7528\u6237\u7ec4\u521b\u5efabind\u7528\u6237\u548c\u7ec4\u3002<\/p>\n[root@vagrant-centos65 bind-9.10.1-P1]# groupadd -g 25 bind\r\n[root@vagrant-centos65 bind-9.10.1-P1]# useradd -u 25 -g bind -d \/var\/named -c \"DNS BIND Named User\" -s \/sbin\/nologin bind\r\nuseradd: warning: the home directory already exists.\r\nNot copying any file from skel directory into it.\r\n<\/code><\/pre>\n\u521b\u5efa\u8bbe\u5907\u6587\u4ef6<\/p>\n[root@vagrant-centos65 bind-9.10.1-P1]#<\/span> mkdir<\/span> \/var\/named\/chroot\/dev\r\n[root@vagrant-centos65 bind-9.10.1-P1]#<\/span> mknod<\/span> -m<\/span> 666 \/var\/named\/chroot\/dev\/null c 1 3\r\n[root@vagrant-centos65 bind-9.10.1-P1]#<\/span> mknod<\/span> -m<\/span> 666 \/var\/named\/chroot\/dev\/random c 1 8\r\n<\/code><\/pre>\n\u521b\u5efarndc\u5bc6\u94a5<\/p>\n[root@vagrant-centos65 bind-9.10.1-P1]#<\/span> \/var\/named\/chroot\/sbin\/rndc-confgen -a<\/span>\r\nwrote key file \"\/var\/named\/chroot\/etc\/rndc.key\"\r\n<\/span><\/code><\/pre>\n\u521b\u5efa\u7528\u4e8e\u5b58\u50a8\u6570\u636e\u7684\u76ee\u5f55\u3002<\/p>\n[root@vagrant-centos65 bind-9.10.1-P1]#<\/span> mkdir<\/span> \/var\/named\/chroot\/data\r\n[root@vagrant-centos65 bind-9.10.1-P1]#<\/span> mkdir<\/span> \/var\/named\/chroot\/var\/log\r\n<\/code><\/pre>\n\u521b\u5efanamed.conf\u6587\u4ef6
\n\u6211\u8ba1\u5212\u4ee5\u7f13\u5b58\u670d\u52a1\u5668\u4e3a\u76ee\u6807\u8fdb\u884c\u9a8c\u8bc1\uff0c\u56e0\u4e3a\u5728\u8fd9\u6b21\u6f0f\u6d1e\u4e2d\uff0c\u5185\u5bb9\u670d\u52a1\u5668\u548c\u7f13\u5b58\u670d\u52a1\u5668\u90fd\u4f1a\u53d7\u5230\u5f71\u54cd\u3002\u63a5\u4e0b\u6765\u5c06\u521b\u5efa\u4ee5\u4e0b\u914d\u7f6e\u6587\u4ef6\u3002\u6211\u53ea\u4f1a\u5199\u5165\u771f\u6b63\u5fc5\u8981\u7684\u6700\u57fa\u672c\u7684\u5185\u5bb9\u3002<\/p>\n[root@vagrant-centos65 bind-9.10.1-P1]#<\/span> vi \/var\/named\/chroot\/etc\/named.conf\r\n\r\nControls {\r\n<\/span> inet 127.0.0.1 allow { localhost;<\/span> }<\/span> keys {<\/span> rndc-key;<\/span> }<\/span>;<\/span>\r\n};<\/span>\r\n\r\ninclude \"\/etc\/rndc.key\";<\/span>\r\n\r\nacl \"internal-network\" {\r\n<\/span> localhost;<\/span>\r\n 127.0.0.1\/32;<\/span>\r\n 192.168.0.0\/16;<\/span>\r\n};<\/span>\r\n\r\noptions {\r\n<\/span> version \"unknown\";<\/span>\r\n hostname \"ns1.test.example.com\";<\/span>\r\n\r\n directory \"\/var\";<\/span>\r\n dump-file \"\/data\/cache_dump.db\";<\/span>\r\n statistics-file \"\/data\/named_status.dat\";<\/span>\r\n pid-file \"\/var\/run\/named\/named.pid\";<\/span>\r\n\r\n listen-on port 53 {\r\n<\/span> internal-network;<\/span>\r\n };<\/span>\r\n\r\n allow-query { internal-network;<\/span> }<\/span>;<\/span>\r\n\r\n recursion yes;<\/span>\r\n allow-recursion { internal-network;<\/span> }<\/span>;<\/span>\r\n\r\n notify yes;<\/span>\r\n max-transfer-time-in 60;<\/span>\r\n transfer-format many-answers;<\/span>\r\n transfers-in 10;<\/span>\r\n transfers-per-ns 2;<\/span>\r\n allow-transfer { none;<\/span> }<\/span>;<\/span>\r\n\r\n allow-update { none;<\/span> }<\/span>;<\/span>\r\n};<\/span>\r\n<\/code><\/pre>\n\u521b\u5efa\u7b26\u53f7\u94fe\u63a5<\/p>\n[root@vagrant-centos65 bind-9.10.1-P1]#<\/span> ln<\/span> -s<\/span> \/var\/named\/chroot\/etc\/rndc.key \/etc\/rndc.key\r\n[root@vagrant-centos65 bind-9.10.1-P1]#<\/span> ln<\/span> -s<\/span> \/var\/named\/chroot\/etc\/named.conf \/etc\/named.conf\r\n<\/code><\/pre>\n\u521b\u5efa\u540d\u4e3a “named” \u7684\u6587\u4ef6<\/p>\n[root@vagrant-centos65 bind-9.10.1-P1]#<\/span> vi \/etc\/sysconfig\/named\r\nROOTDIR=\/var\/named\/chroot\r\nOPTIONS=-4\r\n<\/span><\/code><\/pre>\n\u5f00\u59cbBIND\u7531\u4e8e\u5df2\u7ecf\u5b8c\u6210BIND\u7684\u5b89\u88c5\uff0c\u73b0\u5728\u5c06\u542f\u52a8\u5b83\u3002<\/p>\n[root@vagrant-centos65 bind-9.10.1-P1]#<\/span> \/usr\/local\/sbin\/named-checkconf \/var\/named\/chroot\/etc\/named.conf\r\n[root@vagrant-centos65 bind-9.10.1-P1]#<\/span> chown<\/span> -R<\/span> bind<\/span>:bind \/var\/named\r\n[root@vagrant-centos65 bind-9.10.1-P1]#<\/span> \/var\/named\/chroot\/sbin\/named -u<\/span> bind<\/span> -t<\/span> \/var\/named\/chroot -c<\/span> \/etc\/named.conf\r\n[root@vagrant-centos65 vagrant]#<\/span> ps awux | grep<\/span> -v<\/span> grep<\/span> | grep bind<\/span>\r\nrpc 1062 0.0 0.1 18976 892 ? Ss 14:10 0:00 rpcbind\r\nbind 2345 1.0 2.2 141164 13428 ? Ssl 14:35 0:00 \/var\/named\/chroot\/sbin\/named -u bind -t \/var\/named\/chroot -c \/etc\/named.conf\r\n<\/span><\/code><\/pre>\n\u5982\u679c\u50cf\u4e0a\u9762\u6240\u8ff0\u7684\u90a3\u6837\u542f\u52a8\u4e86named\uff0c\u5c31\u8868\u793a\u6210\u529f\u3002
\n\u5982\u679c\u6ca1\u6709\u542f\u52a8\uff0c\u8bf7\u786e\u8ba4\u662f\u5426\u6ca1\u6709\u51fa\u73b0\u9519\u8bef\u3002<\/p>\n
[root@vagrant-centos65 bind-9.10.1-P1]#<\/span> less \/var\/log\/messages\r\n[root@vagrant-centos65 bind-9.10.1-P1]#<\/span> less \/var\/named\/chroot\/var\/log\/alert.log\r\n[root@vagrant-centos65 bind-9.10.1-P1]#<\/span> less \/var\/named\/chroot\/var\/log\/named.log\r\n<\/code><\/pre>\n\u8106\u5f31\u6027\u9a8c\u8bc1 (cui ruo xing yan zheng)\u7531\u65bcBIND\u7684\u5b89\u88dd\u7d42\u65bc\u5b8c\u6210\uff0c\u6211\u5011\u5c07\u9032\u884c\u5f31\u9ede\u9a57\u8b49\u3002
\n\u5728\u9019\u500b\u5f31\u9ede\u4e2d\uff0c\u900f\u904e\u63d0\u51fa\u4ee5\u4e0b\u689d\u4ef6\u7684DNS\u67e5\u8a62\uff0c\u4f3c\u4e4e\u53ef\u4ee5\u9032\u884c\u62d2\u7d55\u670d\u52d9\u653b\u64ca\u3002<\/p>\n\n- \n
\u30af\u30a8\u30ea\u30ec\u30b3\u30fc\u30c9\u306e\u30bb\u30af\u30b7\u30e7\u30f3\u306eType\u306bTKEY\u3092\u6307\u5b9a\u3059\u308b<\/ul>\n<\/li>\n<\/ul>\n <\/p>\n
\u8ffd\u52a0\u30ec\u30b3\u30fc\u30c9\u306e\u30bb\u30af\u30b7\u30e7\u30f3\u306f\u3001\u30af\u30a8\u30ea\u30ec\u30b3\u30fc\u30c9\u3068\u540c\u3058\u540d\u524d\u3092\u6301\u3064\u30ec\u30b3\u30fc\u30c9\u3092\u6307\u5b9a\u3059\u308b\uff08\u305f\u3060\u3057\u3001TKEY\u4ee5\u5916\uff09<\/ul>\n\u56e0\u6b64\uff0c\u672c\u6b21\u6211\u5011\u6253\u7b97\u4f7f\u7528Python\u7684\u5eabScapy\u4f86\u751f\u6210\u6eff\u8db3\u4e0a\u8ff0\u689d\u4ef6\u7684\u5c01\u5305\u3002<\/p>\n
\u66f4\u6539\u6865\u63a5\u8fde\u63a5
\n\u8fd9\u6b21\u6211\u4eec\u5c06\u4ece\u4e3b\u673a\u64cd\u4f5c\u7cfb\u7edf\u5411\u865a\u62df\u673a\u64cd\u4f5c\u7cfb\u7edf\u6295\u63b7\u653b\u51fb\u6570\u636e\u5305\u8fdb\u884c\u9a8c\u8bc1\u3002
\n\u7531\u4e8e\u4f7f\u7528NAT\u4f1a\u5f88\u9ebb\u70e6\uff0c\u6240\u4ee5\u6211\u4eec\u5c06\u7f16\u8f91Vagrantfile\u5e76\u5207\u6362\u5230\u6865\u63a5\u6a21\u5f0f\u8fde\u63a5\u3002<\/p>\n$<\/span> vim Vagrantfile\r\n#<\/span>\u4ee5\u4e0b\u306e\u884c\u3092\u30b3\u30e1\u30f3\u30c8\u30a4\u30f3\u3059\u308b\r\nconfig.vm.network \"public_network\"\r\n<\/span><\/code><\/pre>\n\u7531\u4e8e\u66f4\u6539\u4e86Vagrantfile\uff0c\u56e0\u6b64\u9700\u8981\u91cd\u65b0\u542f\u52a8\u3002<\/p>\n
$<\/span> vagrant reload\r\n==><\/span> default: Attempting graceful shutdown of VM...\r\n==><\/span> default: Clearing any previously set <\/span>forwarded ports...\r\n==><\/span> default: Fixed port collision for <\/span>22 =><\/span> 2222. Now on port 2200.\r\n==><\/span> default: Clearing any previously set <\/span>network interfaces...\r\n==><\/span> default: Available bridged network interfaces:\r\n1) en0: Wi-Fi (AirPort)\r\n2) en1: Thunderbolt 1\r\n3) en2: Thunderbolt 2\r\n4) bridge0\r\n5) p2p0\r\n6) awdl0\r\n<\/span>==><\/span> default: When choosing an interface, it is usually the one that is\r\n==><\/span> default: being used to connect to the internet.\r\n default: Which interface should the network bridge to? 1\r\n\uff08\u4ee5\u4e0b\u7565\uff09\r\n<\/span><\/code><\/pre>\n\u7531\u4e8e\u9700\u8981\u6307\u5b9a\u8981\u8fde\u63a5\u7684\u63a5\u53e3\uff0c\u6240\u4ee5\u4f1a\u95ee\u4f60\u8981\u8fde\u63a5\u5230\u54ea\u4e2a\u63a5\u53e3\uff08\u8fd9\u6b21\u6211\u60f3\u6307\u5b9aen0\u63a5\u53e3\uff0c\u6240\u4ee5\u9009\u62e91\uff09\u3002<\/p>\n
\u5b89\u88c5Scapy\u7531\u4e8e\u4e3b\u673a\u64cd\u4f5c\u7cfb\u7edf\u662fMac\uff0c\u56e0\u6b64\u4ee5\u540e\u7684\u64cd\u4f5c\u5c06\u5728Mac\u7684\u7ec8\u7aef\u4e0a\u8fdb\u884c\u3002
\nScapy\u7684\u5b89\u88c5\u65b9\u6cd5\u53ef\u4ee5\u901a\u8fc7\u641c\u7d22\u5f97\u5230\uff0c\u4f46\u662f\u6211\u5c1d\u8bd5\u4e86\u4e00\u4e0b\u6ca1\u6709\u6210\u529f\uff0c\u6240\u4ee5\u6211\u6309\u7167\u4ee5\u4e0b\u6b65\u9aa4\u8fdb\u884c\u4e86\u5b89\u88c5\u3002<\/p>\n$ pip install dnet\r\n$ pip install http:\/\/ncu.dl.sourceforge.net\/project\/pylibpcap\/pylibpcap\/0.6.4\/pylibpcap-0.6.4.tar.gz\r\n$ pip install scapy\r\n<\/code><\/pre>\n\u6211\u4ee5\u4e3a\u53ea\u9700\u4f7f\u7528Scapy\u5c31\u80fd\u5b89\u88c5\uff0c\u4f46\u662f\u7531\u4e8e\u7f3a\u5c11dnet\u7b49\u6587\u4ef6\uff0c\u65e0\u6cd5\u987a\u5229\u4f7f\u7528\uff0c\u6240\u4ee5\u6211\u8fdb\u884c\u4e86\u5b89\u88c5\u3002<\/p>\n
\u521b\u5efa\u6570\u636e\u5305\u5728Scapy\u4e2d\uff0c\u63d0\u4f9b\u4e86\u7528\u4e8e\u521b\u5efaDNS\u6570\u636e\u5305\u7684\u7c7b\u3002
\n\u6b64\u5916\uff0c\u8fd8\u63d0\u4f9b\u4e86\u7528\u4e8e\u521b\u5efa\u67e5\u8be2\u8bb0\u5f55\uff08Query Record\uff09\u90e8\u5206\u548c\u9644\u52a0\u8bb0\u5f55\uff08Additional Record\uff09\u90e8\u5206\u7684\u7c7b\uff0c\u56e0\u6b64\u53ef\u4ee5\u65b9\u4fbf\u5730\u751f\u6210\u653b\u51fb\u6570\u636e\u5305\u3002
\n\u672c\u6b21\u6211\u4eec\u5c06\u751f\u6210\u5982\u4e0b\u6240\u793a\u7684DNS\u6570\u636e\u5305\u3002<\/p>\n\n- \n
\u30af\u30a8\u30ea\u30ec\u30b3\u30fc\u30c9<\/ul>\n<\/li>\n<\/ul>\nName : example.com
\nType : TKEY(249)<\/p>\n
\u8ffd\u52a0\u30ec\u30b3\u30fc\u30c9<\/p>\n
Name : example.com
\nType : TXT(16)<\/p>\n
\u901a\u8fc7\u8fd9\u6837\u505a\uff0c\u53ef\u4ee5\u6ee1\u8db3\u6700\u521d\u6240\u8ff0\u7684\u653b\u51fb\u6570\u636e\u5305\u7684\u6761\u4ef6\u3002
\n\u7136\u800c\uff0c\u7531\u4e8eScapy\u65e0\u6cd5\u6307\u5b9aTKEY\uff0c\u6240\u4ee5\u76f4\u63a5\u4f7f\u7528\u6570\u5b57\u8fdb\u884c\u4e86\u6307\u5b9a\u3002
\n\u5b9e\u9645\u7684\u4ee3\u7801\u5982\u4e0b\u6240\u793a\u3002<\/p>\n
#!\/usr\/bin\/python\r\n#coding:utf-8\r\n<\/span>\r\nimport<\/span> sys<\/span>\r\nfrom<\/span> scapy.all<\/span> import<\/span> *<\/span>\r\n\r\npkt<\/span> =<\/span> IP<\/span>(<\/span>dst<\/span>=<\/span>sys<\/span>.<\/span>argv<\/span>[<\/span>1<\/span>])<\/span> \/<\/span> UDP<\/span>(<\/span>dport<\/span>=<\/span>53<\/span>)<\/span> \/<\/span> DNS<\/span>(<\/span>qd<\/span>=<\/span>DNSQR<\/span>(<\/span>