/*
 * ping-module for bscan.
 * IDEA: add record-route and source-route feature
 *       and -p pattern [where can we save our time-struct then ?
 */

#include <bscan/bscan.h>
#include <bscan/module.h>
#include <bscan/system.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>


#ifndef MOD_NAME
#define MOD_NAME	"mod_bind"
#endif

/*
 * this is our query. This is a DNS-formatted string
 * <length1><string1><length2><string2><0>
 */
#define DNSTXTREQ	"\007version\004bind"

static int process_rcv(struct _opt *);
static void add_dnshdr(unsigned char *);
static void add_dnstxthdr(unsigned char *, char *, u_int *);

/*
 * Set to 1 by init(); a second init() call then returns -1.
 * Nothing in this file resets it (fini() leaves it untouched).
 */
static int isinit=0;
/*
 * some variables from the binary-process
 *
 * process_rcv() reads these to locate and bound the received packet.
 * They describe data that came off the network, so every offset derived
 * from them has to be compared with plen before it is dereferenced.
 */
/* added to the header sizes when process_rcv() compares against plen;
 * presumably the link-layer header length - TODO confirm in the main program */
extern int dlt_len;
/* base pointer for the received packet; process_rcv() finds the DNS header at
 * align_buf + IP header length + UDP header size, so it appears to point at
 * the IP header - TODO confirm */
extern u_char *align_buf;
/* added to IP_SIZE to obtain the received IP header length */
extern unsigned short ip_options;
/* received IP header; process_rcv() reads ip_p and ip_src from it */
extern struct ip *ip;
/* not referenced in this file */
extern struct Ether_header *eth;
/* plen is the upper bound for all parsing in process_rcv(); pcaplen is not
 * referenced in this file */
extern u_int plen, pcaplen;
/* not referenced in this file */
extern struct timeval *pts;


/*
 * Fixed DNS message header as it is laid over the packet buffer.
 * add_dnshdr() stores the fields with htons() and process_rcv() reads
 * flags with ntohs(), i.e. the fields hold network byte order.
 */
struct _dnshdr
{
    u_short id;             /* DNS packet ID */
    u_short flags;          /* DNS flags */
    u_short num_q;          /* Number of questions */
    u_short num_answ_rr;    /* Number of answer resource records */
    u_short num_auth_rr;    /* Number of authority resource records */
    u_short num_addi_rr;    /* Number of additional resource records */
};

/*
 * Fixed part of an answer record, laid over the bytes that follow the
 * answer name in process_rcv().  Only len is read in this file.
 * NOTE(review): the TTL is presumably split into two u_short fields so the
 * struct has no padding and matches the wire layout - confirm.
 */
struct _dnsanswr
{
    u_short type;
    u_short class;
    u_short ttl1;
    u_short ttl2;
    u_short len;    /* read with ntohs() and used as the TXT data length */
};



/*
 * static functions prototypes
 */
static int mdo_opt(int, char **, struct _opt *);
static void init_vars(struct _opt *);

/*
 * Print the module's usage text to stdout: the module name, a one-line
 * description and the two port options.
 */
void
musage()
{
    /* adjacent literals are joined at compile time, so one call emits the
     * same bytes as the four separate ones did */
    printf ("\n" MOD_NAME "\n"
            "verson.bind chaos txt module\n"
            " -p <port>, destination port, default 53\n"
            " -o <port>, source port, default 53\n");
}


/*
 * Module initialisation.
 * Stores the module name in *modname, loads the default ports via
 * init_vars() and then parses the module options with mdo_opt().
 * return 0 on success, != 0 on failure (already initialised, or an
 * option was rejected)
 */
int
init(char **modname, int argc, char *argv[], struct _opt *opt)
{
    int rc;

#ifdef DEBUG
    printf("MODULE INIT\n");
#endif
    if (isinit != 0) {
        return(-1);
    }

    *modname = MOD_NAME;
    /* marked before the options are parsed: a failed parse still leaves
     * the module flagged as initialised */
    isinit = 1;
    init_vars(opt);

    rc = mdo_opt(argc, argv, opt);
    return(rc != 0 ? -1 : 0);
}

/*
 * fini-routine. called on cleanup.
 * There is nothing to release here; it always returns 0 and does not
 * clear the isinit flag.
 */
int
fini()
{
    const int status = 0;

#ifdef DEBUG
    printf("MODULE FINI\n");
#endif
    return(status);
}


/*
 * Module entry point [entry]
 * RMOD_OK: everything allright. send  the packet out [if first]
 *          or do nothing [MOD_RCV].
 * RMOD_SKIP: proceed with next IP without sending out the packet.
 *
 * This module always returns RMOD_OK.  For MOD_FIRSTPKG it builds the
 * query inside opt->packet at fixed offsets (question, DNS header, UDP
 * header, IP header) and leaves the total length after the ethernet
 * header in opt->pkg_len.  For MOD_RCV it hands over to process_rcv()
 * and ignores its return value.
 *
 * NOTE(review): nothing here checks the size of opt->packet; the buffer
 * has to be large enough for all headers plus the question - confirm
 * against the allocation in the main program.
 */
int
callmdl(int entry, struct _opt *opt)
{
    const size_t dns_off = ETH_SIZE + IP_SIZE + UDP_SIZE;
    const size_t dnshdr_len = sizeof(struct _dnshdr);

#ifdef DEBUG
    printf("MODULE CALLMDL\n");
#endif
    if (entry != MOD_FIRSTPKG) {
        if (entry == MOD_RCV) {
            process_rcv(opt);
        }
        return(RMOD_OK);
    }

    /* the question goes first: it sets opt->pkg_len, which the UDP and
     * IP length fields below are derived from */
    add_dnstxthdr (opt->packet + dns_off + dnshdr_len, DNSTXTREQ, &opt->pkg_len);
    add_dnshdr (opt->packet + dns_off);
    add_udphdr (opt->packet + ETH_SIZE + IP_SIZE, &opt->nt, opt->pkg_len + dnshdr_len);
    add_iphdr (opt->packet + ETH_SIZE, IPPROTO_UDP, &opt->nt, opt->pkg_len + UDP_SIZE + dnshdr_len);
    opt->pkg_len += IP_SIZE + UDP_SIZE + dnshdr_len;

    return(RMOD_OK);
}


/*
 ***********************************************************
 *  Our OWN/static functions for THIS module               *
 ***********************************************************
 */

/*
 * initialize all local variables.
 * We use some 'unused' variables of the masterprogramm:
 * both the source and the destination port in opt->nt default to 53,
 * stored in network byte order.
 */
static void
init_vars(struct _opt *opt)
{
    const unsigned short dns_port = htons(53);

    opt->nt.sport = dns_port;
    opt->nt.dport = dns_port;
}


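/*
 * Parse a decimal port number.
 * Stores the value in *port and returns 0 on success.  Returns -1 when
 * the string is empty, is not a plain decimal number, or lies outside
 * 0..65535.  atoi() reported none of these: a non-numeric argument
 * became port 0 and a value above 65535 was silently truncated.
 */
static int
mdo_parse_port(const char *arg, unsigned short *port)
{
    char *end;
    long val;

    if (arg == NULL || *arg == '\0')
        return(-1);

    errno = 0;
    val = strtol(arg, &end, 10);
    if (errno != 0 || end == arg || *end != '\0')
        return(-1);
    if (val < 0 || val > 65535)
        return(-1);

    *port = (unsigned short)val;
    return(0);
}

/*
 * LOCAL/STATIC function, only available in the module
 * Reads the module options: -p <port> sets the destination port and
 * -o <port> the source port in opt->nt, both in network byte order.
 * return 0 on success, != 0 on failure (unknown option, missing or
 * invalid port argument)
 */
static int
mdo_opt(int argc, char *argv[], struct _opt *opt)
{
    extern char *optarg;
    /*extern int optind, opterr, optopt;*/
    unsigned short port;
    int c;

    while ((c = getopt (argc, argv, "p:o:")) != -1)
    {
        switch (c)
        {
        case 'p':
            if (mdo_parse_port(optarg, &port) != 0)
            {
                fprintf(stderr, "invalid port: %s\n", optarg);
                return(-1);
            }
            opt->nt.dport = htons(port);
            break;
        case 'o':
            if (mdo_parse_port(optarg, &port) != 0)
            {
                fprintf(stderr, "invalid port: %s\n", optarg);
                return(-1);
            }
            opt->nt.sport = htons(port);
            break;
        case ':':
            /* getopt() only returns ':' when the option string starts
             * with ':'; with "p:o:" a missing argument arrives as '?'
             * and is handled by the default case */
            fprintf(stderr, "missing parameter\n");
            return(-1);
        default:
            return(-1);
        }
    }
    return(0);
}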


/*
 * add a DNS header
 *
 * Writes a query header at pkt: id 6, flags 0x0100 (recursion desired),
 * one question and no other records.  The caller must provide room for
 * sizeof(struct _dnshdr) bytes.  The id is a constant, and process_rcv()
 * in this file does not compare it with the id of a reply.
 */
static void
add_dnshdr(unsigned char *pkt)
{
    struct _dnshdr hdr;

    hdr.id = htons(6);		/* could be random */
    hdr.flags = htons(0x0100);	/* do query recursivly */
    hdr.num_q = htons(1);
    hdr.num_answ_rr = 0;
    hdr.num_auth_rr = 0;
    hdr.num_addi_rr = 0;

    /* the request itself (class TXT etc) is appended by add_dnstxthdr() */
    *(struct _dnshdr *)pkt = hdr;
}

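/*
 * add DNS-TXT header here
 * returns length in *len
 *
 * Writes the question at pkt: the DNS-encoded name including its
 * terminating zero byte, then type 0x10 (TXT) and class 0x03 (chaos),
 * both in network byte order.  *len receives the number of bytes
 * written.  When name is NULL nothing is written and *len is left
 * untouched.
 *
 * The caller must provide room for strlen(name) + 5 bytes; no buffer
 * size is passed in, so it cannot be checked here.
 *
 * type and class are stored with memcpy() instead of through a u_short
 * pointer: their offset depends on the length of name and is not
 * guaranteed to be 2-byte aligned.
 */
static void
add_dnstxthdr(unsigned char *pkt, char *name, u_int *len)
{
    u_short type;
    u_short class;
    size_t namelen;

    if (name == NULL)
        return;		/* nah! specify "". we need \0 termination */

    namelen = strlen(name) + 1;	/* name plus its terminating zero byte */
    type = htons(0x10); 	/* TEXT string */
    class = htons(0x03);	/* chaos */

    memcpy(pkt, name, namelen);
    memcpy(pkt + namelen, &type, sizeof(type));
    memcpy(pkt + namelen + sizeof(type), &class, sizeof(class));

    *len = namelen + sizeof(type) + sizeof(class);
}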


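/*
 * handle incoming DNS udp answers
 *
 * Parses the received packet (globals ip, align_buf, plen) as a reply to
 * the version.bind query and prints the TXT string next to the sender's
 * address.  The reply is data from the scanned host and is untrusted:
 * each offset is compared with plen before the bytes behind it are read,
 * the string length is bounded by buf, and every non-printable byte is
 * replaced by '_' before printing.
 *
 * Layout assumed by the parser: DNS header, question name ending in a
 * zero byte, 4 bytes of question type/class, answer name ending in a
 * zero byte (a compressed answer name is not decoded), the fixed fields
 * of struct _dnsanswr, one TXT length byte, then the text.
 *
 * Within this function the DNS id, the UDP ports and the question are
 * not compared with what was sent.
 *
 * returns 0 if the packet is not UDP, if the announced TXT length runs
 * past plen, or after printing; -1 if the packet is too short, has a
 * non-zero value in the low four flag bits (response code), or has a
 * TXT length of 0 or more than 128.  opt is not used.
 *
 * NOTE(review): all bounds are taken from plen; whether the capture
 * buffer really holds plen bytes (pcaplen is not consulted) cannot be
 * seen from this file - confirm in the main program.
 */
static int
process_rcv(struct _opt *opt)
{
    struct _dnshdr *dns;
    struct _dnsanswr answr;
    struct udphdr *udp;
    char *ptr;
    char buf[128];
    unsigned int len;
    int dnstxtlen, txtlen, i;
    unsigned int iphdr_len = 0;

    if (ip->ip_p != IPPROTO_UDP)
        return(0);

    iphdr_len = IP_SIZE + ip_options;
    if (plen < dlt_len + iphdr_len + sizeof(*udp) + sizeof(*dns))
        return(-1);	/* invalid size */

    dns = (struct _dnshdr *) (align_buf + iphdr_len + sizeof(*udp));
    if (ntohs(dns->flags) & 0x000F)	/* dns-error? query refused ? */
        return(-1);

    /* len tracks the packet offset of ptr so it can be checked against plen */
    ptr = (char *) (align_buf + iphdr_len + sizeof(*udp) + sizeof(*dns));
    len = dlt_len + iphdr_len + sizeof(*udp) + sizeof(*dns);

    while (len++ < plen) {		/* skip the question name */
        if (*ptr++ == '\0')
            break;
    }

    if (len >= plen)
        return(-1);

    /* skip the question's type and class (2 + 2 bytes) */
    len += 4;
    ptr += 4;

    while (len++ < plen) {		/* skip VERSION.BIND answer string */
        if (*ptr++ == '\0')
            break;
    }

    len += sizeof(answr);
    if (len >= plen)
        return(-1);

    /* copy the fixed answer fields out instead of casting ptr: after the
     * variable-length names ptr need not be aligned for a u_short read */
    memcpy(&answr, ptr, sizeof(answr));
    dnstxtlen = ntohs(answr.len);
    if (len + dnstxtlen > plen)
        return(0);

    if ((dnstxtlen == 0) || (dnstxtlen > 128))
        return(-1);

    /* the first data byte is the TXT length byte; skip it and copy the
     * remaining dnstxtlen - 1 bytes (at most 127, so the terminator fits) */
    txtlen = dnstxtlen - 1;
    memcpy(buf, ptr + sizeof(answr) + 1, txtlen);
    buf[txtlen] = '\0';

    /*
     * Replace non-printable bytes before the string reaches the terminal.
     * The pass starts at buf[0] and never goes beyond the copied bytes.
     * It used to start at the second byte and run until it met a zero
     * byte, which left the first byte unfiltered and, for a one-byte TXT
     * record, walked through uninitialised stack memory and wrote to it.
     * isprint() needs an unsigned char value; plain char may be negative.
     */
    for (i = 0; i < txtlen && buf[i] != '\0'; i++) {
        if (!isprint((unsigned char)buf[i]))
            buf[i] = '_';
    }

    printf("%s VERSION.BIND. \"%s\"\n", int_ntoa(ip->ip_src.s_addr), buf);

    return(0);
}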