…and I couldn’t be happier. I’m going to start writing “weaponized code” instead of “exploits”. This will totally make up for having to give up “reverse-engineering” for “deep analysis” for “legal reasons”.
However you feel about people publishing exploits for the DNS flaw already, there’s a selection of them out there now, and you might as well have a look at the code if you’re a penetration tester. Now, I’m going to give out some links to these, so if you happen to be a blackhat that relies only on this site for your exploit needs, I’m going to have to ask you to go ahead and close your browser:
- I)ruid and H D Moore’s metasploit module (and in the context of the trunk version of metasploit) – This one’s pretty nice. Like a good metasploit module, it has functionality built in to test a server for vulnerability. It can’t spoof if there’s already a cached entry for the domain you’re trying to spoof, however it is smart enough to check for this ahead of time and sleep until it can try again. This one also randomizes the domain names it’s using while it tries to guess the transaction ID.
- Julien Desfossez’s standalone exploit – Less frills than the metasploit module, but it gets points for being written in python with the excellent Scapy. From the code, it looks like the domain names it’s using while guessing the transaction ID are pretty predictable: a3.victim.com, a4.victim.com, a5.victim.com, and so on.
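Both tools above leave the same footprint on the resolver they target: one client fires off a burst of queries for many distinct sibling names under the zone being poisoned, whether those names are predictable (a3, a4, a5…) or randomized. As an added example (not code from this post or from either exploit’s authors), here is a small detector that reads BIND-style query-log lines and flags any client that asks for an unusually large number of distinct subdomains of one zone within a short window. The log lines are constructed for the example, the window and threshold are hypothetical tuning values, and the assumption that the parent zone is the last two labels of the query name is a simplification for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# BIND-style query-log line, e.g.
#   17-Jul-2008 10:15:01.001 client 192.0.2.10#53412: query: a3.victim.example IN A + (192.0.2.1)
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Return (timestamp, client_ip, qname) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return ts, m.group("client"), m.group("qname").lower().rstrip(".")


def split_zone(qname):
    """Split 'a3.victim.example' into ('victim.example', 'a3').

    Assumption for this example: the parent zone is always the last two labels.
    A real deployment would use a public-suffix list or its own zone inventory.
    """
    labels = qname.split(".")
    if len(labels) < 3:
        return None, None
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def find_bursts(lines, window_seconds=5, threshold=8):
    """Flag (client, zone) pairs that queried >= threshold distinct sibling names
    under one zone within window_seconds. Returns {(client, zone): max_distinct}.

    Counting distinct leaf names (rather than matching an a3/a4/a5 pattern) means
    the randomized-name variant trips the same check as the predictable one.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # (client, zone) -> deque of (timestamp, leaf)
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, qname = parsed
        zone, leaf = split_zone(qname)
        if zone is None:
            continue
        key = (client, zone)
        q = recent[key]
        q.append((ts, leaf))
        # Drop entries that have aged out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = len({name for _, name in q})
        if distinct >= threshold:
            alerts[key] = max(distinct, alerts.get(key, 0))
    return alerts


# Constructed sample log: two benign lookups from one client, then a burst of
# sibling-name queries (a3..a14 under victim.example) from another client.
BASE = datetime(2008, 7, 17, 10, 15, 1)


def _fmt(t):
    return t.strftime("%d-%b-%Y %H:%M:%S.") + f"{t.microsecond // 1000:03d}"


SAMPLE_LOG = [
    f"{_fmt(BASE)} client 192.0.2.20#44000: query: www.victim.example IN A + (192.0.2.1)",
    f"{_fmt(BASE + timedelta(seconds=2))} client 192.0.2.20#44001: query: mail.other.example IN MX + (192.0.2.1)",
] + [
    f"{_fmt(BASE + timedelta(milliseconds=50 * i))} client 192.0.2.10#{53400 + i}: "
    f"query: a{i}.victim.example IN A + (192.0.2.1)"
    for i in range(3, 15)
]

if __name__ == "__main__":
    for (client, zone), count in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT {client} asked for {count} distinct names under {zone}")
```

On the constructed log this reports the single bursting client and stays quiet about the client doing ordinary lookups. The threshold is deliberately low for the demo; a busy recursive resolver fronting many users will legitimately see plenty of distinct names per zone, so in practice you would tune the window and threshold per resolver and pair this with the real fix, source-port randomization on the resolver itself.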
I’ll talk about other exploits when I see them, if I think they’re interesting. I’m honestly surprised it’s taken as long as it has for exploits to come out, as it’s a pretty easy vulnerability to wrap your head around, and pretty straightforward to generate the packets.
This’ll give you something to play with in the lab while the Internet crumbles around you.
I guarantee that |)ruid/hdm’s exploit was not the first. Who would you prefer poisons your cache: discreet pros or kiddies with metasploit?