
CVE-2015-5477 PoC: ISC BIND Denial of Service Vulnerability

Source
Associated Vulnerability
Title: ISC BIND Denial of Service Vulnerability (CVE-2015-5477)
Description: ISC BIND is open-source software implementing the DNS protocol, maintained by the Internet Systems Consortium (ISC) in the United States. The named daemon in ISC BIND 9.9.7-P1 and earlier and 9.10.2-P2 and earlier contains a security vulnerability. A remote attacker can exploit it via a TKEY query to cause a denial of service (REQUIRE assertion failure and daemon exit).
Description
Vulnerability as a service: showcasing CVE-2015-5477, a denial-of-service condition in the bind9 software
Readme
# Vulnerability as a Service - CVE 2015-5477
A Debian (Wheezy) Linux system with a vulnerable version of bind9 to showcase CVE-2015-5477.

# Overview
This Docker container is based on Debian Wheezy and has been modified to use a vulnerable version of bind9 together with the matching additional dependencies.

# Usage
Get the container with `docker pull hmlio/vaas-cve-2015-5477`.

Run the container with a port mapping (for the maximum "Dude! This sucks!" effect I recommend starting the container without detaching it as a background process):
`docker run -p 53:53/udp hmlio/vaas-cve-2015-5477`

You should be able to do DNS queries via the container:
`dig @<your-ip> hml.io any`
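A version-string check against the affected ranges stated above (9.9.7-P1 and earlier, 9.10.2-P2 and earlier), as an added example that is not part of the original README or of this archive. The function names and the sample `dig ... version.bind CHAOS TXT` answer line are constructed here, and it assumes that 9.11 and later, and anything that is not BIND 9, fall outside the affected ranges:

```python
import re

# Matches "9.9.7-P1", "9.10.2-P2", "9.9.8", and distro strings such as
# "9.9.5-9+deb8u2-Debian" (the "-9+deb8u2" part is not a -P patch level).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?")

# Last affected release per branch, as given in the advisory text on this page.
LAST_AFFECTED_9_9 = (9, 9, 7, 1)    # 9.9.7-P1
LAST_AFFECTED_9_10 = (9, 10, 2, 2)  # 9.10.2-P2


def parse_bind_version(text):
    """Return (major, minor, patch, plevel) or None if the string is not a version.
    A release without a -Pn suffix has patch level 0; trailing decorations are ignored."""
    m = VERSION_RE.match(text.strip().strip('"'))
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected(version_text):
    """True if the reported version lies in the ranges named on this page.
    Comparison is branch-aware: 9.9.8 is newer than 9.9.7-P1 and so is not affected,
    even though it sorts below 9.10.2-P2. Assumption: 9.11+ and non-BIND-9 are not affected."""
    v = parse_bind_version(version_text)
    if v is None:
        raise ValueError(f"unrecognised BIND version string: {version_text!r}")
    if v[0] != 9 or v[:2] > (9, 10):
        return False
    if v[:2] == (9, 10):
        return v <= LAST_AFFECTED_9_10
    return v <= LAST_AFFECTED_9_9


def version_from_dig_answer(dig_output):
    """Extract the TXT string from the ANSWER line of `dig @host version.bind CHAOS TXT`."""
    for line in dig_output.splitlines():
        if line.startswith("version.bind.") and "TXT" in line:
            m = re.search(r'"([^"]*)"', line)
            if m:
                return m.group(1)
    return None


# Constructed sample: the answer section a Wheezy-era resolver might return.
SAMPLE_DIG = ';; ANSWER SECTION:\nversion.bind.\t0\tCH\tTXT\t"9.9.5-9+deb8u2-Debian"\n'

if __name__ == "__main__":
    reported = version_from_dig_answer(SAMPLE_DIG)
    print(reported, "affected:", is_affected(reported))
```

The reported string is only a hint: operators often hide or override `version.bind`, and distributions backport fixes without bumping the version, so a "not affected" result from this check is not proof that the TKEY fix is present.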

# Exploitation
At the time of this writing, a proof of concept exploit is available [here](https://packetstormsecurity.com/files/132926/BIND-TKEY-Query-Denial-Of-Service.html).

From another terminal window, fire up the exploit like so:
`python exploit.py <your-ip>`

Change back to the original terminal window where you started the container in the foreground and you should see something similar to this:

```sh
04-Aug-2015 20:47:14.841 createfetch: hml.io DS
04-Aug-2015 20:47:14.886 createfetch: de DNSKEY
04-Aug-2015 20:48:54.130 message.c:2311: REQUIRE(*name == ((void *)0)) failed, back trace
04-Aug-2015 20:48:54.130 #0 0x7fa696e2fdd9 in ??
04-Aug-2015 20:48:54.130 #1 0x7fa695770f3a in ??
04-Aug-2015 20:48:54.130 #2 0x7fa69669806f in ??
04-Aug-2015 20:48:54.130 #3 0x7fa696723bd9 in ??
04-Aug-2015 20:48:54.130 #4 0x7fa696e40615 in ??
04-Aug-2015 20:48:54.130 #5 0x7fa696e26e71 in ??
04-Aug-2015 20:48:54.130 #6 0x7fa69578fe1d in ??
04-Aug-2015 20:48:54.130 #7 0x7fa695143b50 in ??
04-Aug-2015 20:48:54.130 #8 0x7fa694b2d95d in ??
04-Aug-2015 20:48:54.130 exiting (due to assertion failure)
Aborted (core dumped)
 failed!
```
File Snapshot

[4.0K] /data/pocs/8fa26f1a25ebae413774a54f2ef6ea56d8aa864f
├── [3.0K] Dockerfile
├── [ 18K] LICENSE.md
└── [1.8K] README.md

0 directories, 3 files