[TOOL] Detect BIND Version without Banner Information

• Previous message: SecuriTeam: "[EXPL] Buffer Overflow In eXchange POP3 (MAIL FROM)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 21 Apr 2004 19:05:46 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  Detect BIND Version without Banner Information
------------------------------------------------------------------------

SUMMARY

DETAILS

The tool presented below detects the version of ISC bind 8+9 by using
protocol header information, thus it works even if the version has been
disguised.

/*
 * THC/2004
 *
 * This is just a quick and dirty hack to grab the Version of ISC bind 8+9
 * nameservers. It detects the difference between bind 8+9 even if the
version
 * has been disguised.
 * The code is 2 years old and i never shared it before, but as we
 * opened a tool section now, i think it's worth to share it to the
public.
 *
 * COMPILE (with Microsoft C++):
 * cl THCbindinfo.c
 *
 * RUN:
 * C:\ccode\THCbindinfo>THCbindinfo.exe 10.65.57.153
 *
 * ----------------------------------------
 * DNS Version Query for BIND 8+9 Servers
 * coding jcyberpunk@thc.org
 * ----------------------------------------
 *
 * Query for : 10.65.57.153 in progress...pleaze wait!
 *
 * ahh...that must be a bind 8...trying to get more details...
 *
 * DNS Version : BIND 8.3.4
 *
 * Enjoy,
 *
 * http://www.thc.org
 */

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <winsock2.h>

#define TIMEOUT 5
#define errno WSAGetLastError()

#define STATUS_FAILED 0xFFFF

#pragma comment(lib, "ws2_32.lib")

void usage();

main(int argc,char **argv)
{
  struct sockaddr_in myudp;
  struct hostent * hp;
  SOCKET udpsock;
  unsigned short port=53;
  unsigned int addr=0;
  fd_set r;
  struct timeval mytimeout;

  char data[30]=
{0x00,0x06,0x01,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x07,0x76,0x65, 0x72,0x73,0x69,0x6f,0x6e,0x04,0x62,0x69,0x6e,0x64,0x00,0x00,0x10,0x00,0x03};
  unsigned char *dataout;
  unsigned int error, open;

  WSADATA wsaData;

  printf("\n----------------------------------------\n");
  printf("DNS Version Query for BIND 8+9 Servers\n");
  printf(" coding jcyberpunk@thc.org\n");
  printf("----------------------------------------\n\n");

  if(argc != 2)
  {
   usage();
   exit(-1);
  }

  if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0)
  {
   fprintf(stderr,"WSAStartup failed: %d\n",GetLastError());
   ExitProcess(STATUS_FAILED);
  }

  memset(&myudp,0,sizeof(myudp));

  hp = gethostbyname(argv[1]);

  if (!hp){
   addr = inet_addr(argv[1]);
  }
  if ((!hp) && (addr == INADDR_NONE) )
  {
   fprintf(stderr,"Unable to resolve %s\n",argv[1]);
   ExitProcess(STATUS_FAILED);
  }

  if (hp != NULL)
   memcpy(&(myudp.sin_addr),hp->h_addr,hp->h_length);
  else
   myudp.sin_addr.s_addr = addr;

  if (hp)
   myudp.sin_family = hp->h_addrtype;
  else
   myudp.sin_family = AF_INET;

  printf("Query for : %s in progress...pleaze
wait!\n\n",inet_ntoa(myudp.sin_addr));
 
  dataout=(char*)malloc(100);
  memset(dataout,0,sizeof(*dataout));

  mytimeout.tv_sec = TIMEOUT;
  mytimeout.tv_usec = 0;

   myudp.sin_port = htons(port);

   if ((udpsock = socket (PF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1)
   {
     printf("error binding socket!\n");
  exit(0);
   }

   if (connect (udpsock, (struct sockaddr *) &myudp, sizeof (
         struct sockaddr_in)) == 0)
   {

      FD_ZERO (&r);
      FD_SET (udpsock, &r);
   mytimeout.tv_sec = TIMEOUT;
   mytimeout.tv_usec = 0;

      send (udpsock, data, sizeof data, 0);
   error = select ((udpsock + 1), &r, NULL, NULL, &mytimeout);

     if (error==0)
     {
      printf("Port 53 udp is up, but i haven't received data within 5
seconds.\n");
      printf("it seems that this is not a bind 8 or 9 ! :(\n");
      exit(-1);
     }
     if (error==-1)
     {
        printf("select error : %d\n",errno);
        exit(-1);
     }
      open = recv(udpsock, dataout, 100, 0);
      if (open==-1)
   {
     printf("sorry, no nameserver running :(\n");
  exit(-1);
   }

   dataout[open]=0;
      if ((dataout[3]&127)==0)
   {
   if(dataout[30]==192)
   {
    printf ("ahh...that must be a bind 9...trying to get more
details...\n\n");
    printf ("DNS Version : %s\n",dataout+43);
   }
   else
   {
    printf ("ahh...that must be a bind 8...trying to get more
details...\n\n");
          printf("DNS Version : %s\n",dataout+55);
   }
   }
      else
         printf("DNS Version : unknown\n");

    shutdown(udpsock,1);
    closesocket(udpsock);
   }
   
   else
    printf("connect () error : %d\n",errno);

   free(dataout);

  exit(0);
}

void usage()
{
 printf("Gimme <Hostname|IP-Address>\n");
 exit(-1);
}

ADDITIONAL INFORMATION

The information has been provided by <mailto:jcyberpunk@thc.org> Johnny
Cyberpunk.

The tool's web page is located at:
<http://www.thc.org/root/tools/THCbindinfo.c>
http://www.thc.org/root/tools/THCbindinfo.c

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[EXPL] Buffer Overflow In eXchange POP3 (MAIL FROM)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]