
@llccd

llccd/dnsdrop Secret

Last active January 23, 2023 16:35
ipv6
29,40 0 0 40,21 0 26 53,32 0 0 52,21 0 24 65537,40 0 0 0,84 0 0 65520,21 0 21 24576,32 0 0 56,21 0 5 1,40 0 0 50,21 0 17 33792,40 0 0 44,20 0 0 11,5 0 0 2,21 0 13 0,40 0 0 44,7 0 0 0,64 0 0 24,21 5 0 3222011905,21 0 8 536936448,64 0 0 28,21 0 6 0,64 0 0 32,21 3 4 0,64 0 0 30,37 2 0 255,53 0 1 64,6 0 0 1,6 0 0 0
; Classic BPF filter (bpf_asm syntax) for IPv6. Returns 1 when the packet looks
; like one of the forged DNS replies fingerprinted below, 0 otherwise.
; The decimal bytecode line published with this listing is this program in
; assembled form (29 instructions); keep the instruction order in step with it.
; All fixed offsets count from the first byte of the IPv6 header:
;   [0]  version / traffic class      [40] source port   [44] UDP length
;   [50] DNS flags   [52] QDCOUNT|ANCOUNT   [56] NSCOUNT|ARCOUNT
; NOTE(review): offset 40 is read as the source port without testing the Next
; Header field, so this presumably relies on the attaching rule to select UDP
; packets without extension headers -- confirm where the filter is loaded.
; NOTE(review): the match is a heuristic fingerprint. A genuine reply of the
; same shape (e.g. a single compressed-name A answer with TTL 64..255) also
; returns 1, so measure false positives before acting on the verdict.
ldh [40]
jne #53, fail ;sport 53
;Currently every ipv6 fake packet contains 1 QUERY, 1 ANSWER
ld [52]
jne #0x10001, fail ;1 QUERY, 1 ANSWER
; First 16 bits masked with 0xfff0 must equal 0x6000: version 6 and a zero
; traffic class.
ldh [0]
and #0xfff0
jne #0x6000, fail
ld [56]
jne #0x1, nauth ;0 AUTHORITY, 1 ADDITIONAL
;Check fake packet contains 1 ADDITIONAL record with dns.flags=8400
ldh [50]
jne #0x8400, fail
; A = UDP length - 11, so the 16-byte window inspected at chkresp ends 11
; bytes before the end of the datagram.
; NOTE(review): 11 bytes presumably is the trailing additional record (an
; EDNS0 OPT record with empty RDATA has that size) -- confirm.
ldh [44]
sub #11
jmp chkresp
;Fake packet normally contains 1 QUERY, 1 ANSWER, 0 AUTHORITY, 0 ADDITIONAL
nauth:
; A still holds the word loaded from [56] here.
jne #0x0, fail ;0 AUTHORITY, 0 ADDITIONAL
ldh [44]
chkresp:
; X = UDP length (minus 11 on the ADDITIONAL path). [x + 24] is therefore
; 40 + X - 16: the first word of the last 16 bytes covered by X.
tax
ld [x + 24]
; 0xc00c0001 = name-compression pointer 0xc00c followed by TYPE 1 (A). A
; compressed-name A record is exactly 16 bytes, so the window is that record.
jeq #0xc00c0001, chkttl
; Otherwise the window must start with 0x20010000 followed by eight zero
; bytes; the last four bytes are not tested.
; NOTE(review): presumably 16 bytes of AAAA RDATA of the form
; 2001:0:0:0:0:0:xxxx:xxxx -- confirm against captured samples.
jne #0x20010000, fail
ld [x + 28]
jne #0x0, fail
ld [x + 32]
jeq #0x0, success, fail
chkttl:
; Offset 6 inside the A record is its 32-bit TTL; only 0x40..0xff (64..255)
; falls through to success.
ld [x + 30]
jgt #0xff, fail
jlt #0x40, fail
success:
ret #1
fail:
ret #0
ipv4
47,40 0 0 20,21 0 44 53,32 0 0 36,21 0 7 1,40 0 0 30,21 0 40 33792,32 0 0 32,21 0 38 65537,40 0 0 24,20 0 0 11,5 0 0 10,21 0 34 0,32 0 0 32,21 3 0 65537,21 0 31 65536,40 0 0 30,21 15 29 33152,40 0 0 30,84 0 0 65487,21 17 0 34176,40 0 0 24,7 0 0 0,64 0 0 4,21 5 0 3222011905,21 0 21 536936448,64 0 0 8,21 0 19 0,64 0 0 12,21 3 17 0,64 0 0 10,37 15 0 255,53 0 14 64,32 0 0 4,21 11 0 0,21 11 0 16384,84 0 0 65535,21 8 9 16384,40 0 0 6,21 0 7 0,40 0 0 24,7 0 0 0,64 0 0 6,21 0 3 65537,64 0 0 10,21 0 1 60,6 0 0 1,6 0 0 0
; Classic BPF filter (bpf_asm syntax) for IPv4. Returns 1 when the packet looks
; like one of the forged DNS replies fingerprinted below, 0 otherwise.
; The decimal bytecode line published with this listing is this program in
; assembled form (47 instructions); keep the instruction order in step with it.
; All fixed offsets count from the first byte of the IPv4 header and only line
; up when that header is 20 bytes long (no IP options):
;   [4]  IP ID | flags+fragment offset   [6]  flags+fragment offset
;   [20] source port   [24] UDP length   [30] DNS flags
;   [32] QDCOUNT|ANCOUNT   [36] NSCOUNT|ARCOUNT
; NOTE(review): neither the header length nor the protocol field is tested
; before these reads, so this presumably relies on the attaching rule to select
; UDP -- confirm where the filter is loaded.
; NOTE(review): the match is a heuristic fingerprint. A genuine reply with one
; compressed-name A answer, TTL 64..255, DF set and a non-zero IP ID also
; returns 1, so measure false positives before acting on the verdict.
ldh [20]
jne #53, fail ;sport 53
ld [36]
jne #0x1, normal ;0 AUTHORITY, 1 ADDITIONAL
;Check fake packet contains 1 ADDITIONAL record with dns.flags=8400
ldh [30]
jne #0x8400, fail
ld [32]
jne #0x10001, fail ;1 QUERY, 1 ANSWER
; A = UDP length - 11, so the 16-byte window inspected at chkresp ends 11
; bytes before the end of the datagram.
; NOTE(review): 11 bytes presumably is the trailing additional record (an
; EDNS0 OPT record with empty RDATA has that size) -- confirm.
ldh [24]
sub #11
jmp chkresp
;Fake packet normally contains 1 QUERY, 1 ANSWER, 0 AUTHORITY, 0 ADDITIONAL
normal:
; A still holds the word loaded from [36] here: both counts must be zero.
jne #0x0, fail
ld [32]
jeq #0x10001, dnsdrop ;1 QUERY, 1 ANSWER
;Check fake packet contains 0 ANSWER with dns.flags=8180
jne #0x10000, fail ;1 QUERY, 0 ANSWER
ldh [30]
jeq #0x8180, idflag, fail
dnsdrop:
ldh [30]
;Fake packet with dns.flags=8580/85b0 dns.resp.ttl=60 dns.resp.type=A
; Masking with 0xffcf clears bits 0x0030, so 0x8580 and 0x85b0 compare equal.
and #0xffcf
jeq #0x8580, auth
ldh [24]
chkresp:
; X = UDP length (minus 11 on the ADDITIONAL path). [x + 4] is therefore
; 20 + X - 16: the first word of the last 16 bytes covered by X.
tax
ld [x + 4]
; 0xc00c0001 = name-compression pointer 0xc00c followed by TYPE 1 (A). A
; compressed-name A record is exactly 16 bytes, so the window is that record.
jeq #0xc00c0001, chkttl
; Otherwise the window must start with 0x20010000 followed by eight zero
; bytes; the last four bytes are not tested.
; NOTE(review): presumably 16 bytes of AAAA RDATA of the form
; 2001:0:0:0:0:0:xxxx:xxxx -- confirm against captured samples.
jne #0x20010000, fail
ld [x + 8]
jne #0x0, fail
ld [x + 12]
jeq #0x0, idflag, fail
chkttl:
; Offset 6 inside the A record is its 32-bit TTL; only 0x40..0xff (64..255)
; falls through to idflag.
ld [x + 10]
jgt #0xff, fail
jlt #0x40, fail
idflag:
; A = IP ID in the high 16 bits, flags + fragment offset in the low 16 bits.
; Accepted: the whole word is zero (ID 0, no flags), or the low half is exactly
; 0x4000 (DF only, no fragment offset) with a non-zero ID. ID 0 together with
; DF is rejected, as is every other flag/offset combination.
ld [4]
jeq #0x0, success
jeq #0x4000, fail
and #0xffff
jeq #0x4000, success, fail
auth:
; Flags 0x8580/0x85b0 path: the IP flags and fragment offset must all be zero.
ldh [6]
jne #0x0, fail
ldh [24]
tax
; [x + 6] is 20 + UDP length - 14, the last 14 bytes of the datagram: they must
; start with 0x00010001 (TYPE A, CLASS IN), and the 32-bit TTL that follows at
; [x + 10] must be 60.
ld [x + 6]
jne #0x10001, fail
ld [x + 10]
jne #60, fail ;dns ttl 60
success:
ret #1
fail:
ret #0
@jiachengll

aa
