ipv6 | |
38,40 0 0 40,21 0 35 53,32 0 0 52,21 0 33 65537,40 0 0 0,84 0 0 65520,21 0 30 24576,32 0 0 56,21 0 5 1,40 0 0 50,21 0 26 33792,40 0 0 44,20 0 0 11,5 0 0 2,21 0 22 0,40 0 0 44,7 0 0 0,64 0 0 24,21 6 0 704850048,21 13 0 3222011905,21 0 16 536936448,64 0 0 28,21 0 14 0,64 0 0 32,21 11 12 0,64 0 0 32,21 0 10 4207849484,64 0 0 36,21 0 8 9694,64 0 0 18,37 6 0 255,53 0 5 64,6 0 0 1,64 0 0 30,37 2 0 255,53 0 1 64,6 0 0 1,6 0 0 0 | |
; IPv6 variant (classic BPF, bpf_asm syntax): returns 1 when a reply from port 53
; has the shape of a forged DNS answer, 0 otherwise.
;
; All offsets are absolute, counted from the first byte of the IPv6 header:
;   [0]  version / traffic class   [40] UDP source port   [44] UDP length
;   [50] DNS flags                 [52] QDCOUNT|ANCOUNT   [56] NSCOUNT|ARCOUNT
;
; NOTE(review): the next-header field is never read, so the rule that installs
; this filter has to restrict it to UDP, and a packet with extension headers is
; evaluated at the wrong offsets. TODO confirm how the filter is attached.
; NOTE(review): X comes from the UDP length field inside the packet. If that
; value puts an indexed load outside the packet, a classic BPF program ends
; with 0, i.e. "no match".
; NOTE(review): this is a heuristic signature. A genuine reply with the same
; counts, address and TTL range matches too; weigh that if matches are dropped.

        ldh     [40]
        jne     #53, nomatch            ; source port must be 53
        ; every forged IPv6 reply seen so far carries 1 QUERY and 1 ANSWER
        ld      [52]
        jne     #0x10001, nomatch       ; QDCOUNT=1, ANCOUNT=1
        ldh     [0]
        and     #0xfff0                 ; keep version nibble + traffic class
        jne     #0x6000, nomatch        ; version 6, traffic class 0
        ld      [56]
        jne     #1, no_additional       ; fall through on NSCOUNT=0, ARCOUNT=1
        ; one ADDITIONAL record: only accepted together with dns.flags=0x8400
        ldh     [50]
        jne     #0x8400, nomatch
        ldh     [44]
        sub     #11                     ; presumably steps over an 11-byte trailing record (empty OPT?) - confirm
        jmp     inspect_tail
        ; usual shape: 1 QUERY, 1 ANSWER, 0 AUTHORITY, 0 ADDITIONAL
no_additional:
        jne     #0, nomatch             ; A still holds [56]: NSCOUNT=0, ARCOUNT=0
        ldh     [44]
inspect_tail:
        tax                             ; X = UDP length (less 11 on the ADDITIONAL path)
        ld      [x + 24]                ; 40 + X - 16: first word of the last 16 bytes
        jeq     #0x2a032880, fb_addr    ; address begins 2a03:2880
        jeq     #0xc00c0001, rr_a_ttl   ; name pointer 0xc00c + type 1: tail is an A record
        jne     #0x20010000, nomatch    ; otherwise it must begin 2001:0000
        ld      [x + 28]
        jne     #0, nomatch
        ld      [x + 32]
        jeq     #0, match, nomatch      ; bytes 4..11 zero; the last 4 bytes are not compared
fb_addr:
        ld      [x + 32]
        jne     #0xfaceb00c, nomatch
        ld      [x + 36]
        jne     #0x25de, nomatch        ; address ends face:b00c:0:25de ([x + 28] is not compared)
        ld      [x + 18]                ; word 6 bytes ahead of the address, presumably the TTL
        jgt     #0xff, nomatch
        jlt     #0x40, nomatch          ; accepted range is 0x40..0xff
        ret     #1
rr_a_ttl:
        ld      [x + 30]                ; word 6 bytes into the 16-byte tail, presumably the TTL
        jgt     #0xff, nomatch
        jlt     #0x40, nomatch          ; accepted range is 0x40..0xff
match:
        ret     #1
nomatch:
        ret     #0
ipv4 | |
55,40 0 0 20,21 0 52 53,32 0 0 36,21 0 7 1,40 0 0 30,21 0 48 33792,32 0 0 32,21 0 46 65537,40 0 0 24,20 0 0 11,5 0 0 10,21 0 42 0,32 0 0 32,21 3 0 65537,21 0 39 65536,40 0 0 30,21 23 37 33152,40 0 0 30,84 0 0 65487,21 25 0 34176,40 0 0 24,7 0 0 0,64 0 0 4,21 6 0 704850048,21 12 0 3222011905,21 0 28 536936448,64 0 0 8,21 0 26 0,64 0 0 12,21 10 24 0,64 0 0 4294967294,37 22 0 255,53 0 21 64,64 0 0 12,21 0 19 4207849484,64 0 0 16,21 3 17 9694,64 0 0 10,37 15 0 255,53 0 14 64,32 0 0 4,21 11 0 0,21 11 0 16384,84 0 0 65535,21 8 9 16384,40 0 0 6,21 0 7 0,40 0 0 24,7 0 0 0,64 0 0 6,21 0 3 65537,64 0 0 10,21 0 1 60,6 0 0 1,6 0 0 0 | |
; IPv4 variant (classic BPF, bpf_asm syntax): returns 1 when a reply from port 53
; has the shape of a forged DNS answer, 0 otherwise.
;
; All offsets are absolute, counted from the first byte of the IPv4 header:
;   [4]  IP identification | flags+fragment offset      [6] flags+fragment offset
;   [20] UDP source port   [24] UDP length
;   [30] DNS flags         [32] QDCOUNT|ANCOUNT         [36] NSCOUNT|ARCOUNT
;
; NOTE(review): the header-length nibble and the protocol byte are never read.
; The offsets only line up for a 20-byte IP header, and the rule that installs
; this filter has to restrict it to UDP. TODO confirm how the filter is attached.
; NOTE(review): X comes from the UDP length field inside the packet. If that
; value puts an indexed load outside the packet, a classic BPF program ends
; with 0, i.e. "no match".
; NOTE(review): this is a heuristic signature. A genuine reply with the same
; counts, flags, address and TTL matches too; weigh that if matches are dropped.

        ldh     [20]
        jne     #53, nomatch            ; source port must be 53
        ld      [36]
        jne     #1, no_additional       ; fall through on NSCOUNT=0, ARCOUNT=1
        ; one ADDITIONAL record: only accepted together with dns.flags=0x8400
        ldh     [30]
        jne     #0x8400, nomatch
        ld      [32]
        jne     #0x10001, nomatch       ; QDCOUNT=1, ANCOUNT=1
        ldh     [24]
        sub     #11                     ; presumably steps over an 11-byte trailing record (empty OPT?) - confirm
        jmp     inspect_tail
        ; usual shape: 1 QUERY, 1 ANSWER, 0 AUTHORITY, 0 ADDITIONAL
no_additional:
        jne     #0, nomatch             ; A still holds [36]: NSCOUNT=0, ARCOUNT=0
        ld      [32]
        jeq     #0x10001, one_answer    ; QDCOUNT=1, ANCOUNT=1
        ; answerless forgery: 1 QUERY, 0 ANSWER, dns.flags=0x8180
        jne     #0x10000, nomatch
        ldh     [30]
        jeq     #0x8180, ip_id_flags, nomatch
one_answer:
        ldh     [30]
        ; dns.flags=0x8580 or 0x85b0 selects the "A record, TTL 60" check
        and     #0xffcf                 ; ignore the 0x0030 bits
        jeq     #0x8580, aa_reply
        ldh     [24]
inspect_tail:
        tax                             ; X = UDP length (less 11 on the ADDITIONAL path)
        ld      [x + 4]                 ; 20 + X - 16: first word of the last 16 bytes
        jeq     #0x2a032880, fb_addr    ; address begins 2a03:2880
        jeq     #0xc00c0001, rr_a_ttl   ; name pointer 0xc00c + type 1: tail is an A record
        jne     #0x20010000, nomatch    ; otherwise it must begin 2001:0000
        ld      [x + 8]
        jne     #0, nomatch
        ld      [x + 12]
        jeq     #0, ip_id_flags, nomatch ; bytes 4..11 zero; the last 4 bytes are not compared
fb_addr:
        ld      [x + -2]                ; word 6 bytes ahead of the address, presumably the TTL
        jgt     #0xff, nomatch
        jlt     #0x40, nomatch          ; accepted range is 0x40..0xff
        ld      [x + 12]
        jne     #0xfaceb00c, nomatch
        ld      [x + 16]
        jeq     #0x25de, ip_id_flags, nomatch ; address ends face:b00c:0:25de ([x + 8] is not compared)
rr_a_ttl:
        ld      [x + 10]                ; word 6 bytes into the 16-byte tail, presumably the TTL
        jgt     #0xff, nomatch
        jlt     #0x40, nomatch          ; accepted range is 0x40..0xff
        ; Final gate on the IP header word at [4]:
        ; match when it is all zero, or when the low half is exactly 0x4000
        ; and the high half is non-zero.
ip_id_flags:
        ld      [4]
        jeq     #0, match
        jeq     #0x4000, nomatch        ; high half zero with 0x4000 in the low half is rejected
        and     #0xffff
        jeq     #0x4000, match, nomatch
aa_reply:
        ldh     [6]
        jne     #0, nomatch             ; flags and fragment offset must be zero
        ldh     [24]
        tax                             ; X = UDP length
        ld      [x + 6]                 ; 20 + X - 14: first word of the last 14 bytes
        jne     #0x10001, nomatch       ; presumably type A, class IN - confirm
        ld      [x + 10]
        jne     #60, nomatch            ; DNS TTL must be 60
match:
        ret     #1
nomatch:
        ret     #0
aa