Skip to content

Instantly share code, notes, and snippets.

@llccd

llccd/dnsdrop Secret

Last active May 5, 2024 13:30
Show Gist options
  • Star 55 You must be signed in to star a gist
  • Fork 12 You must be signed in to fork a gist
  • Save llccd/1d19a5d859700366c8941eca5b0fadd6 to your computer and use it in GitHub Desktop.
Save llccd/1d19a5d859700366c8941eca5b0fadd6 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
dnsdrop
ipv6
38,40 0 0 40,21 0 35 53,32 0 0 52,21 0 33 65537,40 0 0 0,84 0 0 65520,21 0 30 24576,32 0 0 56,21 0 5 1,40 0 0 50,21 0 26 33792,40 0 0 44,20 0 0 11,5 0 0 2,21 0 22 0,40 0 0 44,7 0 0 0,64 0 0 24,21 6 0 704850048,21 13 0 3222011905,21 0 16 536936448,64 0 0 28,21 0 14 0,64 0 0 32,21 11 12 0,64 0 0 32,21 0 10 4207849484,64 0 0 36,21 0 8 9694,64 0 0 18,37 6 0 255,53 0 5 64,6 0 0 1,64 0 0 30,37 2 0 255,53 0 1 64,6 0 0 1,6 0 0 0
ldh [40]
jne #53, fail ;sport 53
;Currently every ipv6 fake packet contains 1 QUERY, 1 ANSWER
ld [52]
jne #0x10001, fail ;1 QUERY, 1 ANSWER
ldh [0]
and #0xfff0
jne #0x6000, fail
ld [56]
jne #0x1, nauth ;0 AUTHORITY, 1 ADDITIONAL
;Check fake packet contains 1 ADDITIONAL record with dns.flags=8400
ldh [50]
jne #0x8400, fail
ldh [44]
sub #11
jmp chkresp
;Fake packet normally contains 1 QUERY, 1 ANSWER, 0 AUTHORITY, 0 ADDITIONAL
nauth:
jne #0x0, fail ;0 AUTHORITY, 0 ADDITIONAL
ldh [44]
chkresp:
tax
ld [x + 24]
jeq #0x2a032880, facebook
jeq #0xc00c0001, chkttlA
jne #0x20010000, fail
ld [x + 28]
jne #0x0, fail
ld [x + 32]
jeq #0x0, success, fail
facebook:
ld [x + 32]
jne #0xfaceb00c, fail
ld [x + 36]
jne #0x000025de, fail
ld [x + 18]
jgt #0xff, fail
jlt #0x40, fail
ret #1
chkttlA:
ld [x + 30]
jgt #0xff, fail
jlt #0x40, fail
success:
ret #1
fail:
ret #0
ipv4
55,40 0 0 20,21 0 52 53,32 0 0 36,21 0 7 1,40 0 0 30,21 0 48 33792,32 0 0 32,21 0 46 65537,40 0 0 24,20 0 0 11,5 0 0 10,21 0 42 0,32 0 0 32,21 3 0 65537,21 0 39 65536,40 0 0 30,21 23 37 33152,40 0 0 30,84 0 0 65487,21 25 0 34176,40 0 0 24,7 0 0 0,64 0 0 4,21 6 0 704850048,21 12 0 3222011905,21 0 28 536936448,64 0 0 8,21 0 26 0,64 0 0 12,21 10 24 0,64 0 0 4294967294,37 22 0 255,53 0 21 64,64 0 0 12,21 0 19 4207849484,64 0 0 16,21 3 17 9694,64 0 0 10,37 15 0 255,53 0 14 64,32 0 0 4,21 11 0 0,21 11 0 16384,84 0 0 65535,21 8 9 16384,40 0 0 6,21 0 7 0,40 0 0 24,7 0 0 0,64 0 0 6,21 0 3 65537,64 0 0 10,21 0 1 60,6 0 0 1,6 0 0 0
ldh [20]
jne #53, fail ;sport 53
ld [36]
jne #0x1, normal ;0 AUTHORITY, 1 ADDITIONAL
;Check fake packet contains 1 ADDITIONAL record with dns.flags=8400
ldh [30]
jne #0x8400, fail
ld [32]
jne #0x10001, fail ;1 QUERY, 1 ANSWER
ldh [24]
sub #11
jmp chkresp
;Fake packet normally contains 1 QUERY, 1 ANSWER, 0 AUTHORITY, 0 ADDITIONAL
normal:
jne #0x0, fail
ld [32]
jeq #0x10001, dnsdrop ;1 QUERY, 1 ANSWER
;Check fake packet contains 0 ANSWER with dns.flags=8180
jne #0x10000, fail ;1 QUERY, 0 ANSWER
ldh [30]
jeq #0x8180, idflag, fail
dnsdrop:
ldh [30]
;Fake packet with dns.flags=8580/85b0 dns.resp.ttl=60 dns.resp.type=A
and #0xffcf
jeq #0x8580, auth
ldh [24]
chkresp:
tax
ld [x + 4]
jeq #0x2a032880, facebook
jeq #0xc00c0001, chkttlA
jne #0x20010000, fail
ld [x + 8]
jne #0x0, fail
ld [x + 12]
jeq #0x0, idflag, fail
facebook:
ld [x + -2]
jgt #0xff, fail
jlt #0x40, fail
ld [x + 12]
jne #0xfaceb00c, fail
ld [x + 16]
jeq #0x000025de, idflag, fail
chkttlA:
ld [x + 10]
jgt #0xff, fail
jlt #0x40, fail
idflag:
ld [4]
jeq #0x0, success
jeq #0x4000, fail
and #0xffff
jeq #0x4000, success, fail
auth:
ldh [6]
jne #0x0, fail
ldh [24]
tax
ld [x + 6]
jne #0x10001, fail
ld [x + 10]
jne #60, fail ;dns ttl 60
success:
ret #1
fail:
ret #0
@jiachengll
Copy link

aa

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment