Monday, June 4, 2012

Defcon 20 QUALS - Grab Bag 200

We are given a JPEG file and its __MACOSX AppleDouble companion (the Macintosh resource-fork/metadata file):

  • 115e0ba3c3d72647fcb9a53ae90e47a6.jpg
  • __MACOSX/._115e0ba3c3d72647fcb9a53ae90e47a6.jpg

The second file tells us where the JPEG was downloaded from: http://ircimages.com/ircimages/1/1/115e0ba3c3d72647fcb9a53ae90e47a6.jpg

When diffing the original file with the gb200 one, we can see that 84 bytes were appended to the end of the image:

00000000  cc ef 48 00 01 02 00 50  56 00 01 02 08 00 45 00  |..H....PV.....E.|
00000010  00 46 e0 63 00 00 40 11  84 8f 4b 94 64 05 8c c5  |.F.c..@...K.d...|
00000020  d9 55 7a 69 00 35 00 32  e1 2f 1c f7 01 00 00 01  |.Uzi.5.2./......|
00000030  00 00 00 00 00 00 02 31  33 02 31 32 02 31 31 02  |.......13.12.11.|
00000040  31 30 07 69 6e 2d 61 64  64 72 04 61 72 70 61 00  |10.in-addr.arpa.|
00000050  00 0c 00 01                                       |....|

This is in fact a raw Ethernet frame carrying a DNS query, which decodes as:

cc ef 48 00 01 02      Destination MAC (Cisco OUI)
00 50 56 00 01 02      Source MAC (VMware OUI)
08 00                  EtherType: IPv4
45                     IPv4, header length 20 bytes
00                     DSCP/ECN (type of service)
00 46                  Total length: 70
e0 63                  Identification
00 00                  Flags / fragment offset
40                     TTL: 64
11                     Protocol: UDP
84 8f                  Header checksum
4b 94 64 05            Source IP: 75.148.100.5
8c c5 d9 55            Destination IP: 140.197.217.85
7a 69                  Source port: 31337
00 35                  Destination port: 53
00 32                  UDP length: 50
e1 2f                  UDP checksum
1c f7                  Transaction ID
01 00                  Flags: standard query, recursion desired
00 01                  Questions: 1
00 00                  Answer RRs: 0
00 00                  Authority RRs: 0
00 00                  Additional RRs: 0
02 31 33 02 31 32 02 31 31 02 31 30 07 69 6e 2d 61 64 64 72 04 61 72 70 61 00
                       Name: 13.12.11.10.in-addr.arpa
00 0c                  Type: PTR
00 01                  Class: IN
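As an added example (not part of the original write-up), here is a pure-stdlib Python decoder that walks the same Ethernet/IPv4/UDP/DNS layers over the trailing bytes, verifies the IPv4 header checksum so a mis-carved trailer is rejected instead of silently misparsed, and extracts the values needed to replay the query. The trailer bytes are transcribed from the hexdump above.

```python
import struct
from ipaddress import IPv4Address

# Constructed input: the 84 bytes appended to the JPEG, transcribed from the hexdump above.
TRAILER = bytes.fromhex(
    "ccef4800010200505600010208004500" "0046e06300004011848f4b9464058cc5"
    "d9557a6900350032e12f1cf701000001" "00000000000002313302313202313102"
    "313007696e2d61646472046172706100" "000c0001"
)

def ip_checksum_ok(hdr: bytes) -> bool:
    """RFC 1071 one's-complement sum over the header: a valid header folds to 0xffff."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return total == 0xffff

def read_qname(data: bytes, off: int):
    """Decode length-prefixed DNS labels; a query should carry no compression pointers."""
    labels = []
    while data[off] != 0:
        n = data[off]
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(data[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1          # skip the terminating zero byte

def decode_trailer(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> UDP -> DNS question, refusing anything unexpected."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("EtherType is not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or not ip_checksum_ok(ip[:ihl]):
        raise ValueError("bad IPv4 header (version or checksum)")
    if ip[9] != 17:
        raise ValueError("IP protocol is not UDP")
    sport, dport, ulen = struct.unpack("!HHH", ip[ihl:ihl + 6])
    dns = ip[ihl + 8:ihl + ulen]              # strip the 8-byte UDP header
    txid, flags, qdcount = struct.unpack("!HHH", dns[:6])
    qname, off = read_qname(dns, 12)          # question follows the 12-byte DNS header
    qtype, qclass = struct.unpack("!HH", dns[off:off + 4])
    return {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
            "src_ip": str(IPv4Address(ip[12:16])), "dst_ip": str(IPv4Address(ip[16:20])),
            "sport": sport, "dport": dport, "txid": txid, "rd": bool(flags & 0x0100),
            "qdcount": qdcount, "qname": qname, "qtype": qtype, "qclass": qclass}
```

`decode_trailer(TRAILER)` yields destination 140.197.217.85, source port 31337 and the question `13.12.11.10.in-addr.arpa` PTR/IN, matching the manual decode above.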


So we have to replay the same query: send a DNS request to 140.197.217.85 asking for the PTR record of 10.11.12.13 (13.12.11.10.in-addr.arpa), with 31337 as the source port. Scapy can help us:

from scapy.all import IP, UDP, DNS, DNSQR, sr1   # sending raw packets needs root

dnsQuery  = DNSQR(qname="13.12.11.10.in-addr.arpa", qtype="PTR")   # question section
dnsPacket = DNS(rd=1, qd=dnsQuery)                                  # recursion desired, as in the capture
ipPacket  = IP(dst="140.197.217.85")
udpPacket = UDP(sport=31337, dport=53)                              # source port must be 31337
packet    = ipPacket/udpPacket/dnsPacket
dnsAnswer = sr1(packet)                                             # send and wait for one reply
dnsAnswer.summary()
'IP / UDP / DNS Ans "dan.kaminsky.kung.fu." '
