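/*
 *                                 .   .
 *                              _( (_) )_    _________    ________
 *                      <----, / _____//  _____//  _____/
 *                      <-----====\_____ \=\_____ \/    \========== RELEASE
 *                      <----'  /        \/        \  \_\        \
 *                             /_______  /_______  /\______      /
 *                             /\___________\/________\/_______/ /
 *                            /_________________________________/
 *
 * spoon.c - (ab)use dig.cgi to proxy DNS dig requests
 * (c) 2000 obecian
 *
 * Why spoon? Sorta a cross between spoof and a tool that can be used
 * to "dig" -- I happened to be watching the movie Top Secret at the
 * time of this writing -- so the name stuck.
 *
 * This little util was written cuz I got tired of pulling up a web
 * browser to bounce dig queries off the ever-so-handy dig.cgi script.
 * Also many hackers hunt through dns prior to using common techniqz such
 * as wingate to bounce further connections. However, if the victim
 * seldom gets traffic (hping and watch ip id's) the ip of the shell you
 * are using naturally will start the process of the remaining traffic.
 * Why give out your ip (or your hacked shell) when you don't have to.
 *
 * --
 * "Do not try and bend the spoon. That's impossible. Instead, only try to
 * realize the truth."
 * "What truth?"
 * "There is no spoon."
 * "There is no spoon?"
 * "Then you'll see that it is not the spoon that bends, it is only yourself."
 * -- Little boy with spoon and Neo, "The Matrix"
 *
 */

/* Feature-test macros: getopt()/ssize_t need POSIX, herror() needs the
 * BSD/glibc extensions, and both are hidden under a strict -std=c11. */
#define _POSIX_C_SOURCE 200809L
#define _DEFAULT_SOURCE 1

#define TITLE "spoon - (ab)use dig.cgi to proxy DNS dig requests"
#define CODER "(c) 2000 obecian "

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Default dig.cgi host, used when -p is not given. */
#define DEFAULT_PROXY "www.ip-plus.ch"

enum { BUFFER_SIZE = 1024 };

/*
 * Print the command-line help for argv[0] = arg and terminate.
 * Exits with status -1 (kept from the original); never returns.
 */
void usage(char *arg)
{
    printf("usage: %s \n"
           "<-v victim> domain (eg. victim.com)\n"
           "[-t dns record type {any, mx, a, ns, soa}] (default: any)\n"
           "[-n victim's nameserver]\n"
           "[-p dig proxy] (default: www.ip-plus.ch)\n\n", arg);
    printf("eg. spoon -v victim.com > victim-dig.html;\n"
           " w3m victim-dig.html (or lynx or netscape)\n\n");
    exit(-1);
}

/*
 * Format the HTTP/1.0 request for dig.cgi into buf (size bytes).
 *
 * victim, ns_type, nameserver and proxy are copied into the request as
 * given: there is no percent-encoding, so characters such as '&', '#' or
 * whitespace in an argument change the query rather than being quoted.
 * The Host: header follows proxy so that a server picked with -p sees a
 * header that matches the connection.
 *
 * Returns the request length on success, or -1 when the request does not
 * fit (snprintf would have truncated it) or snprintf fails; a truncated
 * request must never be sent.
 */
static int build_request(char *buf, size_t size, const char *victim,
                         const char *ns_type, const char *nameserver,
                         const char *proxy)
{
    int n = snprintf(buf, size,
                     "GET /cgi-bin/dig.cgi?action=process&domain=%s&type=%s&atserver=%s HTTP/1.0\r\n"
                     "Host: %s\r\n"
                     "Referer: http://%s/cgi-bin/dig.cgi\r\n"
                     "User-Agent: spoon-SSG/31337\r\n\r\n",
                     victim, ns_type, nameserver, proxy, proxy);
    if (n < 0 || (size_t)n >= size) {
        return -1;
    }
    return n;
}

/*
 * Write exactly len bytes from p to fd, retrying on short writes.
 * Returns 0 on success, -1 on error (errno set by write()).
 */
static int write_all(int fd, const char *p, size_t len)
{
    size_t off = 0;
    while (off < len) {
        ssize_t n = write(fd, p + off, len - off);
        if (n < 0) {
            return -1;
        }
        off += (size_t)n;
    }
    return 0;
}

/*
 * Parse options, resolve and connect to the dig proxy on port 80, send the
 * dig.cgi request and copy the raw HTTP response to stdout.
 * Exits -1 on any error, 0 on success.
 */
int main(int argc, char **argv)
{
    int opt;
    int sock;
    int len;
    ssize_t n;
    struct sockaddr_in sin;
    struct hostent *he;
    char buffer[BUFFER_SIZE];
    char *victim = NULL;
    char *ns_type = "any";
    char *nameserver = "";
    char *proxy = DEFAULT_PROXY;

    putchar('\n');
    puts(TITLE);
    puts(CODER);
    putchar('\n');
    if (argc < 2) {
        usage(argv[0]);
    }

    opterr = 0;
    while ((opt = getopt(argc, argv, "v:t:n:p:")) != -1) {
        switch (opt) {
        case 'v':
            victim = optarg;
            break;
        case 't':
            ns_type = optarg;
            break;
        case 'n':
            nameserver = optarg;
            break;
        case 'p':
            /* use the default unless you know a uniq dig proxy */
            proxy = optarg;
            break;
        case '?':
        default:
            usage(argv[0]);
            break;
        }
    }
    /* -v is mandatory: without this check an unset pointer reached snprintf. */
    if (victim == NULL) {
        usage(argv[0]);
    }

    /* Build the request before touching the network so an over-long
     * argument fails fast and nothing truncated is ever sent. */
    len = build_request(buffer, sizeof buffer, victim, ns_type, nameserver, proxy);
    if (len < 0) {
        fprintf(stderr, "request does not fit in %zu bytes\n", sizeof buffer);
        exit(-1);
    }

    if ((he = gethostbyname(proxy)) == NULL) {
        herror("gethostbyname");
        exit(-1);
    }
    /* Only an IPv4 address can be copied into sin_addr. */
    if (he->h_addrtype != AF_INET || (size_t)he->h_length != sizeof sin.sin_addr
        || he->h_addr_list[0] == NULL) {
        fprintf(stderr, "gethostbyname: no IPv4 address for %s\n", proxy);
        exit(-1);
    }

    if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        perror("socket");
        exit(-1);
    }

    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(80);
    /* memcpy instead of a cast: h_addr_list entries are not necessarily
     * aligned for struct in_addr. */
    memcpy(&sin.sin_addr, he->h_addr_list[0], sizeof sin.sin_addr);

    printf("-=- Connecting to DIG proxy... ");
    fflush(stdout);
    if (connect(sock, (struct sockaddr *)&sin, sizeof sin) == -1) {
        perror("connect");
        close(sock);
        exit(-1);
    }
    printf("Connected!\n");

    printf("-=- Throwing request at %s... ", proxy);
    fflush(stdout);
    /* Send only the formatted bytes: sending sizeof(buffer) shipped the
     * uninitialised tail of the stack buffer to the remote host. */
    if (write_all(sock, buffer, (size_t)len) < 0) {
        perror("write");
        close(sock);
        exit(-1);
    }
    printf("Caught!\n\n");
    /* The response goes out via write(2); flush stdio first so the banner
     * is not reordered after the response when stdout is a file. */
    fflush(stdout);

    /* read() returns -1 on error; treating that as "more data" would loop
     * forever and pass a huge length to write(). */
    while ((n = read(sock, buffer, sizeof buffer)) != 0) {
        if (n < 0) {
            perror("read");
            close(sock);
            exit(-1);
        }
        if (write_all(STDOUT_FILENO, buffer, (size_t)n) < 0) {
            perror("write");
            close(sock);
            exit(-1);
        }
    }
    close(sock);
    exit(0);
}

/* www.hack.co.za [2000]*/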