I probably spent a good hour and a half looking at the binary trying to see if something was exploitable (good job!) before I managed to figure out the DNS request part. I only managed to find two bugs:
- You could remove the null terminator on the IP address by writing an address of exactly 16 bytes (e.g. "1111111111111111").
- If you made the Source, Dest, and netmask all 16 bytes, and the Nameserver 3, the renew_client would print an error. This was due to the snprintf before the system() call being truncated.
I did learn an important lesson. If there's an opportunity to put a hostname or IP somewhere, PUT IN AN IP YOU CONTROL.
I ended up using dnsmasq for DNS as I had a server that wasn't running DNS. I'll have to take a look at minidns for next time. I ended up using Python's SimpleHTTPServer:
python -m SimpleHTTPServer 80
And a real simple HTTPS server I found on the web:

```python
# Python 2 script (BaseHTTPServer and SimpleHTTPServer were merged into
# http.server in Python 3, and ssl.wrap_socket was removed in 3.12)
import BaseHTTPServer, SimpleHTTPServer
import ssl

# Serve the current directory on every interface, port 443
httpd = BaseHTTPServer.HTTPServer(('0.0.0.0', 443),
                                  SimpleHTTPServer.SimpleHTTPRequestHandler)
# Wrap the listening socket in TLS; server.pem holds the certificate and key
httpd.socket = ssl.wrap_socket(httpd.socket, certfile='./server.pem',
                               server_side=True)
httpd.serve_forever()
```
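As an added illustration of the two bugs listed in the comment above (this is not code from the commenter or from the challenge binary), the following hypothetical C field handler shows the unterminated 16-byte copy next to a checked version, and a command builder that treats a truncated snprintf as a hard failure instead of passing the buffer on to system(). The field sizes (16 bytes per address), the `route add ...` command format and every function name are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Assumed field sizes for this example: a dotted-quad IPv4 address is at
 * most 15 characters, so a 16-byte field leaves exactly one byte for NUL. */
#define IP_BUF  16
#define CMD_BUF 64

/* Weak pattern: strncpy fills all 16 bytes when the input is 16 characters
 * long and never writes a terminator, so later string reads run off the end. */
void copy_ip_unchecked(char dst[IP_BUF], const char *src) {
    strncpy(dst, src, IP_BUF);
}

/* Hardened form: reject anything that is not a well-formed IPv4 address of
 * at most IP_BUF-1 characters, then copy with a guaranteed terminator. */
bool copy_ip_checked(char dst[IP_BUF], const char *src) {
    struct in_addr tmp;
    size_t len = strlen(src);
    if (len >= IP_BUF)                         /* would not fit with its NUL */
        return false;
    if (inet_pton(AF_INET, src, &tmp) != 1)    /* not a dotted quad */
        return false;
    memcpy(dst, src, len + 1);                 /* copies the terminator too */
    return true;
}

/* Builds a hypothetical command line. snprintf returns the length it wanted
 * to write, so n >= outsz means the output was cut short; the caller must
 * refuse to hand a truncated buffer to system() or popen(). */
bool build_route_cmd(char *out, size_t outsz, const char *src,
                     const char *dst, const char *mask, const char *ns) {
    int n = snprintf(out, outsz, "route add -src %s -dst %s -mask %s -ns %s",
                     src, dst, mask, ns);
    return n >= 0 && (size_t)n < outsz;
}

/* Wrappers that run each routine into a fresh local buffer and report the
 * property of interest, so the behaviour can be checked without a main(). */
bool unchecked_copy_is_terminated(const char *src) {
    char buf[IP_BUF];
    memset(buf, 'X', IP_BUF);                  /* poison: a missing NUL shows up */
    copy_ip_unchecked(buf, src);
    return memchr(buf, '\0', IP_BUF) != NULL;
}

bool checked_copy_accepts(const char *src) {
    char buf[IP_BUF];
    return copy_ip_checked(buf, src);
}

bool route_cmd_fits(const char *addr) {
    char cmd[CMD_BUF];
    return build_route_cmd(cmd, sizeof cmd, addr, addr, addr, addr);
}

int main(void) {
    /* Constructed inputs: a 16-character string and the longest valid IPv4. */
    const char *sixteen = "1111111111111111";
    const char *longest = "255.255.255.255";

    printf("unchecked copy of 16 chars terminated: %d\n",
           unchecked_copy_is_terminated(sixteen));
    printf("checked copy accepts 16 chars: %d\n", checked_copy_accepts(sixteen));
    printf("checked copy accepts %s: %d\n", longest, checked_copy_accepts(longest));
    printf("command with four max-length fields fits in %d bytes: %d\n",
           CMD_BUF, route_cmd_fits(longest));
    printf("command with four short fields fits: %d\n", route_cmd_fits("1.1.1.1"));
    return 0;
}
```

The command-length arithmetic is the part worth internalising: the fixed text of the format string is 33 bytes, so four 15-character addresses need 93 bytes plus a NUL, and a 64-byte buffer silently truncates while snprintf still "succeeds". Checking its return value against the buffer size, rather than only for a negative result, is what turns that into a refused operation instead of a mangled command.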