control ntp and dns queries too

Author: BoLaMN

package.json

@@ -1,6 +1,6 @@
 {
   "name": "tch-exploit",
-  "version": "2.0.0-b7",
+  "version": "2.0.0-rc1",
   "main": "dist/index.js",
   "bin": "dist/index.js",
   "scripts": {

src/dns.coffee

@@ -0,0 +1,305 @@
+{ EventEmitter } = require'events'
+{ createSocket } = require('dgram')
+{ isIPv6 } = require('net')
+
+dns = require('dns')
+
+bitSlice = (b, offset, length) ->
+  b >>> 7 - (offset + length - 1) & ~(0xff << length)
+
+bufferify = (ip) ->
+  if isIPv6 ip
+    bufferifyV6 ip
+  else bufferifyV4 ip
+
+bufferifyV4 = (ip) ->
+  ip = ip.split('.').map (n) -> parseInt n, 10
+
+  result = 0
+  base = 1
+
+  i = ip.length - 1
+
+  while i >= 0
+    result += ip[i] * base
+    base *= 256
+    i--
+
+  buf = Buffer.alloc(4)
+  buf.writeUInt32BE result
+  buf
+
+bufferifyV6 = (rawIp) ->
+
+  countColons = (x) ->
+    n = 0
+    x.replace /:/g, (c) -> n++
+    n
+
+  ip = rawIp.replace(/\/\d{1,3}(?=%|$)/, '').replace(/%.*$/, '')
+
+  hexIp = ip
+    .replace /::/, (two) -> ':' + Array(7 - countColons(ip) + 1).join(':') + ':'
+    .split ':'
+    .map (x) -> Array(4 - (x.length)).fill('0').join('') + x
+    .join('')
+
+  Buffer.from hexIp, 'hex'
+
+domainify = (qname) ->
+  parts = []
+
+  i = 0
+
+  while i < qname.length and qname[i]
+    length = qname[i]
+    offset = i + 1
+    parts.push qname.slice(offset, offset + length).toString()
+
+    i = offset + length
+
+  parts.join '.'
+
+qnameify = (domain) ->
+  qname = Buffer.alloc(domain.length + 2)
+  offset = 0
+
+  domain = domain.split('.')
+
+  i = 0
+
+  while i < domain.length
+    qname[offset] = domain[i].length
+    qname.write domain[i], offset + 1, domain[i].length, 'ascii'
+
+    offset += qname[offset] + 1
+    i++
+
+  qname[qname.length - 1] = 0
+  qname
+
+functionify = (val) ->
+  (addr, callback) ->
+    callback null, val
+
+parse = (buf) ->
+  header = {}
+  question = {}
+
+  b = buf.slice(2, 3).toString('binary', 0, 1).charCodeAt(0)
+
+  header.id = buf.slice(0, 2)
+  header.qr = bitSlice(b, 0, 1)
+  header.opcode = bitSlice(b, 1, 4)
+  header.aa = bitSlice(b, 5, 1)
+  header.tc = bitSlice(b, 6, 1)
+  header.rd = bitSlice(b, 7, 1)
+
+  b = buf.slice(3, 4).toString('binary', 0, 1).charCodeAt(0)
+
+  header.ra = bitSlice(b, 0, 1)
+  header.z = bitSlice(b, 1, 3)
+  header.rcode = bitSlice(b, 4, 4)
+  header.qdcount = buf.slice(4, 6)
+  header.ancount = buf.slice(6, 8)
+  header.nscount = buf.slice(8, 10)
+  header.arcount = buf.slice(10, 12)
+
+  question.qname = buf.slice(12, buf.length - 4)
+  question.qtype = buf.slice(buf.length - 4, buf.length - 2)
+  question.qclass = buf.slice(buf.length - 2, buf.length)
+
+  { header, question }
+
+responseBuffer = (query) ->
+  question = query.question
+  header = query.header
+  qname = question.qname
+
+  offset = 16 + qname.length
+
+  length = offset
+  i = 0
+
+  while i < query.rr.length
+    length += query.rr[i].qname.length + 10
+    i++
+
+  buf = Buffer.alloc(length)
+
+  header.id.copy buf, 0, 0, 2
+
+  buf[2] = 0x00 | header.qr << 7 | header.opcode << 3 | header.aa << 2 | header.tc << 1 | header.rd
+  buf[3] = 0x00 | header.ra << 7 | header.z << 4 | header.rcode
+
+  buf.writeUInt16BE header.qdcount, 4
+  buf.writeUInt16BE header.ancount, 6
+  buf.writeUInt16BE header.nscount, 8
+  buf.writeUInt16BE header.arcount, 10
+
+  qname.copy buf, 12
+
+  question.qtype.copy buf, 12 + qname.length, question.qtype, 2
+  question.qclass.copy buf, 12 + qname.length + 2, question.qclass, 2
+
+  i = 0
+
+  while i < query.rr.length
+    rr = query.rr[i]
+    rr.qname.copy buf, offset
+    offset += rr.qname.length
+    buf.writeUInt16BE rr.qtype, offset
+    buf.writeUInt16BE rr.qclass, offset + 2
+    buf.writeUInt32BE rr.ttl, offset + 4
+    buf.writeUInt16BE rr.rdlength, offset + 8
+    buf = Buffer.concat([
+      buf
+      rr.rdata
+    ])
+    offset += 14
+    i++
+  buf
+
+response = (query, ttl, to) ->
+  response = {}
+
+  header = response.header = {}
+  question = response.question = {}
+  rrs = resolve(query.question.qname, ttl, to)
+
+  header.id = query.header.id
+  header.ancount = rrs.length
+  header.qr = 1
+  header.opcode = 0
+  header.aa = 0
+  header.tc = 0
+  header.rd = 1
+  header.ra = 0
+  header.z = 0
+  header.rcode = 0
+  header.qdcount = 1
+  header.nscount = 0
+  header.arcount = 0
+
+  question.qname = query.question.qname
+  question.qtype = query.question.qtype
+  question.qclass = query.question.qclass
+
+  response.rr = rrs
+
+  responseBuffer response
+
+resolve = (qname, ttl, to) ->
+  r = {}
+  r.qname = qname
+  r.qtype = if to.length == 4 then 1 else 28
+
+  r.qclass = 1
+  r.ttl = ttl
+  r.rdlength = to.length
+  r.rdata = to
+
+  [ r ]
+
+lookup = (addr, callback) ->
+  if net.isIP(addr)
+    return callback(null, addr)
+
+  dns.lookup addr, callback
+
+class Server extends EventEmitter
+  constructor: (proxy = '8.8.8.8') ->
+    super
+
+    @_socket = createSocket if isIPv6(proxy) then 'udp6' else 'udp4'
+
+    routes = []
+
+    @_socket.on 'message', (message, rinfo) =>
+      query = parse message
+      domain = domainify query.question.qname
+
+      routeData = { domain, rinfo }
+
+      @emit 'resolve', routeData
+
+      respond = (buf) =>
+        @_socket.send buf, 0, buf.length, rinfo.port, rinfo.address
+
+      onerror = (err) =>
+        @emit 'error', err
+
+      onproxy = ->
+        sock = createSocket if isIPv6(proxy) then 'udp6' else 'udp4'
+        sock.send message, 0, message.length, 53, proxy
+
+        sock.on 'error', onerror
+
+        sock.on 'message', (response) ->
+          respond response
+          sock.close()
+
+      i = 0
+
+      while i < routes.length
+        if routes[i].pattern.test(domain)
+          route = routes[i].route
+          break
+        i++
+
+      if not route
+        return onproxy()
+
+      route routeData, (err, to) =>
+        if typeof to == 'string'
+          toIp = to
+          ttl = 1
+        else
+          toIp = to.ip
+          ttl = to.ttl
+
+        if err
+          return onerror(err)
+
+        if !toIp
+          return onproxy()
+
+        lookup toIp, (err, addr) =>
+          if err
+            return onerror(err)
+
+          @emit 'route', domain, addr
+
+          respond response(query, ttl, bufferify(addr))
+
+  route: (pattern, route) ->
+    if Array.isArray pattern
+      pattern.forEach (item) =>
+        @route item, route
+
+      return @
+
+    if typeof pattern == 'function'
+      return @route('*', pattern)
+
+    if typeof route == 'string'
+      return @route(pattern, functionify(route))
+
+    pattern = if pattern is '*'
+      /.?/
+    else
+      new RegExp('^' + pattern.replace(/\./g, '\\.').replace(/\*\\\./g, '(.+)\\.') + '$', 'i')
+
+    routes.push { pattern, route }
+
+    @
+
+  listen: (port) ->
+    @@_socket.bind port or 53
+
+    @
+
+  close: (callback) ->
+    @@_socket.close callback
+
+    @

src/ntp/index.coffee

@@ -0,0 +1,73 @@
+'use strict'
+
+Packet = require './packet'
+
+{ createSocket } = require 'dgram'
+{ EventEmitter } = require 'events'
+
+class NTP extends EventEmitter
+
+  constructor: (options, callback) ->
+    if typeof options is 'function'
+      callback = options
+      options = {}
+
+    Object.assign @, {
+      server: 'pool.ntp.org'
+      port: 123
+    }, options
+
+    @socket = new createSocket 'udp4'
+
+    if typeof callback is 'function'
+      @time callback
+
+  time: (callback) ->
+    { server, port, timeout } = @
+
+    packet = NTP.createPacket()
+
+    @socket.send packet, 0, packet.length, port, server, (err) =>
+      if err
+        return callback err
+
+      @socket.once 'message', (data) ->
+        @socket.close()
+
+        message = NTP.parse(data)
+
+        callback err, message
+
+    @
+
+  @time: (options, callback) ->
+    new NTP(options, callback)
+
+  @createPacket: ->
+    packet = new Packet
+    packet.mode = Packet.MODES.CLIENT
+    packet.originateTimestamp = Date.now()
+    packet.toBuffer()
+
+  @parse: (buffer) ->
+    message = Packet.parse(buffer)
+    message.destinationTimestamp = Date.now()
+    message.time = new Date(message.transmitTimestamp)
+
+    T1 = message.originateTimestamp
+    T2 = message.receiveTimestamp
+    T3 = message.transmitTimestamp
+    T4 = message.destinationTimestamp
+
+    message.d = T4 - T1 - (T3 - T2)
+    message.t = (T2 - T1 + T3 - T4) / 2
+    message
+
+exports.Client = NTP
+
+exports.Server = require './server'
+
+exports.createServer = (options) ->
+  new exports.Server options
+
+module.exports = NTP