sigred_rce_poc's People
Forkers
xiuyr4 gavz askyeye fuzzheaded opensesamedoors yhzx2013 welltian beerandgin servomekanism freeide elamaran619 mlynchcogent 0xsv1 zha0 witchfindertr skizap killvxk inarcissuss rwincey senanfurkan dlaflotte timb-machine-mirrors z1pti3 imjdl b1scuit-thi3f mfadzilr ashr th3xace sesyi legionxkp jaythespazz infernalheaven readercrap unleashedmen linhlhq stanhardy gh0st0ne anti-ghosts 5l1v3r1 actorexpose n1f2c3 fdlucifer topotam crackercat b4rtik yang-zhiyuan dviros zdy 4v4loon addenial bb33bb excloudx6 laet4x elijahahianyo icodein shoeper-forks gmh5225 kralmimiko werwolfz sokoban khauta yyosefi k4mu5
sigred_rce_poc's Issues
can't reproduce this exploit in a public network environment
Thank you for helping me successfully reproduce this exploit in an experimental environment. But there are still some problems in the public network environment. I let the DNS server be configured by default and followed your steps. But it doesn't work. Sometimes the heap address couldn't be leaked successfully. And another error has been obtained several times: it seems that after obtaining dns!_imp_exit, the address of msvcrt!exit couldn't be leaked successfully. Spontaneous DNS requests from the server could affect the address assigned by the dns!NsecDNSRecordConvert function, could they? Could you reproduce this exploit over the real internet? I hope to find the steps that have been missed.
Thanks!
Setting up over public network
Hello, can you please help me with setting up your script to work over the Internet. I've registered my domain evildomain.com and created a glue DNS record for it, ns1.evildomain.com. And I have one question for you: do I need to set up a real DNS server on my VPS (ns1.evildomain.com), or is launching evildns.py enough for success?
Potential security issue
Hello 👋
I run a security community that finds and fixes vulnerabilities in OSS. A researcher (@jhond0e) has found a potential issue, which I would be eager to share with you.
Could you add a SECURITY.md
file with an e-mail address for me to send further details to? GitHub recommends a security policy to ensure issues are responsibly disclosed, and it would help direct researchers in the future.
Looking forward to hearing from you 👍
(cc @huntr-helper)
cannot import system_arg from payload
I am receiving this error after installing payload-api and running evildns.py. I have searched the init file for references to system_arg, and every other file in the package, but I cannot find the reference to this module. I noticed this is used in a binary concatenation, so it is likely just a string; do you have the string, or are you able to point me to where to find it?
Getting a crash
Hi,
I'm getting the following when attempting to exploit. Any ideas?
─# python3 exploit.py -ip 10.0.2.100 -d vbsigred.com
[!] grooming small buffer size freelist
Waiting for small cached records to be freed
0....5....10....15....20....25....30....35....40....45....50....55....60....65....70....75....80....85....90....95....100....105....110....115....120....125....130....135....140....145....150....155....160..163
[!] doing DNS record heap spray
[!] waiting for target subdomain record to be freed
0....5....10....15....20....25....30....35....40....45....50....55....60....65....70....75....80....85....90....95....100....105....110....115....120..123
[!] triggering realloc and overflow
[!] triggering free for fake timeout object
[!] triggering timeout object allocations
[!] triggering frees for heap ptr leak
[!] triggering heap ptr leak
Traceback (most recent call last):
File "/root/tools/SIGRed_RCE_PoC/exploit.py", line 259, in <module>
main()
File "/root/tools/SIGRed_RCE_PoC/exploit.py", line 255, in main
do_rce(args.ip, args.domain)
File "/root/tools/SIGRed_RCE_PoC/exploit.py", line 117, in do_rce
hl64_bytes = sigs[11].encode('ascii')
IndexError: list index out of range
Errors
IndexError: list index out of range
Error
[!] triggering heap ptr leak
Traceback (most recent call last):
File "/home/jerad/SIGRed_RCE_PoC/exploit.py", line 259, in <module>
main()
File "/home/jerad/SIGRed_RCE_PoC/exploit.py", line 255, in main
do_rce(args.ip, args.domain)
File "/home/jerad/SIGRed_RCE_PoC/exploit.py", line 117, in do_rce
hl64_bytes = sigs[11].encode('ascii')
IndexError: list index out of range
heapleak
Heapleakb64 output:
└─$ cat heapleakb64
Server: 172.16.0.97
Address: 172.16.0.97#53
** server can't find 9.dz.evilcorp.local: NXDOMAIN
Network Time
Less than 15 min
OS:
Server 2012
DNS Bin:
no response in evildns.py and exploit.py throws exception
heapleakb64:
Non-authoritative answer:
*** Can't find 9.dz.[my_evil_domain]: No answer
[!] grooming small buffer size freelist
Waiting for small cached records to be freed
0....5....10....15....20....25....30....35....40....45....50....55....60....65....70....75....80....85....90....95....100....105....110....115....120....125....130....135....140....145....150....155....160..163
[!] doing DNS record heap spray
[!] waiting for target subdomain record to be freed
0....5....10....15....20....25....30....35....40....45....50....55....60....65....70....75....80....85....90....95....100....105....110....115....120..123
[!] triggering realloc and overflow
[!] triggering free for fake timeout object
[!] triggering timeout object allocations
[!] triggering frees for heap ptr leak
[!] triggering heap ptr leak
Traceback (most recent call last):
File "exploit.py", line 221, in <module>
main()
File "exploit.py", line 217, in main
do_rce(args.ip, args.domain)
File "exploit.py", line 96, in do_rce
hl64_bytes = sigs[11].encode('ascii')
IndexError: list index out of range
unpack requires a buffer of 8 bytes
Running on Kali2021 against Server 2016 without patch
[!] triggering free for fake timeout object
[!] triggering timeout object allocations
[!] triggering frees for heap ptr leak
[!] triggering heap ptr leak
Traceback (most recent call last):
File "/SIGRed_RCE_PoC-main/exploit2.py", line 260, in <module>
main()
File "/SIGRed_RCE_PoC-main/exploit2.py", line 256, in main
do_rce(args.ip, args.domain)
File "/SIGRed_RCE_PoC-main/exploit2.py", line 121, in do_rce
heap_ptr = struct.unpack('<Q', data_bytes[33:41])[0]
struct.error: unpack requires a buffer of 8 bytes
Could not Find msvcrt Offset
Hey @chompie1337, thanks for your hard work.
I've been trying to test this exploit in a closed environment (Server 2016, 1607), and each execution (including a restart) triggers a different error. In most cases, it was as previously reported here, with the 8-byte error.
The most recent error I had is as follows:
In addition, I changed the network DNS settings of the server to itself only, and set the timeout interval in the Conditional Forwarder setting from 5 to 1, and this is how I actually went further from the other errors.
I can provide the other error log files as well (heapleak, heapleak64 etc).
EDIT:
Based on the logs, and since I do have exitleak (including a manual check that showed the offset does exist in the offset file), I suspect that the file is not parsed properly, as it's being written using os.command and not native Python.
In addition, testing "pexit & 0xFFF" returns 0, which is super strange.
Thanks a lot!
List Index Out of range
exploit.py [ struct.error: unpack requires a buffer of 8 bytes]
[!] grooming small buffer size freelist
Waiting for small cached records to be freed
0....5....10....15....20....25....30....35....40....45....50....55....60....65....70....75....80....85....90....95....100....105....110....115....120....125....130....135....140....145....150....155....160..163
[!] doing DNS record heap spray
[!] waiting for target subdomain record to be freed
0....5....10....15....20....25....30....35....40....45....50....55....60....65....70....75....80....85....90....95....100....105....110....115....120..123
[!] triggering realloc and overflow
[!] triggering free for fake timeout object
[!] triggering timeout object allocations
[!] triggering frees for heap ptr leak
[!] triggering heap ptr leak
Traceback (most recent call last):
File "exploit.py", line 259, in <module>
main()
File "exploit.py", line 255, in main
do_rce(args.ip, args.domain)
File "exploit.py", line 120, in do_rce
heap_ptr = struct.unpack('<Q', data_bytes[33:41])[0]
struct.error: unpack requires a buffer of 8 bytes
heapleakb64:
Server: *.*.*.*
Address: *.*.*.*#53
Non-authoritative answer:
9.dz.[evildomain] signature = A 5 0 8192 20250715184655 20190715184655 40452 9.dz.[evildomain]. AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAA
Authoritative answers can be found from:
Which build version did you use?
I have tried several different versions of Windows Server 2016, 2012, 2012R2, and 2008. However, it has not been successful. Can you provide the build version of your testbed?
Could not find dns offsets
I am trying the exploit with conditional forwarding.
Output after running exploit.py :
$ sudo python3 exploit.py -ip 192.168.146.136 -d kedar.ee
[!] grooming small buffer size freelist
Waiting for small cached records to be freed
0....5....10....15....20....25....30....35....40....45....50....55....60....65....70....75....80....85....90....95....100....105....110....115....120....125....130....135....140....145....150....155....160..163
[!] doing DNS record heap spray
[!] waiting for target subdomain record to be freed
0....5....10....15....20....25....30....35....40....45....50....55....60....65....70....75....80....85....90....95....100....105....110....115....120..123
[!] triggering realloc and overflow
[!] triggering free for fake timeout object
[!] triggering timeout object allocations
[!] triggering frees for heap ptr leak
[!] triggering heap ptr leak
[+] controllable heap addr: 0x28acd3567d0
[!] waiting for timeout object allocation
0....5....10....15....20....25....30....35....40....45....50....55....60....65....70....75....80....85....90....95....100....105....110....115....120..123
[!] triggering dns!RR_Free addr leak
[-] Could not find dns offsets!
DNS leak 64 file:
Windows version screenshot: