CVE-2020-1350 (SIGRed) - Windows DNS DoS Exploit

Credit for the bug goes entirely to Check Point Research (@_cpresearch_), who did an incredible writeup of this bug (props to @sagitz_ for the post). Their writeup can be found here.

This exploit was written by @maxpl0it

Quick summary of how it works:

  1. On the LAN you trigger a DNS request (more specifically, a request for the SIG records) for an evil domain (for example 9.evil_domain.com)
  2. This gets sent to the vulnerable Windows server's DNS server
  3. The vulnerable server sends a request to whatever DNS server it forwards requests to (usually the standard Google IPs)
  4. The Google DNS server responds with the nameservers for the evil domain
  5. The vulnerable server then acts as a DNS client and sends a request to the evil DNS server
  6. The evil server responds with a payload that overflows a 2-byte number, causing a smaller allocation to take place than is required
  7. The signature is copied over and things break (of course), crashing the vulnerable server's DNS server
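Step 6 is the part a defender can look for: a SIG answer whose RDATA is large enough that a 16-bit size no longer fits. The following detector is an added example (not code from this repository or from Check Point Research): it parses a DNS response, handles compressed names, and flags SIG records whose RDLENGTH plus decompressed signer name exceeds a limit. The limit of 0xFF00 is the TCP message ceiling Microsoft's registry workaround (TcpReceivePacketSize) applies; using it per record is an assumption made here, an approximation of the server's own size computation, which the README does not describe. The sample response and the name 9.example.test are constructed for the test.

```python
import struct

SIG_TYPE = 24  # RR type SIG (RFC 2535), the record type the PoC serves
# 0xFF00: Microsoft's TcpReceivePacketSize workaround ceiling; leaves 0xFF headroom below 0xFFFF
SAFE_LIMIT = 0xFF00

def read_name(msg, off):
    """Walk a possibly compressed name; return (wire_len, expanded_len)."""
    wire_len = expanded = hops = 0
    jumped = False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                   # 2-byte compression pointer
            wire_len += 0 if jumped else 2
            jumped, hops = True, hops + 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        wire_len += 0 if jumped else 1 + length
        expanded += 1 + length                      # length byte + label/terminator
        off += 1 + length
        if length == 0:
            return wire_len, expanded

def oversized_sig_records(msg, limit=SAFE_LIMIT):
    """Return [(answer_index, rdlength, modelled_size)] for SIG answers whose
    RDLENGTH + decompressed signer name exceeds 'limit' (an approximation)."""
    qd, an = struct.unpack_from("!HH", msg, 4)
    off = 12
    for _ in range(qd):
        off += read_name(msg, off)[0] + 4           # QNAME, QTYPE, QCLASS
    findings = []
    for i in range(an):
        off += read_name(msg, off)[0]
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == SIG_TYPE:                       # 18 fixed bytes, then signer name
            modelled = rdlen + read_name(msg, off + 18)[1]
            if modelled > limit:
                findings.append((i, rdlen, modelled))
        off += rdlen
    return findings

def build_sample(rdlen):
    """Constructed response: one SIG answer for 9.example.test, signer name points at 'example.test'."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = b"\x019\x07example\x04test\x00" + struct.pack("!HH", SIG_TYPE, 1)
    rr_hdr = b"\xC0\x0C" + struct.pack("!HHIH", SIG_TYPE, 1, 3600, rdlen)
    rdata = struct.pack("!HBBIIIH", 1, 5, 2, 3600, 0, 0, 0) + b"\xC0\x0E"
    return hdr + question + rr_hdr + rdata + b"\x00" * (rdlen - len(rdata))
```

Feed `oversized_sig_records` the payload of a TCP DNS response (after the 2-byte length prefix) at a resolver or IDS tap; a normal SIG answer returns an empty list, while one near the 64 KB ceiling is reported with its modelled size.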

General Setup:

  • This exploit requires you to set up a domain with its own nameservers pointing to your server.
  • Set up the server and run this script. It will listen on port 53 on both TCP and UDP.
  • If you get an error saying that the ports are busy, use netstat -pa to figure out what's listening on the domain (53) ports (probably systemd-resolved) and disable and stop it. If nothing's listening on the server, make sure you killed all instances of this script before re-running.

For example, I ran python sigred_dos.py ibrokethe.net to start the malicious DNS server.

Testing Setup:

If you have access to the Windows server, you can configure a conditional forwarder to point ibrokethe.net to the IP address of the host running the script. This effectively skips steps 3 & 4 in the summary.

Execution:

In order to trigger the vulnerability on the Windows DNS server, run nslookup -type=sig 9.your_domain_name_here dns_server_to_target. The subdomain '9' is indeed required here. You do not have to make any domain record changes for this, since the script deals with it.

As an example: I ran nslookup -type=sig 9.ibrokethe.net 127.0.0.1 as I was running this on the server.
