
CVE-2020-1350 SIGRed Denial of Service PoC Exploit

This repo contains my version of a DoS PoC exploit for the SIGRed vulnerability (CVE-2020-1350) disclosed by Microsoft and Check Point Research on July 14th, 2020.

@maxpl0it also wrote a PoC, published on July 15th, but I structured my exploit a little differently than they did, so I thought it was still worth releasing this for blue teams to improve their detection capabilities and to provide another piece of data to test against.

This repo also has a PCAP for what this exploit looks like on the network.

Lab Environment

I tried setting up the necessary domains to do this publicly but had some issues getting NS records to sync properly, so I set this up internally in the DNS Service. As far as I'm aware, this shouldn't affect the efficacy of the exploit.

  • Add a hosts file entry for your rogue DNS server (e.g. dnsexploitvm.lan in C:\Windows\System32\drivers\etc\hosts)
  • Set up a Windows Server VM with the DNS Role
  • Add a new zone for a TLD (I used lol because I didn't care about hijacking that TLD locally)
  • Change the NS and SOA for that domain to your rogue DNS server (SOA might not be necessary)
  • Add a new delegated zone in your TLD (e.g. hax.lol), and set the NS to your rogue DNS server

Running the Exploit

Before running the script, make sure to set the DNS_SERVER_ADDR tuple at the top of the script to contain your correct IP address, and install the dependencies (dnspython).

Then, run the script (Python 3 only):

$ sudo ./cve-2020-1350-dos.py [victim DNS server] [DNS record]

I did my testing with 9.hax.lol, and it has been pretty reliable. Longer domain names and records with many labels don't work as well.

Sample script output:

$ sudo ./exploit.py 192.168.117.36 9.hax.lol
UDP server waiting for connection
TCP server waiting for connection
making DNS SIG request to 192.168.117.36: 9.hax.lol
got UDP connection from 192.168.117.36:54721
sending UDP response (len=27)
got TCP connection from 192.168.117.36:49804
sending TCP response (len=65523)
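For the blue-team use case mentioned above, here is an added example (not code from this repo) that parses a DNS-over-TCP message and flags the pattern visible in the sample output: a SIG response whose 2-byte length prefix is near the 64 KB maximum. The `LENGTH_THRESHOLD` value and the `build_sample` fixture are assumptions for illustration; the fixture only zero-pads a header and question section and carries no real answer data.

```python
import struct

SIG_QTYPE = 24            # RR type SIG (RFC 2535), the record type the PoC queries for
LENGTH_THRESHOLD = 65000  # assumed alert threshold; the README's sample shows len=65523

def parse_name(buf, off):
    """Decode a DNS name (handles compression pointers); return (labels, next_offset)."""
    labels = []
    while True:
        ln = buf[off]
        if ln == 0:
            return labels, off + 1
        if ln & 0xC0 == 0xC0:  # pointer to an earlier name in the message
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            sub, _ = parse_name(buf, ptr)
            return labels + sub, off + 2
        off += 1
        labels.append(buf[off:off + ln].decode("ascii", "replace"))
        off += ln

def inspect_tcp_dns(payload):
    """Parse one DNS-over-TCP message (2-byte length prefix) and flag oversized SIG responses."""
    if len(payload) < 2:
        return None
    (msg_len,) = struct.unpack("!H", payload[:2])
    msg = payload[2:2 + msg_len]
    if len(msg) < 12:
        return None
    _tid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qdcount < 1:
        return None
    qname, off = parse_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    is_response = bool(flags & 0x8000)  # QR bit set means this is a response
    return {"len": msg_len, "qname": ".".join(qname), "qtype": qtype, "response": is_response,
            "suspicious": is_response and qtype == SIG_QTYPE and msg_len >= LENGTH_THRESHOLD}

def build_sample(qname, qtype, total_len, response=True):
    """Constructed fixture (not real exploit traffic): header + one question, zero-padded to total_len."""
    flags = 0x8180 if response else 0x0100
    header = struct.pack("!HHHHHH", 0x1337, flags, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    body = header + name + struct.pack("!HH", qtype, 1)
    body += b"\x00" * (total_len - len(body))
    return struct.pack("!H", len(body)) + body

if __name__ == "__main__":
    # Mirrors the "sending TCP response (len=65523)" line from the sample output above
    print(inspect_tcp_dns(build_sample("9.hax.lol", SIG_QTYPE, 65523)))
```

On a live capture the same function can be applied to the TCP payload of each server-to-client DNS segment, including the PCAP shipped in this repo.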

PoC GIF

A couple weird things to be aware of:

  • You may need to run the script twice
  • The script may leave some hanging TCP connections with the victim DNS server, I think due to how the DNS service is crashing. If you figure out how to fix this please ping me on Twitter (@captainGeech42) or submit a PR.

Credits