
PoC details: c921b41c86102a1175a186f2cd376e879ba8da85

Source
Related vulnerability
Title: Microsoft Windows DNS Server input validation error vulnerability (CVE-2020-1350)
Description: Microsoft Windows is an operating system for personal devices from the US company Microsoft. Microsoft Windows DNS Server has an input validation error vulnerability that stems from the program failing to handle requests correctly. An attacker can exploit it by sending malicious requests to run arbitrary code in the context of the Local System account. The following products and versions are affected: Windows Server 2008 SP2, Windows Server 2008 R2 SP1, Windows Server 2012, Windows Server 2012 R2, Windo
Description
Denial of Service PoC for CVE-2020-1350 (SIGRed)
Introduction
# CVE-2020-1350 SIGRed Denial of Service PoC Exploit

This repo has my version of a DoS PoC exploit for the SIGRed vulnerability disclosed by MS and Check Point Research on July 14th, 2020.

@maxpl0it also wrote a PoC that he published on July 15th, but I structured my exploit a little differently than they did, so I thought it still presented value to release this for blue teams to increase their detection capabilities and provide another piece of data to test against.

This repo also has a PCAP for what this exploit looks like on the network.

## Lab Environment

I tried rigging up the necessary domains to do this publicly but had some issues getting NS records to sync properly so I set this up internally in the DNS Service. So far as I'm aware, this shouldn't affect the efficacy of the exploit.

* Add a hosts file entry for your rogue DNS server (e.g. `dnsexploitvm.lan` in `C:\Windows\System32\drivers\etc\hosts`)
* Set up a Windows Server VM with the DNS Role
* Add a new zone for a TLD (I used `lol` because I didn't care about hijacking that TLD locally)
* Change the NS and SOA for that domain to your rogue DNS server (SOA might not be necessary)
* Add a new delegated zone in your TLD (e.g. `hax.lol`), and set the NS as your rogue DNS server

## Running the Exploit

Before running the script, make sure to set the `DNS_SERVER_ADDR` tuple at the top of the script to your proper IP address, and install the dependencies (`dnspython`).

Then, run the script (Python 3 only):

```
$ sudo ./cve-2020-1350-dos.py [victim DNS server] [DNS record]
```

I did my testing with `9.hax.lol`, and it has been pretty reliable. Longer domain names and records with many labels don't work as well.

Sample script output:

```
$ sudo ./exploit.py 192.168.117.36 9.hax.lol
UDP server waiting for connection
TCP server waiting for connection
making DNS SIG request to 192.168.117.36: 9.hax.lol
got UDP connection from 192.168.117.36:54721
sending UDP response (len=27)
got TCP connection from 192.168.117.36:49804
sending TCP response (len=65523)
```
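As an added example (not part of this repo), a small Python check a blue team could run over DNS-over-TCP messages like the one in the output above: it decodes the 2-byte length prefix, header and question section with the standard library only and flags a response that exceeds 0xFF00 bytes (the value Microsoft's `TcpReceivePacketSize` workaround caps TCP messages at) or that answers a SIG query. The sample message is constructed inline and padded to the 65523 bytes seen above; `TCP_SIZE_CAP`, `inspect_tcp_response` and `build_sample` are names chosen here.

```python
import struct

SIG_QTYPE = 24          # RR type SIG, the record type the PoC above queries for
TCP_SIZE_CAP = 0xFF00   # 65280: value of Microsoft's TcpReceivePacketSize workaround

def parse_name(msg, off):
    """Decode an uncompressed wire-format name at msg[off]; return (name, offset after it)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n

def parse_question(msg):
    """Return (qname, qtype, header flags) from a DNS message's header and first question."""
    _id, flags, qdcount = struct.unpack(">HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    qname, off = parse_name(msg, 12)
    qtype, _qclass = struct.unpack(">HH", msg[off:off + 4])
    return qname, qtype, flags

def inspect_tcp_response(stream):
    """Check one DNS-over-TCP message (2-byte length prefix + message); return findings."""
    (length,) = struct.unpack(">H", stream[:2])
    msg = stream[2:2 + length]
    qname, qtype, flags = parse_question(msg)
    findings = []
    if not flags & 0x8000:               # QR bit clear: a query, nothing to flag
        return findings
    if length > TCP_SIZE_CAP:
        findings.append(f"oversized TCP DNS response ({length} bytes > {TCP_SIZE_CAP}) for {qname}")
    if qtype == SIG_QTYPE:
        findings.append(f"response to SIG query for {qname}")
    return findings

def build_sample(qname, qtype, total_len, flags=0x8000):
    """Constructed test message: header + question, zero-padded to total_len (stands in for RR
    data the checker does not parse), with the TCP length prefix prepended."""
    name = b"".join(bytes([len(lab)]) + lab.encode() for lab in qname.split(".")) + b"\x00"
    msg = struct.pack(">HHHHHH", 0x1234, flags, 1, 0, 0, 0) + name + struct.pack(">HH", qtype, 1)
    msg += b"\x00" * (total_len - len(msg))
    return struct.pack(">H", len(msg)) + msg
```

Header plus question for `9.hax.lol` comes to exactly the 27 bytes of the UDP response above, so `build_sample("9.hax.lol", SIG_QTYPE, 27)` reproduces that message's framing as well.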

![PoC GIF](poc.gif)

A couple weird things to be aware of:

* You may need to run the script twice
* The script may leave some hanging TCP connections with the victim DNS server, I think due to how the DNS service is crashing. If you figure out how to fix this, please ping me on Twitter ([@captainGeech42](https://twitter.com/captainGeech42)) or submit a PR.

## Credits

* The original vulnerability being exploited here was discovered by [Check Point Research](https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/)
* I also referenced [@maxpl0it's PoC](https://github.com/maxpl0it/CVE-2020-1350-DoS) to speed up debugging an issue with my exploit
File snapshot

```
[4.0K] /data/pocs/c921b41c86102a1175a186f2cd376e879ba8da85
├── [6.1K] exploit.py
├── [2.3M] poc.gif
├── [2.7K] README.md
├── [  10] requirements.txt
└── [ 65K] sigred-dos-poc.pcapng

0 directories, 5 files
```