chompie1337 / SIGRed_RCE_PoC


can't reproduce this exploit in a public network environment #3

Closed kitty-yt closed 3 years ago

kitty-yt commented 3 years ago

Thank you for helping me successfully reproduce this exploit in an experimental environment. But there are still some problems in the public network environment. I left the DNS server at its default configuration and followed your steps, but it doesn't work. Sometimes the heap address couldn't be leaked successfully. Another error has been obtained several times: it seems that after obtaining dns!_imp_exit, the address of msvcrt!exit couldn't be leaked successfully. Could spontaneous DNS requests from the server affect the address assigned by the dns!NsecDNSRecordConvert function? Could you reproduce this exploit over the real internet? I hope to find the steps that I have missed.

Thanks!

chompie1337 commented 3 years ago

Hi. Yes, this has been tested and works over the real internet. There was one change made to make it work, as I was experiencing some issues that sound similar to yours. Can you try with the new version? Note that if you are testing on a busy Windows DNS server it will probably be less reliable.

"it seems that after obtaining dns!_imp_exit, the address of msvcrt!exit couldn't be leaked successfully." - This was the exact issue I was experiencing, and I pushed up a fix yesterday.

Make sure your nameserver is registered as ns1.[yourevildomain].
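The maintainer's last note is the precondition a practitioner should verify before blaming reliability: the target server must be able to resolve the attacker's domain to a nameserver called ns1.[yourevildomain], which means the public delegation has to carry an NS record for that name and a glue A record for the host actually running the PoC. The script below is an added example, not code from the SIGRed_RCE_PoC repository: it builds a wire-format NS query, parses a DNS response (including compression pointers) and reports whether the delegation and glue match what the PoC expects. The domain `evil.example`, the address `198.51.100.7` and the embedded response packet are constructed for illustration; `query_live` is the only part that touches the network and is not needed to run the check on a captured response.

```python
"""Check that <domain> is delegated to ns1.<domain> with glue for the host you control.
Added example (not part of SIGRed_RCE_PoC); domain, IP and packet below are constructed."""
import socket
import struct

QTYPE_A, QTYPE_NS, QCLASS_IN = 1, 2, 1


def encode_name(name: str) -> bytes:
    """Dotted hostname -> DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1337) -> bytes:
    """Standard recursion-desired query: header, one question, no EDNS."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, QCLASS_IN)


def decode_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # RFC 1035 compression pointer
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off, hops = True, ptr, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels).lower(), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg: bytes) -> dict:
    """Parse header and all sections into {'rcode', 'answer', 'authority', 'additional'}."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4
    sections = {"answer": [], "authority": [], "additional": []}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            if rtype == QTYPE_NS:
                value, _ = decode_name(msg, off)  # target may be compressed
            elif rtype == QTYPE_A and rdlen == 4:
                value = socket.inet_ntoa(rdata)
            else:
                value = rdata.hex()
            sections[sec].append((owner, rtype, value))
            off += rdlen
    return {"txid": txid, "rcode": flags & 0xF, **sections}


def check_delegation(response: bytes, domain: str, expected_ip: str) -> dict:
    """True/False for: NS record names ns1.<domain>; glue A for ns1.<domain> is expected_ip."""
    parsed = parse_response(response)
    domain = domain.lower().rstrip(".")
    want_ns = f"ns1.{domain}"
    ns_targets = {v for o, t, v in parsed["answer"] + parsed["authority"]
                  if t == QTYPE_NS and o == domain}
    glue = {v for o, t, v in parsed["answer"] + parsed["additional"]
            if t == QTYPE_A and o == want_ns}
    return {"rcode": parsed["rcode"], "ns_ok": want_ns in ns_targets,
            "glue_ok": expected_ip in glue, "ns_targets": sorted(ns_targets), "glue": sorted(glue)}


def query_live(server: str, domain: str, timeout: float = 3.0) -> bytes:
    """Send the NS query over UDP to a real resolver (network; not used by the offline check)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(domain, QTYPE_NS), (server, 53))
        return s.recv(4096)


# Constructed response to "NS evil.example": answer NS -> ns1.evil.example (compressed),
# additional glue A ns1.evil.example -> 198.51.100.7. Hand-assembled, not captured.
SAMPLE_RESPONSE = bytes.fromhex(
    "1337 8180 0001 0001 0000 0001"          # header: QR|RD|RA, 1 question, 1 answer, 1 additional
    "04 6576696c 07 6578616d706c65 00 0002 0001"  # question: evil.example NS IN
    "c00c 0002 0001 00000e10 0006 03 6e7331 c00c"  # answer: NS ns1.<ptr to evil.example>
    "c02a 0001 0001 00000e10 0004 c6336407"       # additional: A ns1.evil.example 198.51.100.7
)

if __name__ == "__main__":
    print(check_delegation(SAMPLE_RESPONSE, "evil.example", "198.51.100.7"))
```

Run the offline check against `SAMPLE_RESPONSE` first to see the expected shape, then replace it with `query_live("<public resolver>", "<yourevildomain>")`; if `ns_ok` is false the victim server will never reach your host, and if `glue_ok` is false it will reach someone else's.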