chompie1337 / SIGRed_RCE_PoC


exploit.py [ struct.error: unpack requires a buffer of 8 bytes] #4

Closed nickaein-a closed 3 years ago

nickaein-a commented 3 years ago

[!] grooming small buffer size freelist
Waiting for small cached records to be freed
0....5....10....15....20....25....30....35....40....45....50....55....60....65....70....75....80....85....90....95....100....105....110....115....120....125....130....135....140....145....150....155....160..163
[!] doing DNS record heap spray
[!] waiting for target subdomain record to be freed
0....5....10....15....20....25....30....35....40....45....50....55....60....65....70....75....80....85....90....95....100....105....110....115....120..123
[!] triggering realloc and overflow
[!] triggering free for fake timeout object
[!] triggering timeout object allocations
[!] triggering frees for heap ptr leak
[!] triggering heap ptr leak
Traceback (most recent call last):
  File "exploit.py", line 259, in <module>
    main()
  File "exploit.py", line 255, in main
    do_rce(args.ip, args.domain)
  File "exploit.py", line 120, in do_rce
    heap_ptr = struct.unpack('<Q', data_bytes[33:41])[0]
struct.error: unpack requires a buffer of 8 bytes

heapleakb64:

Server:     *.*.*.*
Address:        *.*.*.*#53

Non-authoritative answer:
9.dz.[evildomain]   signature = A 5 0 8192 20250715184655 20190715184655 40452 9.dz.[evildomain]. AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAA

Authoritative answers can be found from:

chompie1337 commented 3 years ago

What version of Windows Server is your target? Did you try DoS first? https://github.com/maxpl0it/CVE-2020-1350-DoS

Looks like it's not vulnerable.

nickaein-a commented 3 years ago

Windows Server 2016 10.0.14393 x64. Yes, I tried maxpl0it, it crashed.

Also, I'm testing it locally; sending that amount of nslookup over the internet is not reliable and takes too much time.

chompie1337 commented 3 years ago

No idea what the problem could be. At a minimum it should be crashing.

Also, this is runnable over the internet in less than 20 mins.

chompie1337 commented 3 years ago

If you want to provide the sample of dns.exe for your target, I can take a look. Closing the issue for now since there's no info to go off of.