This repo has my version of a DoS PoC exploit for the SIGRed vulnerability (CVE-2020-1350) disclosed by MS and Check Point Research on July 14th, 2020.
@maxpl0it also wrote a PoC that they published on July 15th, but I structured my exploit a little differently than they did, so I thought it still presented value to release this for blue teams to increase their detection capabilities and provide another piece of data to test against.
This repo also has a PCAP for what this exploit looks like on the network.
I tried rigging up the necessary domains to do this publicly but had some issues getting NS records to sync properly so I set this up internally in the DNS Service. So far as I'm aware, this shouldn't affect the efficacy of the exploit.
- Add a hosts file entry for your rogue DNS server (e.g. `dnsexploitvm.lan` in `C:\Windows\System32\drivers\etc\hosts`)
- Set up a Windows Server VM with the DNS Role
- Add a new zone for a TLD (I used `lol` because I didn't care about hijacking that TLD locally)
- Change the NS and SOA for that domain to your rogue DNS server (SOA might not be necessary)
- Add a new delegated zone in your TLD (e.g. `hax.lol`), and set the NS as your rogue DNS server
Before running the script, make sure to set the `DNS_SERVER_ADDR` tuple at the top of the script to your own IP address, and install the dependencies (`dnspython`).
Then, run the script (Python 3 only):
```
$ sudo ./cve-2020-1350-dos.py [victim DNS server] [DNS record]
```
I did my testing with `9.hax.lol`, and it has been pretty reliable. Longer domain names and records with many labels don't work as well.
Sample script output:
```
$ sudo ./exploit.py 192.168.117.36 9.hax.lol
UDP server waiting for connection
TCP server waiting for connection
making DNS SIG request to 192.168.117.36: 9.hax.lol
got UDP connection from 192.168.117.36:54721
sending UDP response (len=27)
got TCP connection from 192.168.117.36:49804
sending TCP response (len=65523)
```
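Added example for blue teams, not part of this repo's PoC or PCAP: a small Python detector for the two network events in the output above. It assumes the 27-byte UDP reply is a truncated (TC) SIG response with no answer data (header plus the `9.hax.lol` question is exactly 27 bytes), that the victim retries over TCP as RFC DNS behaviour dictates, and that legitimate DNS-over-TCP replies stay well below the 65535-byte limit; the sample messages are constructed here, not taken from the PCAP.

```python
import struct

SIG_TYPE = 24          # RFC 2535 SIG record type, the query type the PoC asks for
OVERSIZED_TCP = 60000  # assumption: legitimate DNS-over-TCP replies stay far below 65535 bytes

def parse_header(msg):
    """Decode the fields of the fixed 12-byte DNS header that the checks need."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"qr": (flags >> 15) & 1, "tc": (flags >> 9) & 1, "ancount": an}

def parse_question(msg, off=12):
    """Decode the first question (uncompressed name); return (name, qtype)."""
    labels = []
    while msg[off]:
        labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
        off += 1 + msg[off]
    qtype = struct.unpack("!H", msg[off + 1:off + 3])[0]
    return ".".join(labels), qtype

def check_udp(msg):
    """Flag a UDP SIG reply with TC set and no answers: it only forces a TCP retry."""
    h = parse_header(msg)
    name, qtype = parse_question(msg)
    if h["qr"] and h["tc"] and h["ancount"] == 0 and qtype == SIG_TYPE:
        return f"truncated SIG reply for {name} with no answer data ({len(msg)} bytes)"
    return None

def check_tcp(stream):
    """Walk a DNS-over-TCP stream (2-byte length prefix per message), flag huge SIG replies."""
    alerts, off = [], 0
    while off + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[off:off + 2])
        body = stream[off + 2:off + 2 + length]
        if len(body) < 12:
            break  # incomplete message at the end of the capture
        h = parse_header(body)
        name, qtype = parse_question(body)
        if h["qr"] and qtype == SIG_TYPE and length >= OVERSIZED_TCP:
            alerts.append(f"oversized SIG reply for {name}: {length} bytes")
        off += 2 + length
    return alerts

def build_sample(flags, ancount, total_len):
    """Constructed message: header + question for 9.hax.lol, zero-padded to total_len."""
    question = b"\x019\x03hax\x03lol\x00" + struct.pack("!HH", SIG_TYPE, 1)
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0) + question
    return msg + b"\x00" * (total_len - len(msg))

UDP_REPLY = build_sample(0x8200, 0, 27)     # QR + TC set, no answers: 27 bytes as in the output above
TCP_REPLY = build_sample(0x8000, 1, 65523)  # QR set, one padded-out answer: 65523 bytes as above
```

Feed `check_tcp` the reassembled TCP payload (with its 2-byte length prefixes) and `check_udp` each UDP datagram from the PCAP to compare against the constructed samples.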
A couple of weird things to be aware of:
- You may need to run the script twice
- The script may leave some hanging TCP connections with the victim DNS server, I think due to how the DNS service is crashing. If you figure out how to fix this please ping me on Twitter (@captainGeech42) or submit a PR.

Credits:
- The original vulnerability being exploited here was discovered by Check Point Research
- I also referenced @maxpl0it's PoC to speed up debugging an issue with my exploit