
CVE-2020-1350 PoC — Microsoft Windows DNS Server input validation error vulnerability

Associated Vulnerability
Title: Microsoft Windows DNS Server input validation error vulnerability (CVE-2020-1350)
Description: A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests, aka 'Windows DNS Server Remote Code Execution Vulnerability'.
Description
Denial of Service PoC for CVE-2020-1350 (SIGRed)
Readme
# CVE-2020-1350 SIGRed Denial of Service PoC Exploit

This repo has my version of a DoS PoC exploit for the SIGRed vulnerability disclosed by MS and Check Point Research on July 14th, 2020.

@maxpl0it also wrote a PoC that he published on July 15th, but I structured my exploit a little differently than they did, so I thought it still presented value to release this for blue teams to increase their detection capabilities and provide another piece of data to test against.

This repo also has a PCAP for what this exploit looks like on the network.

## Lab Environment

I tried rigging up the necessary domains to do this publicly but had some issues getting NS records to sync properly so I set this up internally in the DNS Service. So far as I'm aware, this shouldn't affect the efficacy of the exploit.

* Add a hosts file entry for your rogue DNS server (e.g. `dnsexploitvm.lan` in `C:\Windows\System32\drivers\etc\hosts`)
* Set up a Windows Server VM with the DNS role
* Add a new zone for a TLD (I used `lol` because I didn't care about hijacking that TLD locally)
* Change the NS and SOA for that domain to your rogue DNS server (SOA might not be necessary)
* Add a new delegated zone in your TLD (e.g. `hax.lol`), and set the NS to your rogue DNS server

## Running the Exploit

Before running the script, make sure to set the `DNS_SERVER_ADDR` tuple at the top of the script so that it contains your own IP address, and install the dependencies (`dnspython`).

Then, run the script (Python 3 only):

```
$ sudo ./cve-2020-1350-dos.py [victim DNS server] [DNS record]
```

I did my testing with `9.hax.lol`, and it has been pretty reliable. Longer domain names and records with many labels don't work as well.

Sample script output:

```
$ sudo ./exploit.py 192.168.117.36 9.hax.lol
UDP server waiting for connection
TCP server waiting for connection
making DNS SIG request to 192.168.117.36: 9.hax.lol
got UDP connection from 192.168.117.36:54721
sending UDP response (len=27)
got TCP connection from 192.168.117.36:49804
sending TCP response (len=65523)
```

![PoC GIF](poc.gif)
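The sample output above shows the shape of the exchange a blue team would look for in the PCAP: a short UDP reply for a SIG record, followed by a very large DNS-over-TCP reply (65523 bytes). The block below is an added detection example, not code from this repo: it splits a carved DNS-over-TCP stream on its RFC 1035 two-byte length prefix, pulls the question name and type from each message, and flags responses whose declared length exceeds a threshold. The sample stream is constructed here (it is not the repo's `sigred-dos-poc.pcapng`), and the default threshold of 0xFF00 is my choice, taken from the `TcpReceivePacketSize` value in Microsoft's registry workaround for this CVE, so that anything a mitigated server would refuse is surfaced as an alert.

```python
"""Flag oversized DNS-over-TCP responses in a carved TCP stream (added example)."""
import struct

QTYPE_SIG = 24          # RR type used by SIGRed; the README tests with a SIG query
DEFAULT_THRESHOLD = 0xFF00  # assumption: Microsoft's TcpReceivePacketSize workaround value


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(tid, qname, qtype, rdata_len, flags=0x8180):
    """Constructed DNS response: one question plus one answer of rdata_len bytes."""
    header = struct.pack(">HHHHHH", tid, flags, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack(">HH", qtype, 1)
    # answer name is a pointer (0xC00C) back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack(">HHIH", qtype, 1, 300, rdata_len) + b"A" * rdata_len
    return header + question + answer


def frame_tcp(msg):
    """Prefix a DNS message with the 2-byte big-endian length used over TCP."""
    return struct.pack(">H", len(msg)) + msg


def split_tcp_stream(stream):
    """Return (declared_len, payload) for each length-prefixed message in a TCP stream."""
    msgs, offset = [], 0
    while offset + 2 <= len(stream):
        (declared,) = struct.unpack_from(">H", stream, offset)
        msgs.append((declared, stream[offset + 2:offset + 2 + declared]))
        offset += 2 + declared
    return msgs


def parse_question(payload):
    """Return (qname, qtype) of the first question, or (None, None) if malformed."""
    if len(payload) < 12:
        return None, None
    qdcount = struct.unpack_from(">H", payload, 4)[0]
    if qdcount == 0:
        return None, None
    pos, labels = 12, []
    while pos < len(payload):
        ln = payload[pos]
        if ln == 0:
            pos += 1
            break
        if ln & 0xC0:  # compression pointer inside a question name: treat as malformed
            return None, None
        labels.append(payload[pos + 1:pos + 1 + ln].decode("ascii", "replace"))
        pos += 1 + ln
    if pos + 4 > len(payload):
        return None, None
    qtype = struct.unpack_from(">H", payload, pos)[0]
    return ".".join(labels), qtype


def find_suspicious(stream, threshold=DEFAULT_THRESHOLD):
    """Return one alert dict per DNS response whose declared TCP length exceeds threshold."""
    alerts = []
    for declared, payload in split_tcp_stream(stream):
        if len(payload) < 12:
            continue
        flags = struct.unpack_from(">H", payload, 2)[0]
        if not flags & 0x8000:      # QR bit clear: a query, not a response
            continue
        if declared > threshold:
            qname, qtype = parse_question(payload)
            alerts.append({"len": declared, "qname": qname, "qtype": qtype,
                           "sig_record": qtype == QTYPE_SIG})
    return alerts


# Constructed sample stream: a benign A response, then a SIG response sized like the
# 65523-byte TCP response in the README's sample output (12 + 15 + 12 + 65484 bytes).
SAMPLE_STREAM = (
    frame_tcp(build_response(0x1234, "example.lan", 1, 4))
    + frame_tcp(build_response(0x1337, "9.hax.lol", QTYPE_SIG, 65484))
)

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_STREAM):
        print(f"ALERT oversized TCP DNS response: {alert}")
```

The same framing logic applies to any carved DNS TCP session; lowering the threshold trades false positives (legitimate large zone transfers or DNSSEC responses) for earlier visibility, so tune it against your own traffic rather than the constructed sample.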

A couple of weird things to be aware of:

* You may need to run the script twice
* The script may leave some hanging TCP connections with the victim DNS server, I think due to how the DNS service is crashing. If you figure out how to fix this please ping me on Twitter ([@captainGeech42](https://twitter.com/captainGeech42)) or submit a PR.

## Credits

* The original vulnerability being exploited here was discovered by [Check Point Research](https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/)
* I also referenced [@maxpl0it's PoC](https://github.com/maxpl0it/CVE-2020-1350-DoS) to speed up debugging an issue with my exploit

File Snapshot

```
[4.0K] /data/pocs/c921b41c86102a1175a186f2cd376e879ba8da85
├── [6.1K] exploit.py
├── [2.3M] poc.gif
├── [2.7K] README.md
├── [ 10] requirements.txt
└── [ 65K] sigred-dos-poc.pcapng

0 directories, 5 files
```