zephrfish / cve-2020-1350_honeypoc Goto Github PK

HoneyPoC: Proof-of-Concept (PoC) script to exploit SIGRed (CVE-2020-1350). Achieves Domain Admin on Domain Controllers running Windows Server 2000 up to Windows Server 2019.

License: GNU General Public License v3.0

Shell 0.90% PowerShell 98.65% Batchfile 0.45%

cve-2020-1350 sigred

cve-2020-1350_honeypoc's Introduction

This is an educational exercise. Use at your own risk.

CVE-2020-1350 Exploit aka SIGRED

This is a lesson as to why you should not trust binaries on the internet., the workaround fix is genuine.

Workaround Fix

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v "TcpReceivePacketSize" /t REG_DWORD /d 0xFF00 /f
net stop DNS && net start DNS

MS Link: https://support.microsoft.com/en-gb/help/4569509/windows-dns-server-remote-code-execution-vulnerability Microsoft has released the security patch, you can download the patch here: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350

Windows Binary PoC

./CVE-2020-1350.exe will run the exploit.

View README.pdf for more information on how to use the binary.

Source code is available here: https://github.com/zoomerxsec/Fake_CVE-2020-1350

Running the exploit on Linux

Change the target IP in exploit.sh then do:

chmod +x exploit.sh
./exploit.sh

Repo Info

CVE-2020-1350.exe (sha256sum 9e6da40db7c7f9d5ba679e7439f03ef6aacee9c34f9a3f686d02af34543f2e75) - Benign binary which opens rick roll and pings canary token
Fix.bat - Batch file that applies the fix from Microsoft
LICENCE - The licence file, also does nothing
PoC.exe (sha256sum bf9657ff82065a676bc2aeb07877d5964a193da244e943ee37f08b931c9868b7)- Benign binary which opens cmd.exe and additionally pings canary token
README.md - Details the README of the repo
windows-exploit.ps1 - Rick roll in shell, also benign

Additional Resources

https://blog.zsec.uk/cve-2020-1350-honeypoc/ - Statistics from this project
https://blog.zsec.uk/cve-2020-1350-research/ - Explanation on this project :-)
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_exploit_cve_2020_1350.yml - Signa rules for detection
https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/ - Vulnerability Writeup
https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html - Threathunting the vuln
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350 - CVE-2020-1350 | Windows DNS Server Remote Code Execution Vulnerability
https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/ - July 2020 Security Update: CVE-2020-1350 Vulnerability in Windows Domain Name System (DNS) Server
https://github.com/tinkersec/cve-2020-1350 Tinkersec PoC, also not real

cve-2020-1350_honeypoc's People

Contributors

Stargazers

Watchers

cve-2020-1350_honeypoc's Issues

My dns is totally broken. Help please!

I have run this and my dns has stopped working. Help please!!!

I will never gonna let you down!

Exploit hangs

Describe the bug
When running the exploit.sh it keeps crashing and restart, it just does not seem to give up.

To Reproduce
Steps to reproduce the behavior:

clone repo
chmod +x ./exploit.sh
sudo ./exploit.sh
Never gives me up!

Expected behavior
Give me root access to my boss' his email box via domain enterprise admin account.

兄弟搞事情是不是？

Describe the bug
A clear and concise description of what the bug is.

To Reproduce
Steps to reproduce the behavior:

Go to '...'
Click on '....'
Scroll down to '....'
See error

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

OS: [e.g. iOS]
Browser [e.g. chrome, safari]
Version [e.g. 22]

Smartphone (please complete the following information):

Device: [e.g. iPhone6]
OS: [e.g. iOS8.1]
Browser [e.g. stock browser, safari]
Version [e.g. 22]

Additional context
Add any other context about the problem here.

മുഖ്യമന്ത്രി രാജിവെക്കണം

ഒന്നും പറഞ്ഞിട്ടു കാര്യം എല്ല മുഖ്യമന്ത്രി രാജിവെച്ചേ പറ്റു..

This is the greatest repository

You are truly gods among men.

Thank you for your contributions to the Rick Astley security collective.

I would rate this code worm out of 10: Would worm again.

Hello, this exploit is supposed to work only on windows DNS servers. (more info here)
I've tested your exploit and it works on other operating systems too. You can see the POC for 8.8.8.8, which is not a windows machine.

Please consider cutting support for other operating systems since they were not specified in the microsoft security bulletin, and focusing the development time on the windows version.