7de4bd92b8
Verify that pf correctly drops inconsistent ICMP packets (i.e. where the IP src/dst do not match the IP src/dst in the ICMP packet.
131 lines
3.2 KiB
Python
131 lines
3.2 KiB
Python
#!/usr/local/bin/python2.7
|
|
|
|
import argparse
|
|
import scapy.all as sp
|
|
import sys
|
|
from sniffer import Sniffer
|
|
|
|
def check_icmp_error(args, packet):
|
|
ip = packet.getlayer(sp.IP)
|
|
if not ip:
|
|
return False
|
|
if ip.dst != args.to[0]:
|
|
return False
|
|
|
|
icmp = packet.getlayer(sp.ICMP)
|
|
if not icmp:
|
|
return False
|
|
if icmp.type != 3 or icmp.code != 3:
|
|
return False
|
|
|
|
return True
|
|
|
|
def main():
|
|
parser = argparse.ArgumentParser("CVE-2019-icmp.py",
|
|
description="CVE-2019-icmp test tool")
|
|
parser.add_argument('--sendif', nargs=1,
|
|
required=True,
|
|
help='The interface through which the packet will be sent')
|
|
parser.add_argument('--recvif', nargs=1,
|
|
required=True,
|
|
help='The interface on which to check for the packet')
|
|
parser.add_argument('--src', nargs=1,
|
|
required=True,
|
|
help='The source IP address')
|
|
parser.add_argument('--to', nargs=1,
|
|
required=True,
|
|
help='The destination IP address')
|
|
|
|
args = parser.parse_args()
|
|
|
|
# Send the allowed packet to establish state
|
|
udp = sp.Ether() / \
|
|
sp.IP(src=args.src[0], dst=args.to[0]) / \
|
|
sp.UDP(dport=53, sport=1234)
|
|
sp.sendp(udp, iface=args.sendif[0], verbose=False)
|
|
|
|
# Start sniffing on recvif
|
|
sniffer = Sniffer(args, check_icmp_error)
|
|
|
|
# Send the bad error packet
|
|
icmp_reachable = sp.Ether() / \
|
|
sp.IP(src=args.src[0], dst=args.to[0]) / \
|
|
sp.ICMP(type=3, code=3) / \
|
|
sp.IP(src="4.3.2.1", dst="1.2.3.4") / \
|
|
sp.UDP(dport=53, sport=1234)
|
|
sp.sendp(icmp_reachable, iface=args.sendif[0], verbose=False)
|
|
|
|
sniffer.join()
|
|
if sniffer.foundCorrectPacket:
|
|
sys.exit(1)
|
|
|
|
sys.exit(0)
|
|
|
|
if __name__ == '__main__':
|
|
main()
|
|
#!/usr/local/bin/python2.7
|
|
|
|
import argparse
|
|
import scapy.all as sp
|
|
import sys
|
|
from sniffer import Sniffer
|
|
|
|
def check_icmp_error(args, packet):
|
|
ip = packet.getlayer(sp.IP)
|
|
if not ip:
|
|
return False
|
|
if ip.dst != args.to[0]:
|
|
return False
|
|
|
|
icmp = packet.getlayer(sp.ICMP)
|
|
if not icmp:
|
|
return False
|
|
if icmp.type != 3 or icmp.code != 3:
|
|
return False
|
|
|
|
return True
|
|
|
|
def main():
|
|
parser = argparse.ArgumentParser("CVE-2019-icmp.py",
|
|
description="CVE-2019-icmp test tool")
|
|
parser.add_argument('--sendif', nargs=1,
|
|
required=True,
|
|
help='The interface through which the packet will be sent')
|
|
parser.add_argument('--recvif', nargs=1,
|
|
required=True,
|
|
help='The interface on which to check for the packet')
|
|
parser.add_argument('--src', nargs=1,
|
|
required=True,
|
|
help='The source IP address')
|
|
parser.add_argument('--to', nargs=1,
|
|
required=True,
|
|
help='The destination IP address')
|
|
|
|
args = parser.parse_args()
|
|
|
|
# Send the allowed packet to establish state
|
|
udp = sp.Ether() / \
|
|
sp.IP(src=args.src[0], dst=args.to[0]) / \
|
|
sp.UDP(dport=53, sport=1234)
|
|
sp.sendp(udp, iface=args.sendif[0], verbose=False)
|
|
|
|
# Start sniffing on recvif
|
|
sniffer = Sniffer(args, check_icmp_error)
|
|
|
|
# Send the bad error packet
|
|
icmp_reachable = sp.Ether() / \
|
|
sp.IP(src=args.src[0], dst=args.to[0]) / \
|
|
sp.ICMP(type=3, code=3) / \
|
|
sp.IP(src=args.src[0], dst=args.to[0]) / \
|
|
sp.UDP(dport=53, sport=1234)
|
|
sp.sendp(icmp_reachable, iface=args.sendif[0], verbose=False)
|
|
|
|
sniffer.join()
|
|
if sniffer.foundCorrectPacket:
|
|
sys.exit(1)
|
|
|
|
sys.exit(0)
|
|
|
|
if __name__ == '__main__':
|
|
main()
|