1*7de4bd92SKristof Provost#!/usr/local/bin/python2.7 2*7de4bd92SKristof Provost 3*7de4bd92SKristof Provostimport argparse 4*7de4bd92SKristof Provostimport scapy.all as sp 5*7de4bd92SKristof Provostimport sys 6*7de4bd92SKristof Provostfrom sniffer import Sniffer 7*7de4bd92SKristof Provost 8*7de4bd92SKristof Provostdef check_icmp_error(args, packet): 9*7de4bd92SKristof Provost ip = packet.getlayer(sp.IP) 10*7de4bd92SKristof Provost if not ip: 11*7de4bd92SKristof Provost return False 12*7de4bd92SKristof Provost if ip.dst != args.to[0]: 13*7de4bd92SKristof Provost return False 14*7de4bd92SKristof Provost 15*7de4bd92SKristof Provost icmp = packet.getlayer(sp.ICMP) 16*7de4bd92SKristof Provost if not icmp: 17*7de4bd92SKristof Provost return False 18*7de4bd92SKristof Provost if icmp.type != 3 or icmp.code != 3: 19*7de4bd92SKristof Provost return False 20*7de4bd92SKristof Provost 21*7de4bd92SKristof Provost return True 22*7de4bd92SKristof Provost 23*7de4bd92SKristof Provostdef main(): 24*7de4bd92SKristof Provost parser = argparse.ArgumentParser("CVE-2019-icmp.py", 25*7de4bd92SKristof Provost description="CVE-2019-icmp test tool") 26*7de4bd92SKristof Provost parser.add_argument('--sendif', nargs=1, 27*7de4bd92SKristof Provost required=True, 28*7de4bd92SKristof Provost help='The interface through which the packet will be sent') 29*7de4bd92SKristof Provost parser.add_argument('--recvif', nargs=1, 30*7de4bd92SKristof Provost required=True, 31*7de4bd92SKristof Provost help='The interface on which to check for the packet') 32*7de4bd92SKristof Provost parser.add_argument('--src', nargs=1, 33*7de4bd92SKristof Provost required=True, 34*7de4bd92SKristof Provost help='The source IP address') 35*7de4bd92SKristof Provost parser.add_argument('--to', nargs=1, 36*7de4bd92SKristof Provost required=True, 37*7de4bd92SKristof Provost help='The destination IP address') 38*7de4bd92SKristof Provost 39*7de4bd92SKristof Provost args = parser.parse_args() 40*7de4bd92SKristof Provost 41*7de4bd92SKristof Provost # Send the allowed packet to establish state 42*7de4bd92SKristof Provost udp = sp.Ether() / \ 43*7de4bd92SKristof Provost sp.IP(src=args.src[0], dst=args.to[0]) / \ 44*7de4bd92SKristof Provost sp.UDP(dport=53, sport=1234) 45*7de4bd92SKristof Provost sp.sendp(udp, iface=args.sendif[0], verbose=False) 46*7de4bd92SKristof Provost 47*7de4bd92SKristof Provost # Start sniffing on recvif 48*7de4bd92SKristof Provost sniffer = Sniffer(args, check_icmp_error) 49*7de4bd92SKristof Provost 50*7de4bd92SKristof Provost # Send the bad error packet 51*7de4bd92SKristof Provost icmp_reachable = sp.Ether() / \ 52*7de4bd92SKristof Provost sp.IP(src=args.src[0], dst=args.to[0]) / \ 53*7de4bd92SKristof Provost sp.ICMP(type=3, code=3) / \ 54*7de4bd92SKristof Provost sp.IP(src="4.3.2.1", dst="1.2.3.4") / \ 55*7de4bd92SKristof Provost sp.UDP(dport=53, sport=1234) 56*7de4bd92SKristof Provost sp.sendp(icmp_reachable, iface=args.sendif[0], verbose=False) 57*7de4bd92SKristof Provost 58*7de4bd92SKristof Provost sniffer.join() 59*7de4bd92SKristof Provost if sniffer.foundCorrectPacket: 60*7de4bd92SKristof Provost sys.exit(1) 61*7de4bd92SKristof Provost 62*7de4bd92SKristof Provost sys.exit(0) 63*7de4bd92SKristof Provost 64*7de4bd92SKristof Provostif __name__ == '__main__': 65*7de4bd92SKristof Provost main() 66*7de4bd92SKristof Provost#!/usr/local/bin/python2.7 67*7de4bd92SKristof Provost 68*7de4bd92SKristof Provostimport argparse 69*7de4bd92SKristof Provostimport scapy.all as sp 70*7de4bd92SKristof Provostimport sys 71*7de4bd92SKristof Provostfrom sniffer import Sniffer 72*7de4bd92SKristof Provost 73*7de4bd92SKristof Provostdef check_icmp_error(args, packet): 74*7de4bd92SKristof Provost ip = packet.getlayer(sp.IP) 75*7de4bd92SKristof Provost if not ip: 76*7de4bd92SKristof Provost return False 77*7de4bd92SKristof Provost if ip.dst != args.to[0]: 78*7de4bd92SKristof Provost return False 79*7de4bd92SKristof Provost 80*7de4bd92SKristof Provost icmp = packet.getlayer(sp.ICMP) 81*7de4bd92SKristof Provost if not icmp: 82*7de4bd92SKristof Provost return False 83*7de4bd92SKristof Provost if icmp.type != 3 or icmp.code != 3: 84*7de4bd92SKristof Provost return False 85*7de4bd92SKristof Provost 86*7de4bd92SKristof Provost return True 87*7de4bd92SKristof Provost 88*7de4bd92SKristof Provostdef main(): 89*7de4bd92SKristof Provost parser = argparse.ArgumentParser("CVE-2019-icmp.py", 90*7de4bd92SKristof Provost description="CVE-2019-icmp test tool") 91*7de4bd92SKristof Provost parser.add_argument('--sendif', nargs=1, 92*7de4bd92SKristof Provost required=True, 93*7de4bd92SKristof Provost help='The interface through which the packet will be sent') 94*7de4bd92SKristof Provost parser.add_argument('--recvif', nargs=1, 95*7de4bd92SKristof Provost required=True, 96*7de4bd92SKristof Provost help='The interface on which to check for the packet') 97*7de4bd92SKristof Provost parser.add_argument('--src', nargs=1, 98*7de4bd92SKristof Provost required=True, 99*7de4bd92SKristof Provost help='The source IP address') 100*7de4bd92SKristof Provost parser.add_argument('--to', nargs=1, 101*7de4bd92SKristof Provost required=True, 102*7de4bd92SKristof Provost help='The destination IP address') 103*7de4bd92SKristof Provost 104*7de4bd92SKristof Provost args = parser.parse_args() 105*7de4bd92SKristof Provost 106*7de4bd92SKristof Provost # Send the allowed packet to establish state 107*7de4bd92SKristof Provost udp = sp.Ether() / \ 108*7de4bd92SKristof Provost sp.IP(src=args.src[0], dst=args.to[0]) / \ 109*7de4bd92SKristof Provost sp.UDP(dport=53, sport=1234) 110*7de4bd92SKristof Provost sp.sendp(udp, iface=args.sendif[0], verbose=False) 111*7de4bd92SKristof Provost 112*7de4bd92SKristof Provost # Start sniffing on recvif 113*7de4bd92SKristof Provost sniffer = Sniffer(args, check_icmp_error) 114*7de4bd92SKristof Provost 115*7de4bd92SKristof Provost # Send the bad error packet 116*7de4bd92SKristof Provost icmp_reachable = sp.Ether() / \ 117*7de4bd92SKristof Provost sp.IP(src=args.src[0], dst=args.to[0]) / \ 118*7de4bd92SKristof Provost sp.ICMP(type=3, code=3) / \ 119*7de4bd92SKristof Provost sp.IP(src=args.src[0], dst=args.to[0]) / \ 120*7de4bd92SKristof Provost sp.UDP(dport=53, sport=1234) 121*7de4bd92SKristof Provost sp.sendp(icmp_reachable, iface=args.sendif[0], verbose=False) 122*7de4bd92SKristof Provost 123*7de4bd92SKristof Provost sniffer.join() 124*7de4bd92SKristof Provost if sniffer.foundCorrectPacket: 125*7de4bd92SKristof Provost sys.exit(1) 126*7de4bd92SKristof Provost 127*7de4bd92SKristof Provost sys.exit(0) 128*7de4bd92SKristof Provost 129*7de4bd92SKristof Provostif __name__ == '__main__': 130*7de4bd92SKristof Provost main() 131