xref: /freebsd/tests/sys/netpfil/pf/CVE-2019-5598.py (revision 67ca7330cf34a789afbbff9ae7e4cdc4a4917ae3) 
1#!/usr/local/bin/python2.7
2
3import argparse
4import scapy.all as sp
5import sys
6from sniffer import Sniffer
7
8def check_icmp_error(args, packet):
9	ip = packet.getlayer(sp.IP)
10	if not ip:
11		return False
12	if ip.dst != args.to[0]:
13		return False
14
15	icmp = packet.getlayer(sp.ICMP)
16	if not icmp:
17		return False
18	if icmp.type != 3 or icmp.code != 3:
19		return False
20
21	return True
22
23def main():
24	parser = argparse.ArgumentParser("CVE-2019-icmp.py",
25		description="CVE-2019-icmp test tool")
26	parser.add_argument('--sendif', nargs=1,
27		required=True,
28		help='The interface through which the packet will be sent')
29	parser.add_argument('--recvif', nargs=1,
30		required=True,
31		help='The interface on which to check for the packet')
32	parser.add_argument('--src', nargs=1,
33		required=True,
34		help='The source IP address')
35	parser.add_argument('--to', nargs=1,
36		required=True,
37		help='The destination IP address')
38
39	args = parser.parse_args()
40
41        # Send the allowed packet to establish state
42        udp = sp.Ether() / \
43            sp.IP(src=args.src[0], dst=args.to[0]) / \
44            sp.UDP(dport=53, sport=1234)
45        sp.sendp(udp, iface=args.sendif[0], verbose=False)
46
47	# Start sniffing on recvif
48	sniffer = Sniffer(args, check_icmp_error)
49
50	# Send the bad error packet
51	icmp_reachable = sp.Ether() / \
52            sp.IP(src=args.src[0], dst=args.to[0]) / \
53	    sp.ICMP(type=3, code=3) / \
54	    sp.IP(src="4.3.2.1", dst="1.2.3.4") / \
55	    sp.UDP(dport=53, sport=1234)
56	sp.sendp(icmp_reachable, iface=args.sendif[0], verbose=False)
57
58	sniffer.join()
59	if sniffer.foundCorrectPacket:
60		sys.exit(1)
61
62	sys.exit(0)
63
64if __name__ == '__main__':
65	main()
66#!/usr/local/bin/python2.7
67
68import argparse
69import scapy.all as sp
70import sys
71from sniffer import Sniffer
72
73def check_icmp_error(args, packet):
74	ip = packet.getlayer(sp.IP)
75	if not ip:
76		return False
77	if ip.dst != args.to[0]:
78		return False
79
80	icmp = packet.getlayer(sp.ICMP)
81	if not icmp:
82		return False
83	if icmp.type != 3 or icmp.code != 3:
84		return False
85
86	return True
87
88def main():
89	parser = argparse.ArgumentParser("CVE-2019-icmp.py",
90		description="CVE-2019-icmp test tool")
91	parser.add_argument('--sendif', nargs=1,
92		required=True,
93		help='The interface through which the packet will be sent')
94	parser.add_argument('--recvif', nargs=1,
95		required=True,
96		help='The interface on which to check for the packet')
97	parser.add_argument('--src', nargs=1,
98		required=True,
99		help='The source IP address')
100	parser.add_argument('--to', nargs=1,
101		required=True,
102		help='The destination IP address')
103
104	args = parser.parse_args()
105
106        # Send the allowed packet to establish state
107        udp = sp.Ether() / \
108            sp.IP(src=args.src[0], dst=args.to[0]) / \
109            sp.UDP(dport=53, sport=1234)
110        sp.sendp(udp, iface=args.sendif[0], verbose=False)
111
112	# Start sniffing on recvif
113	sniffer = Sniffer(args, check_icmp_error)
114
115	# Send the bad error packet
116	icmp_reachable = sp.Ether() / \
117            sp.IP(src=args.src[0], dst=args.to[0]) / \
118	    sp.ICMP(type=3, code=3) / \
119	    sp.IP(src=args.src[0], dst=args.to[0]) / \
120	    sp.UDP(dport=53, sport=1234)
121	sp.sendp(icmp_reachable, iface=args.sendif[0], verbose=False)
122
123	sniffer.join()
124	if sniffer.foundCorrectPacket:
125		sys.exit(1)
126
127	sys.exit(0)
128
129if __name__ == '__main__':
130	main()
131