1#!/usr/bin/env python3 2# 3# SPDX-License-Identifier: BSD-2-Clause-FreeBSD 4# 5# Copyright (c) 2019 Kristof Provost <kp@FreeBSD.org> 6# 7# Redistribution and use in source and binary forms, with or without 8# modification, are permitted provided that the following conditions 9# are met: 10# 1. Redistributions of source code must retain the above copyright 11# notice, this list of conditions and the following disclaimer. 12# 2. Redistributions in binary form must reproduce the above copyright 13# notice, this list of conditions and the following disclaimer in the 14# documentation and/or other materials provided with the distribution. 15# 16# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26# SUCH DAMAGE. 27 28import argparse 29import scapy.all as sp 30import sys 31from sniffer import Sniffer 32 33def check_icmp_error(args, packet): 34 ip = packet.getlayer(sp.IP) 35 if not ip: 36 return False 37 if ip.dst != args.to[0]: 38 return False 39 40 icmp = packet.getlayer(sp.ICMP) 41 if not icmp: 42 return False 43 if icmp.type != 3 or icmp.code != 3: 44 return False 45 46 return True 47 48def main(): 49 parser = argparse.ArgumentParser("CVE-2019-icmp.py", 50 description="CVE-2019-icmp test tool") 51 parser.add_argument('--sendif', nargs=1, 52 required=True, 53 help='The interface through which the packet will be sent') 54 parser.add_argument('--recvif', nargs=1, 55 required=True, 56 help='The interface on which to check for the packet') 57 parser.add_argument('--src', nargs=1, 58 required=True, 59 help='The source IP address') 60 parser.add_argument('--to', nargs=1, 61 required=True, 62 help='The destination IP address') 63 64 args = parser.parse_args() 65 66 # Send the allowed packet to establish state 67 udp = sp.Ether() / \ 68 sp.IP(src=args.src[0], dst=args.to[0]) / \ 69 sp.UDP(dport=53, sport=1234) 70 sp.sendp(udp, iface=args.sendif[0], verbose=False) 71 72 # Start sniffing on recvif 73 sniffer = Sniffer(args, check_icmp_error) 74 75 # Send the bad error packet 76 icmp_reachable = sp.Ether() / \ 77 sp.IP(src=args.src[0], dst=args.to[0]) / \ 78 sp.ICMP(type=3, code=3) / \ 79 sp.IP(src="4.3.2.1", dst="1.2.3.4") / \ 80 sp.UDP(dport=53, sport=1234) 81 sp.sendp(icmp_reachable, iface=args.sendif[0], verbose=False) 82 83 sniffer.join() 84 if sniffer.foundCorrectPacket: 85 sys.exit(1) 86 87 sys.exit(0) 88 89if __name__ == '__main__': 90 main() 91