tests/sys/netpfil/pf/CVE-2019-5598.py

   1 #!/usr/local/bin/python2.7
   2
   3 import argparse
   4 import scapy.all as sp
   5 import sys
   6 from sniffer import Sniffer
   7
   8 def check_icmp_error(args, packet):
   9         ip = packet.getlayer(sp.IP)
  10         if not ip:
  11                 return False
  12         if ip.dst != args.to[0]:
  13                 return False
  14
  15         icmp = packet.getlayer(sp.ICMP)
  16         if not icmp:
  17                 return False
  18         if icmp.type != 3 or icmp.code != 3:
  19                 return False
  20
  21         return True
  22
  23 def main():
  24         parser = argparse.ArgumentParser("CVE-2019-icmp.py",
  25                 description="CVE-2019-icmp test tool")
  26         parser.add_argument('--sendif', nargs=1,
  27                 required=True,
  28                 help='The interface through which the packet will be sent')
  29         parser.add_argument('--recvif', nargs=1,
  30                 required=True,
  31                 help='The interface on which to check for the packet')
  32         parser.add_argument('--src', nargs=1,
  33                 required=True,
  34                 help='The source IP address')
  35         parser.add_argument('--to', nargs=1,
  36                 required=True,
  37                 help='The destination IP address')
  38
  39         args = parser.parse_args()
  40
  41         # Send the allowed packet to establish state
  42         udp = sp.Ether() / \
  43             sp.IP(src=args.src[0], dst=args.to[0]) / \
  44             sp.UDP(dport=53, sport=1234)
  45         sp.sendp(udp, iface=args.sendif[0], verbose=False)
  46
  47         # Start sniffing on recvif
  48         sniffer = Sniffer(args, check_icmp_error)
  49
  50         # Send the bad error packet
  51         icmp_reachable = sp.Ether() / \
  52             sp.IP(src=args.src[0], dst=args.to[0]) / \
  53             sp.ICMP(type=3, code=3) / \
  54             sp.IP(src="4.3.2.1", dst="1.2.3.4") / \
  55             sp.UDP(dport=53, sport=1234)
  56         sp.sendp(icmp_reachable, iface=args.sendif[0], verbose=False)
  57
  58         sniffer.join()
  59         if sniffer.foundCorrectPacket:
  60                 sys.exit(1)
  61
  62         sys.exit(0)
  63
  64 if __name__ == '__main__':
  65         main()
  66 #!/usr/local/bin/python2.7
  67
  68 import argparse
  69 import scapy.all as sp
  70 import sys
  71 from sniffer import Sniffer
  72
  73 def check_icmp_error(args, packet):
  74         ip = packet.getlayer(sp.IP)
  75         if not ip:
  76                 return False
  77         if ip.dst != args.to[0]:
  78                 return False
  79
  80         icmp = packet.getlayer(sp.ICMP)
  81         if not icmp:
  82                 return False
  83         if icmp.type != 3 or icmp.code != 3:
  84                 return False
  85
  86         return True
  87
  88 def main():
  89         parser = argparse.ArgumentParser("CVE-2019-icmp.py",
  90                 description="CVE-2019-icmp test tool")
  91         parser.add_argument('--sendif', nargs=1,
  92                 required=True,
  93                 help='The interface through which the packet will be sent')
  94         parser.add_argument('--recvif', nargs=1,
  95                 required=True,
  96                 help='The interface on which to check for the packet')
  97         parser.add_argument('--src', nargs=1,
  98                 required=True,
  99                 help='The source IP address')
 100         parser.add_argument('--to', nargs=1,
 101                 required=True,
 102                 help='The destination IP address')
 103
 104         args = parser.parse_args()
 105
 106         # Send the allowed packet to establish state
 107         udp = sp.Ether() / \
 108             sp.IP(src=args.src[0], dst=args.to[0]) / \
 109             sp.UDP(dport=53, sport=1234)
 110         sp.sendp(udp, iface=args.sendif[0], verbose=False)
 111
 112         # Start sniffing on recvif
 113         sniffer = Sniffer(args, check_icmp_error)
 114
 115         # Send the bad error packet
 116         icmp_reachable = sp.Ether() / \
 117             sp.IP(src=args.src[0], dst=args.to[0]) / \
 118             sp.ICMP(type=3, code=3) / \
 119             sp.IP(src=args.src[0], dst=args.to[0]) / \
 120             sp.UDP(dport=53, sport=1234)
 121         sp.sendp(icmp_reachable, iface=args.sendif[0], verbose=False)
 122
 123         sniffer.join()
 124         if sniffer.foundCorrectPacket:
 125                 sys.exit(1)
 126
 127         sys.exit(0)
 128
 129 if __name__ == '__main__':
 130         main()