Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
freebsd
GitHub Repository: freebsd/freebsd-src
 Path: blob/main/tests/sys/netpfil/pf/CVE-2019-5598.py
39507 views
1
#!/usr/bin/env python3

2
#

3
# SPDX-License-Identifier: BSD-2-Clause

4
#

5
# Copyright (c) 2019 Kristof Provost <[email protected]>

6
#

7
# Redistribution and use in source and binary forms, with or without

8
# modification, are permitted provided that the following conditions

9
# are met:

10
# 1. Redistributions of source code must retain the above copyright

11
#    notice, this list of conditions and the following disclaimer.

12
# 2. Redistributions in binary form must reproduce the above copyright

13
#    notice, this list of conditions and the following disclaimer in the

14
#    documentation and/or other materials provided with the distribution.

15
#

16
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND

17
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

18
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

19
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

20
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

21
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

22
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

23
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

24
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

25
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

26
# SUCH DAMAGE.

27


28
import argparse

29
import logging

30
logging.getLogger("scapy").setLevel(logging.CRITICAL)

31
import scapy.all as sp

32
import sys

33
from sniffer import Sniffer

34


35
def check_icmp_error(args, packet):

36
	ip = packet.getlayer(sp.IP)

37
	if not ip:

38
		return False

39
	if ip.dst != args.to[0]:

40
		return False

41


42
	icmp = packet.getlayer(sp.ICMP)

43
	if not icmp:

44
		return False

45
	if icmp.type != 3 or icmp.code != 3:

46
		return False

47


48
	return True

49


50
def main():

51
	parser = argparse.ArgumentParser("CVE-2019-icmp.py",

52
		description="CVE-2019-icmp test tool")

53
	parser.add_argument('--sendif', nargs=1,

54
		required=True,

55
		help='The interface through which the packet will be sent')

56
	parser.add_argument('--recvif', nargs=1,

57
		required=True,

58
		help='The interface on which to check for the packet')

59
	parser.add_argument('--src', nargs=1,

60
		required=True,

61
		help='The source IP address')

62
	parser.add_argument('--to', nargs=1,

63
		required=True,

64
		help='The destination IP address')

65


66
	args = parser.parse_args()

67


68
	# Send the allowed packet to establish state

69
	udp = sp.Ether() / \

70
	    sp.IP(src=args.src[0], dst=args.to[0]) / \

71
	    sp.UDP(dport=53, sport=1234)

72
	sp.sendp(udp, iface=args.sendif[0], verbose=False)

73


74
	# Start sniffing on recvif

75
	sniffer = Sniffer(args, check_icmp_error, args.recvif[0])

76


77
	# Send the bad error packet

78
	icmp_reachable = sp.Ether() / \

79
	    sp.IP(src=args.src[0], dst=args.to[0]) / \

80
	    sp.ICMP(type=3, code=3) / \

81
	    sp.IP(src="4.3.2.1", dst="1.2.3.4") / \

82
	    sp.UDP(dport=53, sport=1234)

83
	sp.sendp(icmp_reachable, iface=args.sendif[0], verbose=False)

84


85
	sniffer.join()

86
	if sniffer.correctPackets:

87
		sys.exit(1)

88


89
	sys.exit(0)

90


91
if __name__ == '__main__':

92
	main()

93


94