
CVE-2016-5696 PoC — Linux kernel security vulnerability

Source
Associated Vulnerability
Title: Linux kernel security vulnerability (CVE-2016-5696)
Description: The Linux kernel is the kernel used by Linux, the open-source operating system released by the Linux Foundation of the United States. The NFSv4 implementation is one of its distributed file system protocols. A security vulnerability exists in the net/ipv4/tcp_input.c file of Linux kernel versions before 4.7. An attacker can exploit this vulnerability to carry out a man-in-the-middle attack and hijack TCP sessions.
Description
global rate-limiting in Linux (CVE-2016-5696) scanner
Readme
grill
=====

`grill`, aka global rate-limiting in Linux, is a scanner for
CVE-2016-5696 (pure TCP off-path).

Install
-------
```
$ go get github.com/nogoegst/grill
```

Caveats
-------
*Don't ever use wireless links* on the way to the hosts. Constant packet loss and retransmissions drastically reduce scan accuracy.

*Use as few NATs as possible* (ideally none): they introduce delays and rewrite packets.

Currently `grill` uses around 400 Kbit/s on average and at most 500 Kbit/s of output bandwidth (16 concurrent scans).

Kernel interference
-------------------
To avoid kernel interference during a scan, add a rule to your firewall that drops outgoing RST packets (otherwise the local kernel answers the probe replies with RSTs of its own).

For PF (`/etc/pf.conf`):
```
block drop out quick proto tcp flags R/R
```
then `# pfctl -f /etc/pf.conf`.

For NetFilter:
```
# iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP
```

Usage
-----
`grill` reads `stdin` and scans the hosts listed there (up to 16 concurrent scans). The input format is one `host port\n` line per target.

```
# cat probe | grill -i interface -dll gateway-MAC [-sll src-MAC] [-sip src-IP] > results 
```

The output format is `host:port,recievedChACKs,1stBurstSendingTime,2ndBurstSendingTime`.

To get human-readable results, pipe them through the `verdict` utility (found in the `verdict` directory):
```
cat results | verdict
```

So it goes. Have fun and make love.


Scanning the Tor network
------------------------
To scan relays of the Tor network, fetch the latest consensus and reduce each router status (`r`) line to its address and ORPort (fields 7 and 8):
```
curl https://collector.torproject.org/recent/relay-descriptors/consensuses/`date -u +'%Y-%m-%d-%H-00-00-consensus'` | grep '^r '| awk '{print $7" "$8}' > probe-consensus
```

Then pass the resulting file to `grill` on `stdin`.
As of now, scanning the whole Tor network should take less than 30 minutes (16 concurrent scans).
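The `curl | grep | awk` one-liner above works, but it silently drops nothing and checks nothing: a truncated download or a changed line layout would quietly shrink the target list. The following is an added example, not code from the `grill` repository, that does the same field extraction in Go (the project's own language) with the format assumptions made explicit and malformed `r` lines reported. The relay names, fingerprints and addresses in `sampleConsensus` are constructed for the example and do not correspond to real relays.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"strconv"
	"strings"
)

// Probe is one "host port" line in grill's input format.
type Probe struct {
	Host string
	Port int
}

// String renders the probe exactly as grill expects it on stdin.
func (p Probe) String() string {
	return fmt.Sprintf("%s %d", p.Host, p.Port)
}

// ParseConsensus reads a Tor network-status consensus and returns one Probe
// per relay, taken from the "r" (router status) lines. An "r" line has the
// layout
//
//	r nickname identity digest date time IP ORPort DirPort
//
// so the address is field 7 and the ORPort is field 8, which is what the
// README's awk one-liner prints. Lines that start with "r " but do not fit
// that layout are returned separately instead of being dropped silently.
func ParseConsensus(r io.Reader) ([]Probe, []string) {
	var probes []Probe
	var bad []string
	sc := bufio.NewScanner(r)
	sc.Buffer(make([]byte, 0, 64*1024), 1024*1024) // consensus lines can be long
	for sc.Scan() {
		line := sc.Text()
		if !strings.HasPrefix(line, "r ") {
			continue // "s", "v", "w", "p" and header lines carry no address
		}
		f := strings.Fields(line)
		if len(f) < 9 {
			bad = append(bad, line)
			continue
		}
		port, err := strconv.Atoi(f[7])
		if err != nil || port < 1 || port > 65535 {
			bad = append(bad, line)
			continue
		}
		probes = append(probes, Probe{Host: f[6], Port: port})
	}
	return probes, bad
}

// sampleConsensus is a constructed excerpt in the consensus format; the
// nicknames, fingerprints and addresses are invented for this example.
const sampleConsensus = `network-status-version 3
vote-status consensus
r ExampleRelayA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2016-08-12 10:00:00 192.0.2.10 9001 9030
s Fast Running Stable Valid
w Bandwidth=1000
r ExampleRelayB CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2016-08-12 10:00:00 198.51.100.7 443 0
s Running Valid
r BrokenLine EEEEEEEEEEEEEEEEEEEEEEEEEEE
`

func main() {
	// Stand-alone run: emits "host port" lines suitable for grill's stdin and
	// reports any r line it could not understand on stderr.
	probes, bad := ParseConsensus(strings.NewReader(sampleConsensus))
	w := bufio.NewWriter(os.Stdout)
	defer w.Flush()
	for _, p := range probes {
		fmt.Fprintln(w, p)
	}
	for _, l := range bad {
		fmt.Fprintf(os.Stderr, "skipped malformed r line: %q\n", l)
	}
}
```

To use it on a real consensus, replace `strings.NewReader(sampleConsensus)` with `os.Stdin` and pipe the downloaded file in; the stderr report of skipped lines is the check the shell pipeline lacks.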

I managed to scan the whole net in 7m44s using 127 concurrent scans, and in 6m30s by further reducing the timeout to 1.7s (this is probably not safe due to packet loss, congestion, etc.).

Note that 127 is the maximum (and a reasonable) number of open BPFs in OpenBSD. In Linux this limit is higher, but going that high will leave your kernel almost stuck. Anyway, good luck.

Acknowledgments
---------------
`grill` is hugely inspired by similar Scapy scanner by David Stainton [https://github.com/david415/scan_for_rfc5961]
and PoC by violentshell [https://github.com/violentshell/rover].

File Snapshot

```
[4.0K] /data/pocs/c6c62f9d6d158dee7320fd9b6dd1e637ca14e28e
├── [6.9K] LICENSE
├── [2.3K] README.md
├── [4.6K] scanner.go
├── [ 988] tor.filters
└── [4.0K] verdict
    └── [1.5K] verdict.go

1 directory, 5 files
```