POC详情: 1a5a8f062bd28e108951585ccd274459a74723a9

来源
https://github.com/violentshell/rover
关联漏洞
标题: Linux kernel 安全漏洞 (CVE-2016-5696)
描述:Linux kernel是美国Linux基金会发布的开源操作系统Linux所使用的内核。NFSv4 implementation是其中的一个分布式文件系统协议。 Linux kernel 4.7之前的版本中的net/ipv4/tcp_input.c文件中存在安全漏洞。攻击者可利用该漏洞实施中间人攻击,劫持TCP会话。
描述
Proof of Concept code for CVE-2016-5696
介绍
# rover
Proof of Concept code for CVE-2016-5696

Rover is a small python program to discover abitrary client source ports as shown in CVE-2016-569. Once the source port is known, the 4 tuple of information needed to confirm that two host are communicating can be completed. When run, rover establishes a connection with the target server, syncs its internal clock to the server challenge ack time, then begins to search through the default ephemeral port range of most linux hosts (this can be changed if required).

For more information, find the original paper [here](https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_cao.pdf)

This has been tested to run on kali 1.0  against an **Ubuntu 14.04 SSH server**. It should work against others, however some modification to the code may/will be needed. Requirements are:

1. Python2.7
2. Scapy 2.3.2

Usage is as follows:
```
rover.py [-h] -c 192.168.1.1 -s 192.168.1.10 -p 22 [-v v, vv]

CVE2016-5969 Demonstrator.

optional arguments:
  -h, --help       show this help message and exit
  -c 192.168.1.1   The target client IP.
  -s 192.168.1.10  The target server IP.
  -p 22            The target server port.
  -v v, vv         The verbosity level
```

Rover will complete in approx 1-2 minutes, depending on the quality of sync.

![alt text](https://cloud.githubusercontent.com/assets/21149221/17834620/a556cc6e-6788-11e6-9f9b-04f98756a71b.png)

## Some important notes. 
1. Rover is bandwith dependant. It currently sends out 700 packets a second. If it fails to do so in the required time, the program will fail.
2. I have included the line: `os.system('iptables -A OUTPUT -p tcp --tcp-flags RST RST -j DROP')` because the kernel will reset a scapy connection by default. This must be in IPTABLES for the program to work.
3. If you use vmware, keep in mind that workstation and player limit bandwith. This may cause issues. If so, use a physical host for the attack machine.
文件快照

 [4.0K]  /data/pocs/1a5a8f062bd28e108951585ccd274459a74723a9
├── [1.9K]  README.md
└── [ 12K]  rover.py

0 directories, 2 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。