1#!/usr/local/bin/python3 2 3print("ping6 fragment that overlaps the first fragment with the head") 4 5# |---------| 6# |XXXXXXXXX| 7# |----| 8# |----| 9# |----| 10 11import os 12from addr import * 13from scapy.all import * 14 15pid=os.getpid() 16eid=pid & 0xffff 17payload=b"ABCDEFGHIJKLMNOP" 18dummy=b"0123456701234567" 19packet=IPv6(src=LOCAL_ADDR6, dst=REMOTE_ADDR6)/ \ 20 ICMPv6EchoRequest(id=eid, data=payload) 21frag=[] 22fid=pid & 0xffffffff 23frag.append(IPv6ExtHdrFragment(nh=58, id=fid, 24 m=1)/bytes(packet)[40:56]) 25frag.append(IPv6ExtHdrFragment(nh=58, id=fid, 26 offset=1)/dummy) 27frag.append(IPv6ExtHdrFragment(nh=58, id=fid, 28 m=1)/bytes(packet)[40:48]) 29frag.append(IPv6ExtHdrFragment(nh=58, id=fid, 30 offset=1, m=1)/bytes(packet)[48:56]) 31frag.append(IPv6ExtHdrFragment(nh=58, id=fid, 32 offset=2)/bytes(packet)[56:64]) 33eth=[] 34for f in frag: 35 pkt=IPv6(src=LOCAL_ADDR6, dst=REMOTE_ADDR6)/f 36 eth.append(Ether(src=LOCAL_MAC, dst=REMOTE_MAC)/pkt) 37 38if os.fork() == 0: 39 time.sleep(1) 40 sendp(eth, iface=LOCAL_IF) 41 os._exit(0) 42 43ans=sniff(iface=LOCAL_IF, timeout=3, filter= 44 "ip6 and src "+REMOTE_ADDR6+" and dst "+LOCAL_ADDR6+" and icmp6") 45for a in ans: 46 if a and a.type == ETH_P_IPV6 and \ 47 ipv6nh[a.payload.nh] == 'ICMPv6' and \ 48 icmp6types[a.payload.payload.type] == 'Echo Reply': 49 id=a.payload.payload.id 50 print("id=%#x" % (id)) 51 if id != eid: 52 print("WRONG ECHO REPLY ID") 53 exit(2) 54 data=a.payload.payload.data 55 print("payload=%s" % (data)) 56 if data == payload: 57 exit(0) 58 print("PAYLOAD!=%s" % (payload)) 59 exit(2) 60print("NO ECHO REPLY") 61exit(1) 62