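#!/usr/local/bin/python2.7
# send ping6 fragment that overlaps the first fragment with the head
#
# Fragment layout, derived from the offset= values below (one column is
# two bytes of the fragmentable part, X marks the dummy data):
#
# |--------|
#     |XXXXXXXX|
#         |----|
#
# Exit status as coded at the bottom of the script:
#   0  no echo reply was captured within the sniff timeout
#   1  an echo reply carrying the original payload came back
#   2  an echo reply came back with a wrong id or a different payload
# NOTE(review): 0 is presumably the passing result, since a receiver is
# expected to discard a datagram with overlapping fragments (RFC 5722);
# confirm against the harness that runs this script.
#
# This is Python 2 code: str() on a scapy packet is relied on to return
# the raw packet bytes.

import os
from addr import *
from scapy.all import *

pid = os.getpid()
# The ICMPv6 echo identifier is a 16-bit field, but a process id may be
# larger than 0xffff. Mask it so building the request cannot fail and the
# comparison with the reply id below stays meaningful.
eid = pid & 0xffff
payload = "ABCDEFGHIJKLMNOP"
dummy = "0123456701234567"
packet = IPv6(src=SRC_OUT6, dst=DST_IN6) / \
    ICMPv6EchoRequest(id=eid, data=payload)
raw = str(packet)

# raw[0:40] is the IPv6 header; raw[40:64] is the ICMPv6 echo request
# (8 byte header plus the 16 byte payload). Fragment offsets count units
# of 8 bytes, and nh=58 marks the fragmented data as ICMPv6. The fragment
# header id field is 32 bits wide, so the unmasked pid is kept there.
frag = [
    # bytes 0..15: echo header and first half of the payload, more to come
    IPv6ExtHdrFragment(nh=58, id=pid, m=1) / raw[40:56],
    # bytes 8..23: dummy data overlapping the second half of the fragment
    # above
    IPv6ExtHdrFragment(nh=58, id=pid, offset=1) / dummy,
    # bytes 16..23: the genuine second half of the payload
    IPv6ExtHdrFragment(nh=58, id=pid, offset=2) / raw[56:64],
]

eth = []
for f in frag:
    pkt = IPv6(src=SRC_OUT6, dst=DST_IN6) / f
    eth.append(Ether(src=SRC_MAC, dst=DST_MAC) / pkt)

# The child sends the frames after a short delay so that the parent is
# already sniffing when a reply could arrive.
# NOTE(review): time is not imported explicitly in this file; presumably
# it is provided by one of the star imports above.
if os.fork() == 0:
    time.sleep(1)
    sendp(eth, iface=SRC_IF)
    os._exit(0)

ans = sniff(iface=SRC_IF, timeout=3, filter=
    "ip6 and src " + DST_IN6 + " and dst " + SRC_OUT6 + " and icmp6")
for a in ans:
    if a and a.type == ETH_P_IPV6 and \
            ipv6nh[a.payload.nh] == 'ICMPv6' and \
            icmp6types[a.payload.payload.type] == 'Echo Reply':
        reply_id = a.payload.payload.id
        print("id=%#x" % (reply_id))
        if reply_id != eid:
            print("WRONG ECHO REPLY ID")
            exit(2)
        data = a.payload.payload.data
        print("payload=%s" % (data))
        if data == payload:
            # The overlapping fragments were reassembled and answered.
            print("ECHO REPLY")
            exit(1)
        print("PAYLOAD!=%s" % (payload))
        exit(2)
print("no echo reply")
exit(0)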