1#!/usr/local/bin/python2.7
# send ping6 fragments; an extra fragment overlaps the second fragment with its head
3
4# |----|
5#      |----|
6#      |XXXXXXXXX|
7#           |----|
8
9import os
10from addr import *
11from scapy.all import *
12
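# Regression check for reassembly of overlapping IPv6 fragments.
#
# An ICMPv6 echo request is cut by hand into 8-byte fragments, and one extra
# fragment of filler data is placed at the offset of the second fragment.
# The script then listens for an echo reply and reports through its exit
# status:
#   0  no echo reply was seen
#   1  an echo reply carrying the original payload was seen
#   2  an echo reply with an unexpected id or payload was seen
# NOTE(review): exit 0 on silence suggests the target is expected to drop
# the whole overlapping fragment set (RFC 5722 requires that of IPv6
# reassembly) -- confirm against the harness that interprets the status.

pid=os.getpid()
# The ICMPv6 echo identifier is a 16-bit field, so a pid above 0xffff cannot
# be packed into it and building the packet would fail.  Use the low 16 bits
# for the echo id; the 32-bit fragment header id keeps the full pid.
eid=pid & 0xffff
payload="ABCDEFGHIJKLOMNO"
dummy="0123456701234567"
packet=IPv6(src=SRC_OUT6, dst=DST_IN6)/ICMPv6EchoRequest(id=eid, data=payload)

# str(packet)[0:40] is the IPv6 base header, so the slices below are the
# 8-byte ICMPv6 echo header followed by the two 8-byte halves of the payload.
# Fragment offsets count 8-byte units; nh=58 is ICMPv6.
frag=[]
frag.append(IPv6ExtHdrFragment(nh=58, id=pid, m=1)/str(packet)[40:48])
frag.append(IPv6ExtHdrFragment(nh=58, id=pid, offset=1, m=1)/str(packet)[48:56])
# The overlapping fragment: 16 filler bytes at offset 1 without the
# more-fragments flag, covering the ranges of fragments two and four.
frag.append(IPv6ExtHdrFragment(nh=58, id=pid, offset=1)/dummy)
frag.append(IPv6ExtHdrFragment(nh=58, id=pid, offset=2)/str(packet)[56:64])

# Wrap every fragment in its own IPv6 and Ethernet header.
eth=[]
for f in frag:
	pkt=IPv6(src=SRC_OUT6, dst=DST_IN6)/f
	eth.append(Ether(src=SRC_MAC, dst=DST_MAC)/pkt)

# The child sends after a one second delay, presumably so that the parent
# is already sniffing; os._exit() leaves without running the parent's
# remaining code in the child.
if os.fork() == 0:
	time.sleep(1)
	sendp(eth, iface=SRC_IF)
	os._exit(0)

# The parent captures ICMPv6 traffic coming back from the target for three
# seconds.
ans=sniff(iface=SRC_IF, timeout=3, filter=
    "ip6 and src "+DST_IN6+" and dst "+SRC_OUT6+" and icmp6")
for a in ans:
	if a and a.type == scapy.layers.dot11.ETHER_TYPES.IPv6 and \
	    ipv6nh[a.payload.nh] == 'ICMPv6' and \
	    icmp6types[a.payload.payload.type] == 'Echo Reply':
		reply_id=a.payload.payload.id
		print "id=%#x" % (reply_id)
		# Compare against the masked id that was actually sent.
		if reply_id != eid:
			print "WRONG ECHO REPLY ID"
			exit(2)
		data=a.payload.payload.data
		print "payload=%s" % (data)
		# A reply with the original payload means the overlapping
		# fragments were reassembled and answered.
		if data == payload:
			print "ECHO REPLY"
			exit(1)
		print "PAYLOAD!=%s" % (payload)
		exit(2)
print "no echo reply"
exit(0)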
52