Crafting Overlapping Fragments ….. Finally!

In the two posts leading up to this one, I discussed the theory of fragmentation and checksums . Now, we're finally ready to see the Scapy code that will craft the fragments show in the following diagram.

Because most of the complexity of crafting overlapping fragments is associated with fragmentation and checksum theory, the code is very simple.

We set some variables – our destination IP, and the payloads that will be found in the three different datagrams that will be sent. We craft the first IP header to contain the destination IP, ICMP as the protocol, an IP ID value of 12345, and the MF flag set. We craft an ICMP header for an ICMP echo request, and assign it the appropriate checksum value that we've already computed using techniques discussed in the 2nd post. We craft the packet consisting of an IP header, followed by the ICMP header, followed by the first payload of "AABBAABBAABB" and send it.

The second datagram has an IP header that is similar to the first; however, it contains a fragment offset of 1, or 8 bytes after the IP header. We attach what becomes the overlapping payload value of "BBAABBAABBAA" and send it. Finally, the third datagram IP header has an MF flag of 0 to indicate that this is the final fragment and give it a fragment offset of 2, or 16 bytes after the IP header. It has a payload value of "CCCCCCCC".

Now, let's execute the program and capture the traffic using tcpdump. Remember that if everything goes well, we should elicit an ICMP echo reply with a payload that reveals the favored fragment. Let's see the outcome. As you can see the receiver responds with a payload of "AABBAABBCCCCCCCC" in the ICMP echo reply, meaning that it favored the first fragment.

Remember that if you try this code, you may get a different response because different operating systems may favor the overlapping fragment. The test we just performed was with wholly overlapping fragments where the original and overlapping fragments began at the same fragment offset and were the same length. There are many more tests that are discussed in more detail in the "Target-based Fragmentation Reassembly"

Let's take one more example of overlapping fragments.

This time, the first datagram contains an IP header with the MF set and an ICMP header. The first fragment falls 16 bytes after the IP header, leaving an 8-byte gap between the end of the ICMP header and the fragment payload of "ABABABAB". We follow this with an overlap of the first fragment. But, this fragment payload begins before and ends after the first fragment payload. It fills in the missing 8-byte gap between end of the ICMP header and the beginning of the first fragment with a payload of "AAAAAAAA", overlaps the first fragment with a payload of "BABABABA", and has 8 additional bytes of "CCCCCCCC".

First, let's use interactive Scapy to craft the packet we're going to send and display the ICMP header to expose the ICMP checksum value we need to supply.

We see that we need an ICMP checksum value of 0xdce8. Here is the simple program to craft the overlaps.

Our first fragment is comprised of an IP header with the MF set, followed by the ICMP header with the correct ICMP checksum. The second fragment lies at an offset of 2, or 16 bytes after the IP header, with the MF set, and a payload of "ABABABAB". The third and final fragment begins at an offset of 1, or 8 bytes after the IP header (directly after the ICMP header), the MF is not set, with a payload of "AAAAAAAABABABABACCCCCCCC".

We see the receiver's ICMP echo response payload of "AAAAAAAABABABABACCCCCCCC", indicating it favored the overlapping fragment.

That wraps up this series on crafting overlapping fragments using Scapy. As you see, the code is fairly simple if you understand the concepts of fragmentation and checksums. Give it a shot and try these examples or other overlap combinations to see what responses you receive.