
CVE-2019-11477 PoC — Integer overflow in TCP_SKB_CB(skb)->tcp_gso_segs

Associated Vulnerability

Title: Integer overflow in TCP_SKB_CB(skb)->tcp_gso_segs (CVE-2019-11477)

Description: Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an integer overflow in the Linux kernel when handling TCP Selective Acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit 3b4929f65b0d8249f19a50245cd88ed1a2f78cff.
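As an added check that is not part of the PoC repository, the fixed stable releases listed above can be turned into a classifier for an upstream kernel release string. It assumes (not stated in the advisory) that mainline 5.2 and later contain the fix commit, and it cannot see distribution backports, so a distro kernel must be checked against the distro's own advisory instead.

```python
import re

# Stable releases that carry the fix (from the advisory above), keyed by branch.
FIXED_IN = {
    (4, 4): (4, 4, 182),
    (4, 9): (4, 9, 182),
    (4, 14): (4, 14, 127),
    (4, 19): (4, 19, 52),
    (5, 1): (5, 1, 11),
}

# Assumption (not in the advisory): every mainline release from 5.2 on
# contains commit 3b4929f65b0d8249f19a50245cd88ed1a2f78cff.
FIRST_MAINLINE_WITH_FIX = (5, 2, 0)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_release(release: str) -> tuple:
    """Reduce a `uname -r` string such as '4.19.50-generic' to (major, minor, patch)."""
    m = _VERSION_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def sack_panic_status(release: str) -> str:
    """Classify an upstream kernel release as 'fixed', 'vulnerable' or 'unknown'.

    'unknown' covers branches the advisory does not list (for example 4.15 or
    4.18) and anything older than 4.4; distro kernels whose backports are
    invisible in the version string may be misreported, see the lead-in.
    """
    version = parse_release(release)
    branch = version[:2]
    if branch in FIXED_IN:
        return "fixed" if version >= FIXED_IN[branch] else "vulnerable"
    if version >= FIRST_MAINLINE_WITH_FIX:
        return "fixed"
    return "unknown"


if __name__ == "__main__":
    import platform
    # On Linux, platform.release() is the same string `uname -r` prints.
    print(platform.release(), "->", sack_panic_status(platform.release()))
```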
Readme
# cve-2019-11477-poc

## Simple Test
1. Start two VMs
   - one for an SSL server and the other for an SSL client

2. [Server] Execute the server application
   - cd apps
   - ./server.sh 7000

3. [Client] Install the required packages
   - sudo apt-get install libmnl-dev
   - sudo apt-get install libnetfilter-queue-dev

4. [Client] Add one record to /etc/hosts in the client VM
   - <the IP address of the server> www.alice.com

5. [Client] Build and insert the kernel module in the client VM
   - cd module
   - make
   - sudo insmod interceptor.ko

6. [Client] Build and execute the craft netfilter application
   - cd craft
   - make
   - sudo ./craft

7. [Client] Execute the client application
   - cd apps
   - ./client.sh www.alice.com 7000 index.html
File Snapshot

```
[4.0K] /data/pocs/96007ebca14bba81b0adceade4fae62f30f652c8
├── [4.0K] apps
│   ├── [9.3K] client.c
│   ├── [ 552] client.sh
│   ├── [ 945] Makefile
│   ├── [ 214] README
│   ├── [ 14K] server.c
│   ├── [ 498] server.sh
│   └── [4.0K] www.alice.com
│       ├── [2.8K] alice_ecc_256_cert.crt
│       ├── [ 302] alice_ecc_256_priv.key
│       ├── [ 964] ca_ecc_alice.pem
│       ├── [ 695] cert.der
│       ├── [ 16M] index.html
│       ├── [ 121] priv.der
│       └── [  10] test.html
├── [4.0K] craft
│   ├── [4.9K] craft.c
│   ├── [ 571] Makefile
│   ├── [ 11K] tcpopt.c
│   └── [1.9K] tcpopt.h
├── [4.0K] include
│   ├── [1.7K] debug.h
│   ├── [ 167] defines.h
│   ├── [1.1K] kdebug.h
│   └── [4.0K] openssl
│       ├── [ 20K] aead.h
│       ├── [7.1K] aes.h
│       ├── [4.7K] arm_arch.h
│       ├── [ 37K] asn1.h
│       ├── [ 892] asn1_mac.h
│       ├── [ 28K] asn1t.h
│       ├── [8.2K] base64.h
│       ├── [ 16K] base.h
│       ├── [ 36K] bio.h
│       ├── [4.0K] blowfish.h
│       ├── [ 46K] bn.h
│       ├── [ 891] buffer.h
│       ├── [5.6K] buf.h
│       ├── [ 23K] bytestring.h
│       ├── [4.3K] cast.h
│       ├── [1.5K] chacha.h
│       ├── [ 25K] cipher.h
│       ├── [3.1K] cmac.h
│       ├── [6.8K] conf.h
│       ├── [7.1K] cpu.h
│       ├── [4.8K] crypto.h
│       ├── [8.2K] curve25519.h
│       ├── [7.9K] des.h
│       ├── [ 11K] dh.h
│       ├── [ 13K] digest.h
│       ├── [ 19K] dsa.h
│       ├── [ 873] dtls1.h
│       ├── [4.9K] ecdh.h
│       ├── [8.3K] ecdsa.h
│       ├── [ 17K] ec.h
│       ├── [ 14K] ec_key.h
│       ├── [3.6K] engine.h
│       ├── [ 900] e_os2.h
│       ├── [ 19K] err.h
│       ├── [ 39K] evp.h
│       ├── [8.9K] ex_data.h
│       ├── [2.6K] hkdf.h
│       ├── [7.5K] hmac.h
│       ├── [ 863] is_boringssl.h
│       ├── [7.6K] lhash.h
│       ├── [9.7K] lhash_macros.h
│       ├── [ 10K] logs.h
│       ├── [3.3K] logs.h.bak
│       ├── [4.4K] md4.h
│       ├── [4.4K] md5.h
│       ├── [6.3K] mem.h
│       ├── [145K] nid.h
│       ├── [ 891] objects.h
│       ├── [10.0K] obj.h
│       ├── [ 891] obj_mac.h
│       ├── [2.0K] opensslconf.h
│       ├── [ 894] opensslv.h
│       ├── [ 892] ossl_typ.h
│       ├── [ 16K] pem.h
│       ├── [ 893] pkcs12.h
│       ├── [7.8K] pkcs7.h
│       ├── [ 12K] pkcs8.h
│       ├── [2.0K] poly1305.h
│       ├── [3.8K] pool.h
│       ├── [4.5K] rand.h
│       ├── [3.9K] rc4.h
│       ├── [4.6K] ripemd.h
│       ├── [ 34K] rsa.h
│       ├── [ 873] safestack.h
│       ├── [10.0K] sha.h
│       ├── [6.1K] span.h
│       ├── [ 891] srtp.h
│       ├── [ 14K] ssl3.h
│       ├── [232K] ssl.h
│       ├── [ 23K] stack.h
│       ├── [ 819] sys_timer.h
│       ├── [8.1K] thread.h
│       ├── [ 29K] tls1.h
│       ├── [4.1K] type_check.h
│       ├── [ 48K] x509.h
│       ├── [ 28K] x509v3.h
│       └── [ 29K] x509_vfy.h
├── [ 650] kernel.md
├── [4.0K] lib
│   ├── [3.4M] libcrypto.so
│   └── [5.4M] libssl.so
├── [4.0K] module
│   ├── [3.4K] catcher.c
│   └── [ 296] Makefile
├── [ 723] README.md
├── [1.9K] sack-debug.diff
└── [4.0K] scripts
    └── [ 445] gen_contents.py

8 directories, 105 files
```