lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <200312041635.43654.julien@cr0.org>
Date: Thu, 4 Dec 2003 16:35:43 +0100
From: Julien TINNES <julien@....org>
To: bugtraq@...urityfocus.com
Subject: Linux kernel do_brk(), another proof-of-concept code for i386

There were complains that previous POC wasn't working on some kernels, and I 
even saw a guy on IRC asking about POC using a different method.

The previous version was relying on the Linux ELF loader to call do_brk for 
us. This one uses sys_brk(), but to bypass a check of available memory in 
sys_brk we still have to map our code high in memory (but not past 
PAGE_OFFSET this time).

To be able to call sys_brk with success we had to make sure the stack was'nt 
above our program (in most case we have to move it).

Then you can easily crash your system (do a fork(), clone(), execve()...), 
doing something else is'nt trivial :p

Use NASM 0.98.38 or higher to compile.

Julien TINNES

View attachment "brk_poc_sys_brk.asm" of type "text/plain" (3298 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ