[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1073429825.6468.67.camel@unsigned.local.fr>
From: info16 at ifrance.com (Pierre BETOUIN)
Subject: Re: Linux kernel do_mremap()
proof-of-concept exploit code
That's true. The piece of vulnerable code is here :
#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC
if (current->flags & PF_PAX_SEGMEXEC) {
if (new_len > SEGMEXEC_TASK_SIZE || new_addr
> SEGMEXEC_TASK_SIZE-new_len)
goto out;
} else
#endif
The PoC can be easily adapted.
Pierre
Le mar 06/01/2004 ? 21:34, backblue a ?crit :
> On Tue, 6 Jan 2004 11:47:26 -0700
> "Epic" <epic@...k3r.com> wrote:
>
> > I too tested it on my 2.4.23 kernel with grsec, and nothing.
> >
> >
> > ----- Original Message -----
> > From: "Daniel Husand" <io@...v.us>
> > To: <full-disclosure@...ts.netsys.com>
> > Sent: Tuesday, January 06, 2004 10:54 AM
> > Subject: [Full-Disclosure] Re: Linux kernel do_mremap() proof-of-concept
> > exploit code
> >
> >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > Christophe Devine wrote:
> > >
> > > | The following program can be used to test if a x86 Linux system
> > > | is vulnerable to the do_mremap() exploit; use at your own risk.
> > > |
> > > | $ cat mremap_poc.c
> > > |
> > >
> > > This didnt do anything on my 2.4.23-grsec kernel.
> > >
> > > - --
> > > Daniel
> > > -----BEGIN PGP SIGNATURE-----
> > > Version: GnuPG v1.2.3 (MingW32)
> > > Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
> > >
> > > iD8DBQE/+vZz1PIgHh6MkiIRAiqNAKCiuyxtA9rgaAS+eT3o9ATvLE7EuQCeJAZP
> > > Xf8JIDehgtGba4b1Eb2Qv0w=
> > > =xyYM
> > > -----END PGP SIGNATURE-----
--
Pierre BETOUIN
http://securitech.homeunix.org
http://www.challenge-securitech.com
GnuPG key : E7AD 29A1 7345 5BA0 9469 DE62 2CD5 9242 94D9 CB23
lynx -dump securitech.homeunix.org/pbetouin.asc | gpg --import
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Ceci est une partie de message
=?ISO-8859-1?Q?num=E9riquement?= =?ISO-8859-1?Q?_sign=E9e=2E?=
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040106/d09b11ed/attachment.bin
Powered by blists - more mailing lists