Bugtraq mailing list archives
Linux kernel do_brk(), another proof-of-concept code for i386
From: Julien TINNES <julien () cr0 org>
Date: Thu, 4 Dec 2003 16:35:43 +0100
There were complaints that the previous POC wasn't working on some kernels, and I even saw a guy on IRC asking about a POC using a different method.

The previous version was relying on the Linux ELF loader to call do_brk for us. This one uses sys_brk(), but to bypass a check of available memory in sys_brk we still have to map our code high in memory (but not past PAGE_OFFSET this time). To be able to call sys_brk with success we had to make sure the stack wasn't above our program (in most cases we have to move it).

Then you can easily crash your system (do a fork(), clone(), execve()...), doing something else isn't trivial :p

Use NASM 0.98.38 or higher to compile.

Julien TINNES
Attachment: brk_poc_sys_brk.asm
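The post says sys_brk() only succeeds when nothing (such as the stack) is mapped directly above the program, and that a further resource check has to be worked around. The following program, added here as an illustration and not part of the post or its attachment, shows two of the checks sys_brk applies on a current Linux/glibc system, from the user-space side: a mapping placed right above the program break makes an extension over it fail, and an exhausted RLIMIT_DATA makes any extension fail. Both refusals come back as ENOMEM. The blocker page, the page counts and the function names are my own constructions; the overcommit ("available memory") check the post mentions, and the do_brk() bounds check it targets, are not exercised here.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>

/* Linux 4.17+ flag; on older kernels the bit is ignored and the address is a hint,
   so the result is checked against the requested address below. */
#ifndef MAP_FIXED_NOREPLACE
#define MAP_FIXED_NOREPLACE 0x100000
#endif

/* Round an address up to the next page boundary. */
static uintptr_t page_align_up(uintptr_t addr)
{
    uintptr_t ps = (uintptr_t)sysconf(_SC_PAGESIZE);
    return (addr + ps - 1) & ~(ps - 1);
}

/*
 * Check 1: a mapping sitting directly above the program break must make a
 * brk() extension across it fail (the "stack above our program" situation
 * in the post). Returns 1 if the kernel refused the extension, 0 if it was
 * granted, -1 if the constructed setup itself could not be established.
 */
int brk_refused_when_mapping_above(void)
{
    uintptr_t ps  = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t top = page_align_up((uintptr_t)sbrk(0)); /* first page past the heap */

    /* Constructed blocker: one anonymous page placed exactly at the end of the heap. */
    void *blocker = mmap((void *)top, ps, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED_NOREPLACE, -1, 0);
    if (blocker == MAP_FAILED)
        return -1;
    if (blocker != (void *)top) {          /* old kernel treated it as a hint */
        munmap(blocker, ps);
        return -1;
    }

    errno = 0;
    int rc  = brk((void *)(top + 2 * ps));   /* would have to grow across the blocker */
    int err = errno;

    munmap(blocker, ps);
    return (rc == -1 && err == ENOMEM) ? 1 : 0;
}

/*
 * Check 2: RLIMIT_DATA bounds the data segment, so with the soft limit set to
 * zero any brk() growth must be refused. The caller's limit is restored
 * afterwards. Same return convention as above.
 */
int brk_refused_when_over_rlimit(void)
{
    struct rlimit saved, tight;
    if (getrlimit(RLIMIT_DATA, &saved) != 0)
        return -1;
    tight = saved;
    tight.rlim_cur = 0;                      /* no data-segment growth allowed */
    if (setrlimit(RLIMIT_DATA, &tight) != 0)
        return -1;

    uintptr_t ps  = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t top = page_align_up((uintptr_t)sbrk(0));

    errno = 0;
    int rc  = brk((void *)(top + 4 * ps));
    int err = errno;

    setrlimit(RLIMIT_DATA, &saved);          /* restore the caller's limit */
    return (rc == -1 && err == ENOMEM) ? 1 : 0;
}

int main(void)
{
    int above = brk_refused_when_mapping_above();
    int rlim  = brk_refused_when_over_rlimit();
    printf("brk() refused with a mapping directly above the break: %s\n",
           above == 1 ? "yes" : "NO");
    printf("brk() refused with RLIMIT_DATA exhausted:              %s\n",
           rlim == 1 ? "yes" : "NO");
    return (above == 1 && rlim == 1) ? 0 : 1;
}
```

Compile with `cc -Wall -o brk_checks brk_checks.c` and run it unprivileged; both lines should read "yes" on a kernel that enforces these checks. The program never asks for a break beyond the user address range, so it is safe to run on any kernel.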