
[Full-Disclosure] Linux kernel do_brk(), another proof-of-concept code for i386

From: Julien TINNES <julien@cr0.org>
Date: Thu Dec 04 2003 - 09:55:35 CST

There were complaints that the previous POC wasn't working on some kernels, and I
even saw a guy on IRC asking about a POC using a different method.

The previous version was relying on the Linux ELF loader to call do_brk for
us. This one uses sys_brk(), but to bypass a check of available memory in
sys_brk we still have to map our code high in memory (but not past
PAGE_OFFSET this time).

To be able to call sys_brk with success we had to make sure the stack wasn't
above our program (in most cases we have to move it).

Then you can easily crash your system (do a fork(), clone(), execve()...),
doing something else isn't trivial :p

Use NASM 0.98.38 or higher to compile.

Julien TINNES
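The post relies on do_brk() accepting a range that reaches up to (but not past) PAGE_OFFSET. As an added illustration that is not part of the original post or its POC, the following user-space C function shows the range check a correct do_brk() needs before it maps anything: both the "end past TASK_SIZE" case and the 32-bit wraparound case must be rejected. The constant I386_TASK_SIZE assumes the classic i386 3G/1G split, where user space ends at PAGE_OFFSET.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout for the classic i386 3G/1G split: user space ends at
 * PAGE_OFFSET, which is also TASK_SIZE. Illustration only, not kernel code. */
#define I386_TASK_SIZE 0xC0000000UL

/* Return 1 if [addr, addr+len) lies entirely inside user space, 0 otherwise.
 * Two failure modes matter: the range extending past task_size, and addr+len
 * wrapping in 32-bit arithmetic so that a naive "end > task_size" test alone
 * would wrongly accept it. Arithmetic is done in uint32_t on purpose so the
 * wraparound is reproducible on a 64-bit host. */
int brk_range_ok(uint32_t addr, uint32_t len, uint32_t task_size)
{
    uint32_t end = addr + len;   /* may wrap on overflow */
    if (end < addr)              /* wrapped around: reject */
        return 0;
    if (end > task_size)         /* reaches into kernel space: reject */
        return 0;
    return 1;                    /* whole range is below TASK_SIZE */
}

int main(void)
{
    /* Constructed sample ranges, printed as ok/rejected. */
    printf("normal heap   : %s\n", brk_range_ok(0x08048000u, 0x1000u, I386_TASK_SIZE) ? "ok" : "rejected");
    printf("ends at limit : %s\n", brk_range_ok(0xBFFFF000u, 0x1000u, I386_TASK_SIZE) ? "ok" : "rejected");
    printf("past limit    : %s\n", brk_range_ok(0xBFFFF000u, 0x2000u, I386_TASK_SIZE) ? "ok" : "rejected");
    printf("wraps around  : %s\n", brk_range_ok(0xFFFFF000u, 0x2000u, I386_TASK_SIZE) ? "ok" : "rejected");
    return 0;
}
```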


Received on Thu Dec 04 10:59:49 2003
