[Full-Disclosure] Re: Linux kernel do_mremap() proof-of-concept exploit code

Pierre BETOUIN info16 at ifrance.com
Tue Jan 6 22:57:05 GMT 2004 

That's true. The piece of vulnerable code is here :

#ifdef CONFIG_GRKERNSEC_PAX_SEGMEXEC
                if (current->flags & PF_PAX_SEGMEXEC) {
                        if (new_len > SEGMEXEC_TASK_SIZE || new_addr
					> SEGMEXEC_TASK_SIZE-new_len)
                        goto out;
                } else
#endif  

The PoC can be easily adapted.

	Pierre

Le mar 06/01/2004 à 21:34, backblue a écrit :
> On Tue, 6 Jan 2004 11:47:26 -0700
> "Epic" <epic at hack3r.com> wrote:
> 
> > I too tested it on my 2.4.23 kernel with grsec, and nothing.
> > 
> > 
> > ----- Original Message ----- 
> > From: "Daniel Husand" <io at naiv.us>
> > To: <full-disclosure at lists.netsys.com>
> > Sent: Tuesday, January 06, 2004 10:54 AM
> > Subject: [Full-Disclosure] Re: Linux kernel do_mremap() proof-of-concept
> > exploit code
> > 
> > 
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > Christophe Devine wrote:
> > >
> > > | The following program can be used to test if a x86 Linux system
> > > | is vulnerable to the do_mremap() exploit; use at your own risk.
> > > |
> > > | $ cat mremap_poc.c
> > > |
> > >
> > > This didnt do anything on my 2.4.23-grsec kernel.
> > >
> > > - --
> > > Daniel
> > > -----BEGIN PGP SIGNATURE-----
> > > Version: GnuPG v1.2.3 (MingW32)
> > > Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
> > >
> > > iD8DBQE/+vZz1PIgHh6MkiIRAiqNAKCiuyxtA9rgaAS+eT3o9ATvLE7EuQCeJAZP
> > > Xf8JIDehgtGba4b1Eb2Qv0w=
> > > =xyYM
> > > -----END PGP SIGNATURE-----

-- 
Pierre BETOUIN
	http://securitech.homeunix.org
	http://www.challenge-securitech.com
GnuPG key : E7AD 29A1 7345 5BA0 9469  DE62 2CD5 9242 94D9 CB23
lynx -dump securitech.homeunix.org/pbetouin.asc | gpg --import
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Ceci est une partie de message
	=?ISO-8859-1?Q?num=E9riquement?= =?ISO-8859-1?Q?_sign=E9e=2E?=
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040106/d09b11ed/attachment.bin

Full-Disclosure is hosted and sponsored by Secunia.