Professional Webmasters Community

Linux 2.6.x fs/pipe.c local root exploit

andry, Mon Nov 01, 2010 12:48 am

For those who were not yet aware, there are at least 3 public exploits
since 11/05/2009 for CVE-2009-3547 targeting *all* Linux kernels from
2.6.0 to 2.6.31 included. Since spender and fotis have already released
their own, there is no need for us to keep this on our hd.
ImpelDown.c is a PoC trying to exploit a null ptr dereference in fs/pipe.c
for *all* Linux kernels from 2.6.0 to 2.6.31, and ImpelDown-2.6.31only.c
targets only Linux kernel version 2.6.31 (tested and approved with
mmap_min_addr at 0).
If you were writing your own, you have already noticed that there is a
subtle difference in the way you can own kernels 2.6.0 up to 2.6.10 and
kernels 2.6.11 up to 2.6.31: in the first one the null ptr deref leads
to an arbitrary write to everywhere in the kernel since you have control
over the destination address of

linux2.6.9/fs/pipe.c

More info and exploit http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2009-11/msg00105.html
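A defender-side triage of the two conditions the post names (a kernel from 2.6.0 to 2.6.31, and `mmap_min_addr` at 0), as an added example that is not part of the original post or of any exploit author's code. The function names and output labels are hypothetical, and the version string is only a hint, since a vendor kernel in that range may carry a backported fix.

```shell
#!/bin/sh
# Added example: triage a host against the conditions stated in the post for
# CVE-2009-3547. Function names and labels are hypothetical (not from the post).

# in_affected_range RELEASE
# Succeeds when RELEASE (as printed by `uname -r`) is 2.6.0 .. 2.6.31, the
# range given in the post. Assumption: 2.6.31.y stable releases and distro
# builds count as in range; they still need a patch-level check by hand.
in_affected_range() {
    rel=${1%%-*}                     # 2.6.18-194.el5 -> 2.6.18
    case $rel in
        2.6.*) ;;
        *) return 1 ;;
    esac
    patch=${rel#2.6.}                # 31 or 31.5
    patch=${patch%%[!0-9]*}          # keep the leading digits only
    [ -n "$patch" ] && [ "$patch" -le 31 ]
}

# assess RELEASE MMAP_MIN_ADDR
# Prints one label. MMAP_MIN_ADDR is the content of
# /proc/sys/vm/mmap_min_addr, or empty when the kernel lacks that sysctl.
assess() {
    if ! in_affected_range "$1"; then
        echo "out-of-range"
        return 0
    fi
    case $2 in
        ''|*[!0-9]*)
            echo "in-range:mmap_min_addr-unknown" ;;
        *)
            if [ "$2" -eq 0 ]; then
                # Page zero can be mapped by unprivileged processes.
                echo "in-range:page-zero-mappable"
            else
                echo "in-range:page-zero-protected"
            fi ;;
    esac
}

# Run against the local host only when asked to: sh script.sh --local
if [ "${1:-}" = "--local" ]; then
    assess "$(uname -r)" "$(cat /proc/sys/vm/mmap_min_addr 2>/dev/null)"
fi
```

A `page-zero-protected` result reflects a mitigation setting only; an in-range kernel still needs the vendor's fix for CVE-2009-3547.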