This post was last edited by willcream on 2015-09-20 13:16
I have recently been studying a kernel bug, but after looking at it for a long time I still have not understood how this bug is exploited. I hope someone can help explain it. Many thanks...

/*
 * pwned.c - linux 2.4 and 2.6 sys_uselib local root exploit. PRIVATE.
 * it's not the best one, the ldt approach is definitively better.
 * discovered may 2004. no longer private because lorian/cliph/ihaquer
 * can lick my balls.
 * (c) 2004 sd <sd@fucksheep.org>
 * requires cca 1gb on fs.
 */


/*
 * first create fake vma structs.
 *
 *
 * let's have 3 threads, t1, t2 and t3.
 * t1 and t2 have common vm.
 *
 * t3:
 *   - wait4sig (will come back from t2)
 *   - write(fd3, bigmem, bigfile_size)
 *   - exit()
 * t1:
 *   - fd3 = empty file
 *   - fd1 = bigfile, writing it took 16 secs
 *   - bigmem = mmap(NULL, bigfile_size, fd1, 0);
 *   - t3 = fork()
 *   - t2 = clone()
 *   - fd2 = munmap_file, size of ram.
 *   - mumem = mmap(NULL, munmap_file_size, fd2)
 *   - mmap(mumem, 4096, ANONYMOUS) // for extending do_brk check
 *   - mmap lots of vmas
 *   - close(fd2);
 *   - create evil lib
 *   - free lot of vmas
 *   - sig @ t2
 *   - evil_lib->do_munmap(mumem + 4096, munmap_file_size - 4096);
 *   - sem = 1
 *   - waitpid
 * t2:
 *   - wait4sig
 *   - sleep(100msec)
 *   - mmap(mumem, fd3, 4096) // this is being protected by i_sem !
 *   - sendsig @ t3
 *   - sleep(100msec)
 *   - if (sem) error
 *   - msync(mumem, 8192) - will wait for write() to finish. munmap finishes by that
 *     time
 *   - if (!sem) error
 *   - if it does return we failed, otherwise shell.
 *
 */
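The header quoted in the post is an exploitation plan, not the bug itself, so here is an added example (my own code, not code from the post or from pwned.c) that models the locking mistake the plan races against. In the 2.4/2.6 kernels of the time, load_elf_library() in fs/binfmt_elf.c called do_brk() without holding current->mm->mmap_sem, which is exactly what the fix for CVE-2004-1235 added. do_brk() assumes its caller holds that semaphore for writing, so a sibling thread that shares the mm (t2 in the plan, created with clone()) can munmap() the very VMA do_brk() has just looked up. The VMA list, find_vma(), do_munmap() and the two-step do_brk() below are simplified stand-ins with addresses chosen for illustration, and the interleaving is forced by a fixed schedule instead of real threads, which is why the result is deterministic.

```c
/* User-space model of the uselib() race: a do_brk()-style VMA extension
 * running with and without mmap_sem against a munmap() from a sibling
 * thread.  Simplified stand-ins for the kernel structures, not kernel code. */
#include <stdio.h>
#include <stdlib.h>

struct vma {
    unsigned long start, end;   /* covers [start, end) */
    struct vma *next;
    int freed;                  /* set instead of free() so a stale use stays visible */
};

struct mm {
    struct vma *mmap;           /* sorted, non-overlapping list of VMAs */
    int mmap_sem_writer;        /* 1 while down_write(&mm->mmap_sem) is held */
};

static struct vma *vma_alloc(unsigned long s, unsigned long e)
{
    struct vma *v = calloc(1, sizeof *v);
    if (!v)
        abort();
    v->start = s;
    v->end = e;
    return v;
}

/* Like the kernel's find_vma(): first VMA whose end lies above addr. */
static struct vma *find_vma(struct mm *mm, unsigned long addr)
{
    for (struct vma *v = mm->mmap; v; v = v->next)
        if (v->end > addr)
            return v;
    return NULL;
}

static void vma_link(struct mm *mm, struct vma *v)
{
    struct vma **pp = &mm->mmap;
    while (*pp && (*pp)->start < v->start)
        pp = &(*pp)->next;
    v->next = *pp;
    *pp = v;
}

/* do_munmap(): needs mmap_sem; returns -1 where the real one would sleep in
 * down_write().  Unlinks and "frees" every VMA fully inside [start, start+len)
 * (the kernel also splits partially covered VMAs; the model does not need that). */
static int do_munmap(struct mm *mm, unsigned long start, unsigned long len)
{
    if (mm->mmap_sem_writer)
        return -1;
    struct vma **pp = &mm->mmap;
    int n = 0;
    while (*pp) {
        struct vma *v = *pp;
        if (v->start >= start && v->end <= start + len) {
            *pp = v->next;
            v->next = NULL;
            v->freed = 1;
            n++;
        } else {
            pp = &v->next;
        }
    }
    return n;
}

/* do_brk() split into lookup and commit so a schedule can interleave a
 * munmap between them.  Commit returns 1 if it wrote through a VMA that was
 * freed in between, i.e. the stale vm_area_struct use the race produces. */
struct brk_op {
    struct mm *mm;
    unsigned long addr, len;
    struct vma *prev;           /* VMA ending exactly at addr, extended in place */
};

static void do_brk_lookup(struct brk_op *op)
{
    struct vma *v = find_vma(op->mm, op->addr - 1);
    op->prev = (v && v->end == op->addr) ? v : NULL;
}

static int do_brk_commit(struct brk_op *op)
{
    if (op->prev) {
        int stale = op->prev->freed;
        op->prev->end = op->addr + op->len;
        return stale;
    }
    vma_link(op->mm, vma_alloc(op->addr, op->addr + op->len));
    return 0;
}

/* Thread A runs do_brk() on the data segment while thread B munmap()s it.
 * Addresses are illustrative.  With the semaphore, B sleeps in down_write()
 * until A's up_write(), so A's lookup and commit see the same list; without
 * it, B runs between them, which is the window load_elf_library() left open. */
static int simulate(int take_mmap_sem)
{
    struct mm mm = { NULL, 0 };
    vma_link(&mm, vma_alloc(0x08048000UL, 0x08049000UL));   /* text */
    vma_link(&mm, vma_alloc(0x08049000UL, 0x0804a000UL));   /* data: do_brk target */
    struct brk_op op = { &mm, 0x0804a000UL, 0x2000UL, NULL };
    int stale;

    if (take_mmap_sem) {
        mm.mmap_sem_writer = 1;                                  /* A: down_write() */
        do_brk_lookup(&op);
        int blocked = do_munmap(&mm, 0x08049000UL, 0x3000UL) < 0;  /* B: sleeps */
        stale = do_brk_commit(&op);
        mm.mmap_sem_writer = 0;                                  /* A: up_write() */
        if (blocked)
            do_munmap(&mm, 0x08049000UL, 0x3000UL);              /* B: wakes, proceeds */
    } else {
        do_brk_lookup(&op);                                      /* A: picks the data VMA */
        do_munmap(&mm, 0x08049000UL, 0x1000UL);                  /* B: frees it meanwhile */
        stale = do_brk_commit(&op);                              /* A: writes the freed VMA */
    }
    return stale;
}

int main(void)
{
    printf("do_brk under mmap_sem : stale write = %d\n", simulate(1));
    printf("do_brk without lock   : stale write = %d\n", simulate(0));
    return 0;
}
```

The unlocked run returns 1: the VMA that do_brk_commit() extends was already unlinked and marked freed by the munmap, which in the real kernel is a write through a dangling vm_area_struct pointer. The window between lookup and commit is tiny, and that is what the timing tricks in the plan (the sleeps, the big write in t3 that t2's msync() has to wait for) exist to stretch; the model skips them and forces the interleaving directly.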