I failed to crash any of my test systems with that exploit, hardened or not. And no-one else seems to have confirmed that it does work. I can, however, crash x86_64 systems with another unfixed bug (up to 2.6.12-rc4).
Antoine

On Fri, 2005-05-13 at 15:09 +0100, Pedro Venda wrote:
> hi everyone,
>
> Has anyone got a clue on how the proof-of-concept code should behave on
> vulnerable and not vulnerable machines?
>
> On a PaX+grsecurity hardened server, it outputs:
>
> [+] ./elfcd1 argv_start=0xb47b23d4 argv_end=0xb47b23dc ESP: 0xb47b1890
> [+] phase 1
> [+] AAAA argv_start=0xb5e0442e argv_end=0xb5e04432 ESP: 0xb5e03930
> [+] phase2, <RET> to crash
> Killed
>
> and doesn't core-dump. Also it doesn't warn about the segmentation violation
> process in the logs...
>
> On my laptop, a test server and 2 other workstations (standard 2.6.11.5-8
> kernels) results are consistent but different from the hardened server:
>
> [EMAIL PROTECTED] test $ ./elfcd1
>
> [+] ./elfcd1 argv_start=0xbfffeff7 argv_end=0xbfffefff ESP: 0xbfffedb0
> [+] phase 1
> [+] AAAA argv_start=0xbfff6fee argv_end=0xbfff6ff2 ESP: 0xbfff6e80
> [+] phase 2, <RET> to crash
> Segmentation fault (core dumped)
>
> and core-dumps.
>
> any help? is the hardened server secure? I suppose so, since it didn't core
> dump.
>
> regards,
> pedro venda.

--
[email protected] mailing list
