This failed with 2.6.23 on x86_64. Get some nice output though:

-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x100000000000 .. 0x100000001000
[+] page: 0x100000000000
[+] page: 0x100000000038
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4038
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0x2afd84834000 .. 0x2afd84866000
Killed

On the other hand, 32 bit 2.6.23.1 is successful.

-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7e37000 .. 0xb7e69000
[+] root

I wonder if 64 bit is immune.

Dan

Michael ODonnell wrote:
>
>> On Feb 10, 2008 7:48 PM, Bill Sconce <[EMAIL PROTECTED]> wrote:
>>> [ I just compiled and tried it. Sure enough, the program below,
>>> run from user mode, gets a root shell. Yike.]
>> I just tried this on Ubuntu-Server (7.04) and it didn't work. Running
>> 2.6.20-16-server
>
> This worked with my 2.6.22 kernel as well as on a 2.6.18-4-k7 kernel.
> It did not work on the RHEL3 system where I tried it because the 2.4
> kernels don't have the vmsplice facility being exploited:
>
> http://en.wikipedia.org/wiki/Splice_%28system_call%29
> http://kerneltrap.org/node/6505
>
> _______________________________________________
> gnhlug-discuss mailing list
> gnhlug-discuss@mail.gnhlug.org
> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/