Linux kernel pipe NULL pointer dereference exploit (CVE-2009-3547)
Another exploit for the kernel pipe NULL pointer dereference bug. This one is inspired by Spender's great work for his enlightenment framework. The bug seems to exist in every 2.6 and 2.4 kernel version I've tested! Another sock_sendpage maybe? This sample exploit only works for versions >= 2.6.17. You can download it here. As usual, more information is in the code. This time there are some funny quotes too! I haven't done a lot of tests, so any feedback, and especially the kernel versions you have tested it on and it worked, is welcome!
EDIT: New version is out. It adds support for the detection of kernels compiled with spinlock debugging options. Download it here.

Effort unique and pooped it from Spender ((rocks)) and fotis
I tested on server 2.6.25 2008 >> We've got bush!
Thanks ag’ne
argp@yukio:~$ ./gayros
We got NULL page babe!
Using kernel version 2.6.24-1-686.
Found version 3 structure, doing our tricks in memory…
Go go go boy!
We’ve got bush!
\u@\h:\w$ id
uid=0(root) gid=0(root) groups=1000(argp)
Once again, nice work Fotis!
Fotis, it took 2 times to run in my fully up2date Ubuntu 9.04 box. Here is a paste:
thanasisk@OBRELA03:~/Desktop$ ./a.out
We got NULL page babe!
Using kernel version 2.6.28-16-generic.
Found version 3 structure, doing our tricks in memory…
Go go go boy!
thanasisk@OBRELA03:~/Desktop$ ./a.out
We got NULL page babe!
Using kernel version 2.6.28-16-generic.
Found version 3 structure, doing our tricks in memory…
Go go go boy!
We've got bush!
#
@argp
Thanks!
@topolino
Use gcc gayros.c -o gayros! If you use COW creds then the binary MUST be named gayros!
Do you have any other posts relating to this?
What does it mean if the program responds with “mmap: Invalid argument” ?
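As an added defensive check (not part of the original post, the exploit, or any commenter's words): every run above starts by mapping the NULL page ("We got NULL page babe!"). Linux exposes the vm.mmap_min_addr sysctl (added in 2.6.23), which makes an unprivileged mmap() of addresses below its value fail with EINVAL ("Invalid argument"). The script below reports whether the running kernel blocks that mapping; the helper function names and the recommended value 65536 are this example's own choices.

```shell
#!/bin/sh
# Added defensive check, not code from the original post or the exploit.
# Reads the real kernel sysctl vm.mmap_min_addr and reports whether an
# unprivileged process can map page 0 (a prerequisite for the NULL pointer
# dereference exploit class discussed above).

SYSCTL_PATH=/proc/sys/vm/mmap_min_addr   # standard procfs location of the knob

# null_page_blocked VALUE
#   returns 0 if VALUE forbids mapping the NULL page,
#           1 if VALUE (0) allows it,
#           2 if VALUE is not a number (unknown state).
null_page_blocked() {
    value=$1
    case "$value" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$value" -gt 0 ]
}

# report_host
#   prints a one-line verdict for the running kernel and returns the same
#   code as null_page_blocked (2 when the sysctl is absent, e.g. kernels
#   older than 2.6.23 or no procfs).
report_host() {
    if [ -r "$SYSCTL_PATH" ]; then
        v=$(cat "$SYSCTL_PATH")
    else
        echo "unknown: $SYSCTL_PATH not present"
        return 2
    fi
    if null_page_blocked "$v"; then
        echo "ok: vm.mmap_min_addr=$v, unprivileged mmap(0) will fail with EINVAL"
        return 0
    fi
    echo "WARNING: vm.mmap_min_addr=$v, NULL page is mappable; raise it with:"
    echo "         sysctl -w vm.mmap_min_addr=65536"
    return 1
}

report_host
```

Run it as any user; a non-zero vm.mmap_min_addr is what turns the exploit's first step into "mmap: Invalid argument", so on hardened hosts this is the first setting to confirm before chasing kernel versions.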