Bugtraq: Linux kernel do_brk(), another proof-of-concept code for i386

[Julien TINNES <julien () cr0 org>]

There were complains that previous POC wasn't working on some kernels, and I 
even saw a guy on IRC asking about POC using a different method.

The previous version was relying on the Linux ELF loader to call do_brk for 
us. This one uses sys_brk(), but to bypass a check of available memory in 
sys_brk we still have to map our code high in memory (but not past 
PAGE_OFFSET this time).

To be able to call sys_brk with success we had to make sure the stack was'nt 
above our program (in most case we have to move it).

Then you can easily crash your system (do a fork(), clone(), execve()...), 
doing something else is'nt trivial :p

Use NASM 0.98.38 or higher to compile.

Julien TINNES

Attachment: brk_poc_sys_brk.asm
Description: