
Linux kernel pipe NULL pointer dereference exploit (CVE-2009-3547)

November 5th, 2009

Another exploit for the kernel pipe NULL pointer dereference bug (CVE-2009-3547: the pipe open paths in fs/pipe.c dereference inode->i_pipe without checking it, reachable by opening a pipe through /proc/*/fd/ at a moment when it has no readers or writers; fixed upstream in 2.6.32-rc6). This one is inspired by Spender's great work for his enlightenment framework. The bug seems to exist in every 2.6 and 2.4 kernel version I've tested! Another sock_sendpage (CVE-2009-2692), maybe? This sample exploit only works for versions >= 2.6.17. You can download it here. As usual, more information is in the code. This time there are some funny quotes too! I haven't done a lot of tests, so any feedback, and especially the versions you have tested it on and found it working, is welcome!

EDIT: New version is out. It adds support for the detection of kernels compiled with spinlock debugging options. Download it here.
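A precondition check for the technique this exploit relies on, added here as an example and not part of the original exploit or the enlightenment framework: the exploit's first step is to map page zero (the "We got NULL page babe!" line in the runs posted in the comments), which the kernel only permits where vm.mmap_min_addr allows it, and the "mmap: Invalid argument" question further down is the kind of failure that step produces. The probe below reads the sysctl and then attempts the MAP_FIXED mapping at address 0 itself; the file name and function names are this example's own choices, and it assumes a Linux box with /proc mounted.

```c
/*
 * nullpage_probe.c -- added example, not part of the original post's exploit.
 *
 * The exploit begins by mapping the zero page so that the kernel's
 * dereference of a NULL pipe_inode_info pointer lands on memory the
 * attacker controls.  This probe checks that precondition on the current
 * box: it reads vm.mmap_min_addr and then tries to map one page at
 * address 0 with MAP_FIXED.  Nothing is written to the page.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Read /proc/sys/vm/mmap_min_addr.  Returns the value, or -1 if it cannot
 * be read (e.g. /proc not mounted).  0 means the kernel imposes no lower
 * bound on user mappings. */
long read_mmap_min_addr(void)
{
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    long v = -1;
    if (f == NULL)
        return -1;
    if (fscanf(f, "%ld", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* Try to map one anonymous page at address 0.  Returns 1 if the mapping
 * succeeded (it is released again before returning), 0 otherwise with
 * *err set to the errno mmap() reported.  The errno varies with kernel
 * version and LSM (EPERM on current kernels for an unprivileged caller),
 * so callers should print strerror(*err) rather than match one value. */
int null_page_mappable(int *err)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)0, (size_t)pagesz, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) {
        *err = errno;
        return 0;
    }
    /* MAP_FIXED guarantees p == 0 here; unmap it without touching it. */
    munmap(p, (size_t)pagesz);
    *err = 0;
    return 1;
}

int main(void)
{
    long min_addr = read_mmap_min_addr();
    int err = 0;
    int mapped = null_page_mappable(&err);

    if (min_addr < 0)
        printf("vm.mmap_min_addr: unreadable\n");
    else
        printf("vm.mmap_min_addr: %ld\n", min_addr);

    if (mapped)
        printf("page 0 mapped: a NULL-page exploit can run from this process\n");
    else
        printf("page 0 not mappable: mmap: %s (errno %d)\n", strerror(err), err);
    return mapped ? 0 : 1;
}
```

Compile with `gcc -o nullpage_probe nullpage_probe.c` and run it as the unprivileged user the exploit would run as. A failed mapping under a non-zero mmap_min_addr means the stock NULL-page approach cannot work on that box without a separate way around the restriction. Root with CAP_SYS_RAWIO may map the page regardless, so a result obtained from a root shell says nothing about what an unprivileged user can do.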

Categories: Exploits, Security
  1. L0v3r
    November 5th, 2009 at 04:37 | #1

    Effort unique and pooped it from Spender ((rocks)) and fotis

    I tested it on a server running 2.6.25 (2008) >> We’ve got bush!

    Thanks ag’ne

  2. argp
    November 5th, 2009 at 09:18 | #2

    argp@yukio:~$ ./gayros
    We got NULL page babe!
    Using kernel version 2.6.24-1-686.
    Found version 3 structure, doing our tricks in memory…
    Go go go boy!
    We’ve got bush!
    \u@\h:\w$ id
    uid=0(root) gid=0(root) groups=1000(argp)

    Once again, nice work Fotis!

  3. November 5th, 2009 at 11:02 | #3

    Fotis, it took two runs on my fully up-to-date Ubuntu 9.04 box. Here is a paste:

    thanasisk@OBRELA03:~/Desktop$ ./a.out
    We got NULL page babe!
    Using kernel version 2.6.28-16-generic.
    Found version 3 structure, doing our tricks in memory…
    Go go go boy!

    thanasisk@OBRELA03:~/Desktop$ ./a.out
    We got NULL page babe!
    Using kernel version 2.6.28-16-generic.
    Found version 3 structure, doing our tricks in memory…
    Go go go boy!
    .We’ve got bush!
    #

  4. Fotis
    November 5th, 2009 at 20:01 | #4

    @argp
    Thanks!

    @topolino
    Use gcc gayros.c -o gayros! If you use COW creds then the binary MUST be named gayros!

  5. Kimberlie
    December 8th, 2009 at 10:58 | #5

    Do you have any other posts relating to this?

  6. May 22nd, 2010 at 01:25 | #6

    What does it mean if the program responds with “mmap: Invalid argument” ?

