Linux 2.6.x fs/pipe.c local root exploit (CVE-2009-3547)
For those who were not yet aware, there have been at least 3 public exploits since 11/05/2009 for CVE-2009-3547, targeting *all* Linux kernels from 2.6.0 to 2.6.31 inclusive. Since spender and fotis have already released their own, there is no need for us to keep this on our hd.
ImpelDown.c is a PoC trying to exploit the NULL pointer dereference in fs/pipe.c for *all* Linux kernels from 2.6.0 to 2.6.31, and ImpelDown-2.6.31only.c targets only Linux kernel version 2.6.31 (tested and approved with mmap_min_addr at 0).
If you were writing your own, you have already noticed that there is a subtle difference in the way you can own kernels 2.6.0 up to 2.6.10 versus kernels 2.6.11 up to 2.6.31: in the former, the NULL pointer dereference leads to an arbitrary write anywhere in the kernel, since you have control over the destination address of
linux2.6.9/fs/pipe.c
…
    if (pipe_iov_copy_from_user(pipebuf, iov, chars)) {
…
In that case, we exploit this by overwriting an old and obsolete syscall's address in the sys_call_table with the address of our privilege escalator function (hehe, old school trickz are always the best).
In kernels 2.6.11 up to 2.6.31, exploitation simply consists of mapping the correct struct pipe_inode_info at NULL, and the kernel will call a function pointer under our control at inode->i_pipe->bufs[1-16].ops->something().
You can find the exploits at http://www.vxhell.org/~teach/exploits/ImpelDown.c and http://www.vxhell.org/~teach/exploits/ImpelDown-2.6.31only.c. The first one wasn't tested, but the second would work for the given kernel (depending on your mmap_min_addr).
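As an added, defender-side example that is not part of the original post or the linked exploits: a POSIX sh check that reports where a host stands relative to the window described above (kernel 2.6.0 through 2.6.31, and whether vm.mmap_min_addr is 0). The function names and the three-way classification are my own.

```shell
#!/bin/sh
# Added defender-side check (not from the original post or its linked exploits).
# Classifies a kernel version plus vm.mmap_min_addr against the CVE-2009-3547
# window the post describes: 2.6.0 .. 2.6.31 inclusive. The post notes the
# 2.6.31 PoC needs mmap_min_addr at 0, so a non-zero value is treated as a
# mitigation (a hardening knob, not a fix: still patch the kernel).

# Print "MAJOR MINOR PATCH" for a uname -r style string.
# "2.6.31-14-generic" -> "2 6 31", "2.6" -> "2 6 0", "2.6.32-rc8" -> "2 6 32".
version_triple() {
    v=${1%%-*}                              # drop "-generic", "-rc8", ...
    major=${v%%.*}
    rest=${v#*.}
    case $rest in
        *.*) minor=${rest%%.*}; rest=${rest#*.}; patch=${rest%%.*} ;;
        *)   minor=$rest; patch=0 ;;
    esac
    echo "$major $minor $patch"
}

# Succeed (0) when VERSION falls inside 2.6.0 .. 2.6.31, fail (1) otherwise.
kernel_in_range() {
    set -- $(version_triple "$1")
    [ "$1" -eq 2 ] && [ "$2" -eq 6 ] && [ "$3" -ge 0 ] && [ "$3" -le 31 ]
}

# Print NOT_AFFECTED, MITIGATED or VULNERABLE for a VERSION / MMAP_MIN_ADDR pair.
assess() {
    version=$1
    min_addr=$2
    if ! kernel_in_range "$version"; then
        echo NOT_AFFECTED
    elif [ "$min_addr" -ne 0 ]; then
        echo MITIGATED
    else
        echo VULNERABLE
    fi
}

# Live check of this host, only where the sysctl is readable (Linux).
if [ -r /proc/sys/vm/mmap_min_addr ]; then
    echo "$(uname -r): $(assess "$(uname -r)" "$(cat /proc/sys/vm/mmap_min_addr)")"
fi
```

Run it on a fleet with your inventory tool and treat MITIGATED the same as VULNERABLE for patch scheduling; only the exposure during the patch window differs.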