http://groups.google.com/group/android-kernel/browse_thread/thread/497ba1a48c3cd710
原因在這
http://lwn.net/Articles/342330/
http://xorl.wordpress.com/2009/08/18/cve-2009-2692-linux-kernel-proto_ops-null-pointer-dereference/
http://www.securityfocus.com/archive/1/archive/1/505751/100/0/threaded
第二個link http://xorl.wordpress.com/2009/08/18/cve-2009-2692-linux-kernel-proto_ops-null-pointer-dereference/
有講到三個hack
http://go2.wordpress.com/?id=725X1342&site=xorl.wordpress.com&url=http%3A%2F%2Fwww.grsecurity.net%2F~spender%2Fwunderbar_emporium.tgz&sref=http%3A%2F%2Fxorl.wordpress.com%2F2009%2F08%2F18%2Fcve-2009-2692-linux-kernel-proto_ops-null-pointer-dereference%2F
這用了
oxff
0x25
0xff 0x25其實就是jmp的opcode
找個例子 objdump -D 就看出來了
http://go2.wordpress.com/?id=725X1342&site=xorl.wordpress.com&url=http%3A%2F%2Fwww.frasunek.com%2Fproto_ops.tgz&sref=http%3A%2F%2Fxorl.wordpress.com%2F2009%2F08%2F18%2Fcve-2009-2692-linux-kernel-proto_ops-null-pointer-dereference%2F
這用了0x90 0xe9
跟最後一個比較簡單的
http://go2.wordpress.com/?id=725X1342&site=xorl.wordpress.com&url=http%3A%2F%2Fmilw0rm.com%2Fsploits%2Fandroid-root-20090816.tar.gz&sref=http%3A%2F%2Fxorl.wordpress.com%2F2009%2F08%2F18%2Fcve-2009-2692-linux-kernel-proto_ops-null-pointer-dereference%2F
No comments:
Post a Comment