Hi Wang... Sorry for my misinterpretation...

2009/8/28 fisherman <ipconfigme@xxxxxxxxx>:
> BUT exploit.c is compiled in userspace.
> The memset() is the symbol in glibc NOT in kernel.
>
> Disassemble Code:
> 0x08048a33 <give_it_to_me_any_way_you_can+223>: movl $0x1,0x804a7d4
> 0x08048a3d <give_it_to_me_any_way_you_can+233>: movl $0x20,0x8(%esp)

The way I see it, and after re-reading your question (plus reading the exploit code as best I can), here's what I can say: it can call normal glibc functions because the exploit is indeed a normal user-space application. However, it is placed in mmap()ed pages whose privilege is already "lifted" to kernel-mode pages.

The key here, I believe, is using the same technique explained by Brad Spengler (or spender? that grsecurity guy...), which exploits the weaknesses in the SELinux minimum mappable address and the failure to check a NULL pointer in tun.c (and probably in other unchecked code in the kernel as well...).

--
regards,

Mulyadi Santosa
Freelance Linux trainer
blog: the-hydra.blogspot.com

--
To unsubscribe from this list: send an email with
"unsubscribe kernelnewbies" to ecartis@xxxxxxxxxxxx
Please read the FAQ at http://kernelnewbies.org/FAQ