Linux uses PIDs sequentially: if the last spawned process was assigned pid N, then the next spawned process will be assigned pid N+1, starting from 1 and wrapping to 300 at 32768. That means you can easily "guess" the PID of a kernel process: for example, spawn a child in your exploit program, then start the kernel process (e.g. using a socket() call with an unused protocol, as seen in a few exploits), and the kernel process will _probably_ have a PID equal to the PID of the child plus one.

Of course, this will go wrong when there is another process created in the meantime - and that is far from theoretical on a system with lots of activity. However, this is easy to detect, because the ptrace attach operation will fail in that case.

Regards,
David

"Marcus Tangermann" wrote:
> As far as I understand the problem with the ptrace bug in the linux
> kernel you can ptrace a spawned process for module loading
> before the EUID of the process (that is originally the same as
> of the parent) is changed to 0. But how can I get the PID of
> the spawned process?
>
> Best regards
> Marcus

--
class sig{static void main(String[]s){for// D.C. van Moolenbroek
(int _=0;19>_;System.out.print((char)(52^// (CS student, VU, NL)
"Y`KbddaZ}`P#KJ#caBG".charAt(_++)-9)));}}// -Java sigs look bad-
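The allocation rule David describes, as an added example (my code, not anything posted in this thread): two forks in a row probe whether the kernel really hands out adjacent PIDs, and a small helper models the wrap the post states (N to N+1, back to 300 at 32768). The constants 300 and 32768 are taken from the post as given; on a real system pid_max is configurable and the value in /proc/sys/kernel/pid_max is what applies. The delta returned by the fork probe is what an administrator or educator would look at: 1 means a "child PID + 1" guess would have landed, anything larger means some other process was created in between, which is exactly the race the post says makes the guess unreliable on a busy system.

```c
/* Added example (not from the original thread): probe Linux's sequential
 * PID allocation with two forks and model the wrap rule the post states.
 * The wrap constants (300 and 32768) are the values given in the post;
 * pid_max is configurable on real systems (/proc/sys/kernel/pid_max). */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define RESERVED_PIDS 300       /* lowest PID handed out after a wrap, per the post */
#define DEFAULT_PID_MAX 32768   /* wrap point named in the post */

/* Next PID the allocator will hand out after last_pid, following the post's
 * description: N -> N+1, wrapping to RESERVED_PIDS when the maximum is hit. */
pid_t predict_next_pid(pid_t last_pid, pid_t pid_max)
{
    pid_t next = last_pid + 1;
    if (next >= pid_max)
        next = RESERVED_PIDS;
    return next;
}

/* Fork twice and return pid2 - pid1. A result of 1 means a guess of
 * "child PID + 1" would have been right; a larger value means some other
 * process was created in between (the race the post describes). Returns -1
 * if fork() fails. The first child has already exited before the second
 * fork, which also shows that a freed PID is not reused until the counter
 * wraps around. */
int consecutive_fork_delta(void)
{
    pid_t first = fork();
    if (first < 0) return -1;
    if (first == 0) _exit(0);        /* child: exit immediately */
    waitpid(first, NULL, 0);         /* reap it so no zombie is left behind */

    pid_t second = fork();
    if (second < 0) return -1;
    if (second == 0) _exit(0);
    waitpid(second, NULL, 0);

    return (int)(second - first);
}

int main(void)
{
    int delta = consecutive_fork_delta();
    if (delta < 0) {
        perror("fork");
        return 1;
    }
    printf("two consecutive forks: PID delta = %d (%s)\n", delta,
           delta == 1 ? "sequential guess would have succeeded"
                      : "another process was created in between");
    printf("after pid %d the allocator hands out pid %d\n",
           DEFAULT_PID_MAX - 1,
           (int)predict_next_pid(DEFAULT_PID_MAX - 1, DEFAULT_PID_MAX));
    return 0;
}
```

Run it a few times on a loaded machine and the delta will occasionally be larger than 1; that is the same signal the post points at when it says the guess "will go wrong" under concurrent activity.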
This archive was generated by hypermail 2b30 : Mon Mar 24 2003 - 14:52:52 PST