Re: A puzzle: CAPZLOQ TEKNIQ 1.0

>>The cross-platform viral proof-of-concept in the news last week does
>>indeed infect both Windows and Linux ELF binaries.  At least it does on
>>some kernels.  Some tests show it doesn't work on the latest versions.
>>
>>Hans-Werner Hilse is trying to puzzle out why.  If anyone else wants to
>>play with it and see if they can figure out why it is sometimes viral on
>>Linux and sometimes not, drop me a note offlist.
>

From LWN/Newsforge:

--->2.6.15.4
[0804744d] open("E", O_RDWR) = 4
...
[0804747e] old_mmap(NULL, 28672, PROT_READ|PROT_WRITE, MAP_SHARED, 4, 0) = 0xb7fca000
--->2.6.16.2:
[0804744d] open("E", O_RDWR) = 4
...
[0804747e] old_mmap(NULL, 32768, PROT_READ|PROT_WRITE, MAP_SHARED, 1, 0) = -1 ENODEV (No such device)


Simple as that. open() returns fd 4, but old_mmap is called with fd 1, 
which is usually stdout. Looks to me like a userspace problem.


Jan Engelhardt
-- 
| Software Engineer and Linux/Unix Network Administrator
| Alphagate Systems, http://alphagate.hopto.org/
| jengelh's site, http://jengelh.hopto.org/
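
Added example (not part of the original message, and not code from its author): the comparison made above by eye, as a small Python script that reads the two strace excerpts and checks whether the fd passed to each mmap call was returned by an open() visible in the same excerpt. The function name and result fields are hypothetical; because the excerpts elide lines with "...", a flagged fd may have been opened in the elided part.

```python
import re

# Trace excerpts as quoted in the message above, wrapped lines rejoined.
TRACE = """\
--->2.6.15.4
[0804744d] open("E", O_RDWR) = 4
...
[0804747e] old_mmap(NULL, 28672, PROT_READ|PROT_WRITE, MAP_SHARED, 4, 0) = 0xb7fca000
--->2.6.16.2:
[0804744d] open("E", O_RDWR) = 4
...
[0804747e] old_mmap(NULL, 32768, PROT_READ|PROT_WRITE, MAP_SHARED, 1, 0) = -1 ENODEV (No such device)
"""

HEADER = re.compile(r"^--->\s*(\d[\d.]*\d)")           # "--->2.6.16.2:" section marker
CALL = re.compile(r"^\[(?P<ip>[0-9a-f]+)\]\s+(?P<name>\w+)\((?P<args>.*)\)"
                  r"\s+=\s+(?P<ret>\S+)(?:\s+(?P<err>[A-Z]+))?")
OPENERS = {"open", "openat", "creat"}
MAPPERS = {"old_mmap", "mmap", "mmap2"}

def audit_mmap_fds(trace):
    """Return one record per file-backed mmap call in an strace -i style trace."""
    findings, kernel, opened = [], None, set()
    for line in trace.splitlines():
        header = HEADER.match(line)
        if header:                       # new excerpt: forget fds from the last one
            kernel, opened = header.group(1), set()
            continue
        call = CALL.match(line)
        if not call:                     # "..." elision or blank line
            continue
        name, ret = call["name"], call["ret"]
        if name in OPENERS and ret.isdigit():
            opened.add(int(ret))
        elif name in MAPPERS:
            args = [a.strip() for a in call["args"].split(",")]
            if "MAP_ANONYMOUS" in args[3]:
                continue                 # anonymous mappings carry no meaningful fd
            fd = int(args[4])
            findings.append({"kernel": kernel, "ip": call["ip"], "fd": fd,
                             "fd_from_open": fd in opened,
                             "result": ret, "errno": call["err"]})
    return findings

if __name__ == "__main__":
    for f in audit_mmap_fds(TRACE):
        note = "ok" if f["fd_from_open"] else "fd not returned by a visible open()"
        print(f'{f["kernel"]}: mmap fd={f["fd"]} -> {f["result"]} {f["errno"] or ""} ({note})')
```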