| field | value | date |
|---|---|---|
| author | Jason A. Donenfeld <Jason@zx2c4.com> | 2011-02-27 20:52:59 -0500 |
| committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2011-02-27 20:52:59 -0500 |
| commit | 19e04e2be9f96d27160bbccc9da952828bf161af (patch) | |
| tree | c65bbeda9948beadd24efc16155d51bafed35d75 | |
| parent | Print to stdout, not stderr. (diff) | |
Add l33t comment.
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | current-thread-exec.c | 38 |

1 file changed, 38 insertions, 0 deletions
diff --git a/current-thread-exec.c b/current-thread-exec.c index 7661fb3..53fa5ee 100644 --- a/current-thread-exec.c +++ b/current-thread-exec.c @@ -1,3 +1,41 @@ +/* + * This is an exploit for CVE-2008-5736, the FreeBSD protosw + * and loosely based on Don Bailey's 2008 exploit - + * http://www.exploit-db.com/exploits/7581/ . The thing with + * Don's exploit is that it relies on having a known location + * of allproc, which means having access to the kernel or + * debugging symbols, either of which might not be available. + * Initial attempts included a general memory search for some + * characteristics of allproc, but this was difficult to make + * reliable. This solution here is a much more standard - get + * the current thread, change its permissions, and execl to + * shell. Additionally, it breaks out of chroots and freebsd + * jails by reparenting to pid 1 and copying its fds. + * + * This reliably works on kernels on or below 6.4-RELEASE: + * + * $ gcc a.c + * $ ./a.out + * ~ FreeBSD <= 6.4-RELEASE Netgraph Exploit ~ + * ~~~~~~~~~~~~~~~~~ by zx2c4 ~~~~~~~~~~~~~~~~ + * ~~~~~ greetz to don bailey, edemveiss ~~~~~ + * + * [+] mmapping null page + * [+] adding jmp to pwnage in null page + * [+] opening netgraph socket + * [+] triggering null dereference + * [+] elevating permissions + * [+] got root! + * # + * + * It's an oldie, but simple enough that someone needed + * to write another PoC exploit at some point. + * + * cheers, + * zx2c4, 27-2-2011 + * + */ + #define _KERNEL #include <sys/types.h> #include <sys/time.h> |
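Review bot: the opening sentence of the new header comment is incomplete. "This is an exploit for CVE-2008-5736, the FreeBSD protosw" never says what the protosw issue is, while the banner lines further down ("Netgraph Exploit", "triggering null dereference") do; finish the sentence so the first line names the bug class and the affected subsystem, matching the CVE it cites. Two smaller documentation points in the same hunk: the usage transcript shows `$ gcc a.c` and `$ ./a.out` although the file being committed is `current-thread-exec.c`, so either use the real file name or state that the listing is illustrative; and "This solution here is a much more standard - get the current thread, change its permissions, and execl to shell" reads as a broken sentence ("a much more standard approach:" would do). Finally, the claims that it "reliably works on kernels on or below 6.4-RELEASE" and "breaks out of chroots and freebsd jails by reparenting to pid 1 and copying its fds" are asserted only in prose; a short pointer to the functions that implement the reparenting and fd copying would let a reader check the header against the code rather than take it on trust.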