Add FreeBSD 8.3 / 9.0 Intel SYSRET Privilege Escalation module #11092
Conversation
@msjenkins-r7 test this please.
Closer inspection reveals this exploit was likely stolen from @iZsh from fail0verflow. CurcolHekerLink's exploit was posted to EDB in 2013. iZsh's exploit and accompanying analysis is very similar and predates the exploit by about a year:
The original blog publish date is 2012-07-05. The Web Archive page does not have a backup from this date, but the YouTube video confirms the date, as does the commit date on GitHub. Unfortunately, the exploit is not licensed, and the copyright infringement punishment is undesirable:

// CVE-2012-0217 Intel sysret exploit -- iZsh (izsh at fail0verflow.com)
// Copyright 2012 all right reserved, not for commercial uses, bitches
// Infringement Punishment: Monkeys coming out of your ass Bruce Almighty style.

I would prefer to use the original work. I've updated the module in my local repo, and asked iZsh for permission to use the original exploit.

Adding
Sorry, I hadn't noticed your email. Your fear of my license punishment made my day ;-) You have my approval to use my exploit in metasploit.
This is the best!
Darn it, I started checking this earlier, verified it works, but got distracted before landing. Moving forward with that now. Thanks @bcoles
Release Notes: The freebsd/local/intel_sysret_priv_esc exploit module has been added to the framework. This local privilege escalation exploit module targets a vulnerability in the FreeBSD kernel when running on 64-bit Intel processors, leveraging mishandled edge cases with the SYSRET instruction.
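As an added example (not code from this PR, the Metasploit module, or iZsh's exploit), here is a defender-side exposure check in POSIX sh built only from the profile the release notes and PR title give: FreeBSD 8.3 or 9.0 on a 64-bit (amd64) host with an Intel CPU. The function name `sysret_exposure_check`, reading the CPU string from the `hw.model` sysctl, and flagging every patch level of those releases for manual review (the check cannot tell whether the CVE-2012-0217 fix is installed) are all assumptions of this example, not facts from the page.

```shell
#!/bin/sh
# Added example: coarse SYSRET (CVE-2012-0217) exposure check for inventory
# or audit scripts. The affected profile (FreeBSD 8.3 / 9.0, amd64, Intel)
# is taken from the PR text; patch level is deliberately NOT evaluated, so a
# matching host is reported for review rather than declared vulnerable.

# Usage: sysret_exposure_check OS RELEASE ARCH CPU_STRING
# Returns 0 when the host matches the affected profile, 1 otherwise.
sysret_exposure_check() {
    os=$1; release=$2; arch=$3; cpu=$4

    # Only the FreeBSD amd64 kernel on Intel hardware is described as affected.
    [ "$os" = "FreeBSD" ] || return 1
    [ "$arch" = "amd64" ] || return 1
    case "$cpu" in
        *Intel*|*intel*) ;;
        *) return 1 ;;
    esac

    # Reduce strings such as "9.0-RELEASE-p3" to MAJOR.MINOR before comparing.
    major_minor=$(printf '%s' "$release" | sed 's/^\([0-9]*\.[0-9]*\).*/\1/')
    case "$major_minor" in
        8.3|9.0) return 0 ;;
        *) return 1 ;;
    esac
}

# Builds a verdict from the live host. On non-FreeBSD systems the sysctl is
# missing, so the CPU string falls back to "unknown" and the host is reported
# as not matching the profile.
report_live_host() {
    os=$(uname -s)
    release=$(uname -r)
    arch=$(uname -m)
    cpu=$(sysctl -n hw.model 2>/dev/null || echo unknown)   # assumption: hw.model holds the CPU string on FreeBSD
    if sysret_exposure_check "$os" "$release" "$arch" "$cpu"; then
        echo "REVIEW: $os $release $arch on '$cpu' matches the SYSRET-affected profile; confirm the CVE-2012-0217 fix is installed"
    else
        echo "OK: $os $release $arch does not match the affected profile"
    fi
}

report_live_host
```

The check is intentionally strict about what it claims: it never says "vulnerable", only that a host matches the profile the advisory describes, and leaves confirming the installed fix to the administrator.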
And just as a verification that this does indeed upgrade the privileges of the current task, here's before and after running
Add FreeBSD 9 Intel SYSRET Privilege Escalation module.

Lazy wrapper for ~~CurcolHekerLink's~~ iZsh's exploit. I realize we already have the mmap exploit, which covers FreeBSD 9.0 and 9.1, but it's nice to have options.

The payload isn't strictly required. The exploit upgrades the privileges of the current task, and by the time the payload executes we're already root. Given that there's no Meterpreter for BSD, this should never be a problem.