FreeBSD Intel SYSRET Privilege Escalation
Disclosure Date: 2012-06-12
First seen: 2020-04-26
Module: exploit/freebsd/local/intel_sysret_priv_esc
This module exploits a vulnerability in the FreeBSD kernel when running on 64-bit Intel processors. By design, 64-bit processors following the x86-64 specification trigger a general protection fault (GPF) when executing a SYSRET instruction with a non-canonical address in the RCX register. However, Intel processors check for a non-canonical address prior to dropping privileges, causing the GPF to be raised in privileged mode. As a result, the current userland RSP stack pointer is restored and executed, resulting in privileged code execution.
Tested successfully on: FreeBSD 8.3-RELEASE (amd64); FreeBSD 9.0-RELEASE (amd64).
Authors: Rafal Wojtczuk, John Baldwin, iZsh, bcoles <bcoles@gmail.com>
FreeBSD rtld execl() Privilege Escalation
Disclosure Date: 2009-11-30
First seen: 2020-04-26
Module: exploit/freebsd/local/rtld_execl_priv_esc
This module exploits a vulnerability in the FreeBSD run-time link-editor (rtld). The rtld `unsetenv()` function fails to remove `LD_*` environment variables if `__findenv()` fails. This can be abused to load arbitrary shared objects using `LD_PRELOAD`, resulting in privileged code execution.
Tested successfully on: FreeBSD 7.2-RELEASE (amd64); FreeBSD 8.0-RELEASE (amd64).
Authors: Kingcope, stealth, bcoles <bcoles@gmail.com>
3 metasploit modules found
Please note: Metasploit modules are only matched by CVE numbers.