Exploits FreeBSD rtld execl() Privilege Escalation
1337day-Exploits posted a topic in Updated Exploits
This Metasploit module exploits a vulnerability in the FreeBSD run-time link-editor (rtld). The rtld unsetenv() function fails to remove LD_* environment variables if __findenv() fails. This can be abused to load arbitrary shared objects using LD_PRELOAD, resulting in privileged code execution.
Exploits FreeBSD Intel SYSRET Privilege Escalation
1337day-Exploits posted a topic in Updated Exploits
This Metasploit module exploits a vulnerability in the FreeBSD kernel, when running on 64-bit Intel processors. By design, 64-bit processors following the X86-64 specification will trigger a general protection fault (GPF) when executing a SYSRET instruction with a non-canonical address in the RCX register. However, Intel processors check for a non-canonical address prior to dropping privileges, causing a GPF in privileged mode. As a result, the current userland RSP stack pointer is restored and executed, resulting in privileged code execution.