# FreeBSD mmap and ptrace privilege escalation



## robbtek (Jun 25, 2013)

I've found these two pieces of code for privilege escalation. I've tested them on FreeBSD 10 and they work fine! x(


```
[user@freebsd10 ~]$ uname -a
FreeBSD freebsd10 10.0-CURRENT FreeBSD 10.0-CURRENT
```

Info: http://www.mondounix.com/freebsd-mmap-privilege-escalation/
Advisory: http://www.freebsd.org/security/advisories/FreeBSD-SA-13:06.mmap.asc

Test:


```
[user@freebsd10 ~]$ ./b
[+] Saved old '/sbin/ping'
[+] Using mmap-ed area at 0x801000000
[+] Attached to 1264
[+] Copied 7435 bytes of payload to '/sbin/ping'
[+] Triggering payload

# id
uid=0(root) gid=0(wheel)
# exit
[+] Restoring '/sbin/ping'
[+] Done
```

Code: http://www.mondounix.com/freebsd-9-0-9-1-mmap-ptrace-exploit/


```
[user@freebsd10 ~]$ ./c
FreeBSD 9.{0,1} mmap/ptrace exploit
by Hunger <fbsd9lul@hunger.hu>
# id
uid=0(root) gid=0(wheel)
```


----------



## Anonymous (Jun 25, 2013)

I don't know about FreeBSD 10; however, this has been addressed in a recent update of FreeBSD 9.1-RELEASE. We are at patch level 4 now. See chapter "VI. Correction details" in the advisory you linked to.


----------



## robbtek (Jun 25, 2013)

I've made a backup of the system (it is a test virtual machine) and will try to apply the patch and rebuild the kernel.


----------



## robbtek (Jun 26, 2013)

According to the advisory http://www.freebsd.org/security/advisories/FreeBSD-SA-13:06.mmap.asc, I've applied the patch and rebuilt the kernel on my FreeBSD 10.0-CURRENT. It works fine.

http://www.mondounix.com/freebsd-mmap-privilege-escalation/

```
[user@freebsd10 ~]$ ./b
[+] Saved old '/sbin/ping'
[+] Using mmap-ed area at 0x801000000
[+] Attached to 2040
[-] ptrace(PT_WRITE_D) failed: Bad address
```
http://www.mondounix.com/freebsd-9-0-9-1-mmap-ptrace-exploit/

```
[user@freebsd10 ~]$ ./c
FreeBSD 9.{0,1} mmap/ptrace exploit
by Hunger <fbsd9lul@hunger.hu>
c: ptio: Bad address
```
I've written an article with all the commands that I've used (sorry, it is not in English): http://www.mondounix.com/freebsd-ricompilare-kernel-per-correggere-la-vulnerabilita-di-mmap-ptrace/


----------
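Both exploit runs in this thread, and the `ptrace(PT_WRITE_D) failed: Bad address` seen after the kernel was rebuilt, come down to a single kernel decision: whether a debugger may write, through ptrace, into a page that the traced process holds as a read-only shared mapping of a file it cannot write. The program below is an added self-check for exactly that decision; it is not code from this thread, from Hunger's exploit, or from the FreeBSD project. A child maps a scratch file read-only and MAP_SHARED, the parent attaches as tracer and tries to write one word into that mapping (PT_WRITE_D on FreeBSD, PTRACE_POKEDATA elsewhere, so the same source also builds on Linux), and the verdict is taken from the bytes on disk, since a modified file is what the exploit output above shows (the payload lands in `/sbin/ping` itself). That the exploit relies on a read-only MAP_SHARED mapping is an inference from that output rather than something the thread states; the scratch path template, the result codes and the marker string are the example's own.

```c
/* Added example (not from this thread, Hunger's exploit or FreeBSD itself):
 * does the kernel let a tracer write, via ptrace, into a page the tracee
 * holds as a read-only MAP_SHARED mapping of a file it cannot write?
 * FreeBSD: PT_WRITE_D (as in the exploit output); elsewhere: PTRACE_POKEDATA.
 * Ground truth is the file on disk, which is what the exploit modifies. */
#define _DEFAULT_SOURCE 1
#include <sys/types.h>
#include <sys/mman.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifdef __FreeBSD__
typedef int word_t;                                  /* PT_WRITE_D writes an int */
#define TRACE_ME()          ptrace(PT_TRACE_ME, 0, NULL, 0)
#define POKE_WORD(p, a, w)  ptrace(PT_WRITE_D, (p), (caddr_t)(a), (int)(w))
#define DETACH(p)           ptrace(PT_DETACH, (p), (caddr_t)1, 0)
#else
typedef long word_t;                                 /* POKEDATA writes a long */
#define TRACE_ME()          ptrace(PTRACE_TRACEME, 0, NULL, NULL)
#define POKE_WORD(p, a, w)  ptrace(PTRACE_POKEDATA, (p), (a), (void *)(w))
#define DETACH(p)           ptrace(PTRACE_DETACH, (p), NULL, NULL)
#endif

enum { RESULT_REJECTED = 0, RESULT_WRITTEN = 1, RESULT_UNAVAILABLE = -1 };

/* Constructed scratch content; the check looks for any change to it on disk. */
static const char original[] = "SA-13:06 scratch page: read-only shared mapping";

int check_tracer_write_through_readonly_shared_mapping(void)
{
    char path[] = "/tmp/sa1306.XXXXXX";             /* example's own scratch path */
    int fd = mkstemp(path);
    if (fd < 0)
        return RESULT_UNAVAILABLE;
    if (write(fd, original, sizeof original) != (ssize_t)sizeof original) {
        close(fd); unlink(path); return RESULT_UNAVAILABLE;
    }
    close(fd);
    int pipefd[2];
    if (pipe(pipefd) < 0) { unlink(path); return RESULT_UNAVAILABLE; }
    pid_t pid = fork();
    if (pid < 0) { unlink(path); return RESULT_UNAVAILABLE; }
    if (pid == 0) {                                  /* tracee */
        close(pipefd[0]);
        int rfd = open(path, O_RDONLY);              /* no write access to the file */
        void *map = rfd < 0 ? MAP_FAILED
                  : mmap(NULL, sizeof original, PROT_READ, MAP_SHARED, rfd, 0);
        if (map == MAP_FAILED)
            _exit(1);
        (void)TRACE_ME();                            /* let the parent debug us */
        if (write(pipefd[1], &map, sizeof map) != (ssize_t)sizeof map)
            _exit(1);
        raise(SIGSTOP);                              /* parent writes while we sit here */
        _exit(0);
    }
    close(pipefd[1]);                                /* tracer */
    void *target = NULL;
    ssize_t n = read(pipefd[0], &target, sizeof target);
    close(pipefd[0]);
    int result = RESULT_UNAVAILABLE, status = 0;
    if (n == (ssize_t)sizeof target &&
        waitpid(pid, &status, WUNTRACED) == pid && WIFSTOPPED(status)) {
        word_t word;
        memset(&word, 'A', sizeof word);
        errno = 0;
        if (POKE_WORD(pid, target, word) == -1 &&
            (errno == EPERM || errno == ESRCH || errno == EBUSY))
            result = RESULT_UNAVAILABLE;             /* we never became its tracer */
        else
            result = RESULT_REJECTED;                /* provisional: the disk decides */
        (void)DETACH(pid);
    }
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    char buf[sizeof original];
    fd = open(path, O_RDONLY);
    if (fd >= 0) {
        ssize_t got = read(fd, buf, sizeof buf);
        close(fd);
        if (got == (ssize_t)sizeof buf && memcmp(buf, original, sizeof buf) != 0)
            result = RESULT_WRITTEN;                 /* file changed via a read-only map */
    }
    unlink(path);
    return result;
}

int main(void)
{
    int r = check_tracer_write_through_readonly_shared_mapping();
    if (r == RESULT_WRITTEN)
        puts("VULNERABLE: tracer wrote through a read-only shared file mapping");
    else if (r == RESULT_REJECTED)
        puts("OK: kernel rejected the write (FreeBSD reports this as 'Bad address')");
    else
        puts("UNKNOWN: could not act as tracer (ptrace restricted or setup failed)");
    return r == RESULT_WRITTEN;
}
```

On a kernel carrying the SA-13:06 fix the write is refused with EFAULT, which is the "Bad address" in the post above, and the file is untouched. RESULT_WRITTEN means the bytes on disk changed through a mapping the process could only read, which is the primitive the exploit uses to drop its payload into `/sbin/ping`. RESULT_UNAVAILABLE only says the process could not act as a tracer at all (ptrace restricted, sandboxed, or the scratch file could not be created); it is not evidence that the kernel is patched, so treat it as "check elsewhere", not as "safe".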

