http://hup.hu/node/125059


this freebsd ptrace/mmap exploit is brilliant.  perhaps one of my fave
ever.  it took me a while to understand wtf is happening.  i believe it is
something like this:

exploit binary is fairly simple.

- first thing it does is check if it is root, and if so, exec /bin/sh.

- second thing is the process maps both itself and some setuid-root
binary with read-perms into it's address space, using MAP_SHARED, which
means everyone will see changes made.

- third thing it does is fork(), and the child calls ptrace PT_TRACE_ME,
and exits.  because of PT_TRACE_ME, the child hangs at exit for the
parent to attach.

- fourth thing is the parent performs a ptrace IO operation on the
mapped address of itself to the mapped address of the target setuid root
binary.  this is where the bug is -- that should fail to write to a
region mapped read only.  so effectively, it replaces the setuid binary
text with the exploit binary in memory.

- final thing it does is exec the target setuid binary.  which happens to
now be the exploit text...and then the first thing it does again, which is
to exec /bin/sh if root.


special thanks to Christoph Badura for helping me figure out all the
(guessed) details for how this exploit works.