http://hup.hu/node/125059

this freebsd ptrace/mmap exploit is brilliant. perhaps one of my fave ever. it took me a while to understand wtf is happening. i believe it is something like this. the exploit binary is fairly simple:

- first thing it does is check if it is root, and if so, exec /bin/sh.
- second thing is the process maps both itself and some setuid-root binary, with read permissions only, into its own address space using MAP_SHARED, which means any change to those pages is visible to everyone else using the file, not just to this process.
- third thing it does is fork(); the child calls ptrace PT_TRACE_ME and exits. because of PT_TRACE_ME, the child hangs at exit waiting for the parent to attach.
- fourth thing is the parent performs a ptrace IO operation that copies from the mapped address of itself to the mapped address of the target setuid-root binary. this is where the bug is: the destination was mapped read-only, so the kernel should refuse to write there, but it does not. effectively, the setuid binary's text is replaced with the exploit binary's text in memory, and since the mapping is shared that is what everyone now sees.
- final thing it does is exec the target setuid binary, which now happens to be the exploit text. the kernel runs it setuid root, so it gets to the first step again, which is to exec /bin/sh if root.

special thanks to Christoph Badura for helping me figure out all the (guessed) details for how this exploit works.
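the check i would want after reading this: does the kernel in front of me let a tracer write through a tracee's read-only MAP_SHARED file mapping? the program below is an added example, not the exploit from the post and not code from the linked page. it creates a throwaway file, has a child map it PROT_READ/MAP_SHARED and stop under ptrace, and has the parent try to write into that mapping the way the fourth step does (PT_IO with PIOD_WRITE_D on FreeBSD, PTRACE_POKEDATA elsewhere). it then re-reads the file: if the bytes changed, the write went through to the file's pages, which is exactly the bug. the temp-file location under /tmp and the probe file size are my own choices.

```c
/* Added probe, not the exploit from the post: can a tracer write through a
 * tracee's read-only, MAP_SHARED mapping of a file?  A fixed kernel refuses. */
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <sys/ptrace.h>
#include <sys/wait.h>

enum probe_result { PROBE_BLOCKED = 0, PROBE_WRITABLE = 1, PROBE_ERROR = -1 };

#define PROBE_FILL 'X'          /* byte the probe file is filled with */
#define PROBE_SIZE 64           /* assumption: small, larger than one long */

/* Create a throwaway file full of PROBE_FILL.  `path` is a mkstemp(3)
 * template and is overwritten with the real name.  Returns 0 on success. */
int make_probe_file(char *path) {
    int fd = mkstemp(path);
    if (fd == -1) return -1;
    char buf[PROBE_SIZE];
    memset(buf, PROBE_FILL, sizeof buf);
    int ok = write(fd, buf, sizeof buf) == (ssize_t)sizeof buf;
    close(fd);
    return ok ? 0 : -1;
}

/* Tracer side: write one long into the tracee at `addr`.  FreeBSD: the PT_IO
 * request the post talks about; Linux: PTRACE_POKEDATA.  0 = kernel said ok. */
static int tracer_write(pid_t pid, void *addr, long value) {
#if defined(__FreeBSD__)
    struct ptrace_io_desc iod = { .piod_op = PIOD_WRITE_D, .piod_offs = addr,
                                  .piod_addr = &value, .piod_len = sizeof value };
    return ptrace(PT_IO, pid, (caddr_t)&iod, 0);
#else
    return ptrace(PTRACE_POKEDATA, pid, addr, (void *)value) == -1 ? -1 : 0;
#endif
}

static int trace_me(void) {
#if defined(__FreeBSD__)
    return ptrace(PT_TRACE_ME, 0, 0, 0);
#else
    return ptrace(PTRACE_TRACEME, 0, 0, 0) == -1 ? -1 : 0;
#endif
}

/* PROBE_WRITABLE if the tracer's write reached the file behind the tracee's
 * read-only shared mapping, PROBE_BLOCKED if it did not, PROBE_ERROR if the
 * probe could not run (ptrace unavailable, fork failed, ...). */
enum probe_result probe_ptrace_ro_mapping(const char *path) {
    int pipefd[2], status;
    if (pipe(pipefd) == -1) return PROBE_ERROR;
    pid_t pid = fork();
    if (pid == -1) return PROBE_ERROR;

    if (pid == 0) {
        /* Tracee: map the file read-only + shared (like the setuid target in
         * the post), become traced, tell the parent the address, then stop. */
        void *map = MAP_FAILED;
        int fd = open(path, O_RDONLY);
        if (fd != -1) map = mmap(NULL, PROBE_SIZE, PROT_READ, MAP_SHARED, fd, 0);
        if (map != MAP_FAILED && trace_me() == -1) map = MAP_FAILED;
        (void)!write(pipefd[1], &map, sizeof map);
        if (map != MAP_FAILED) raise(SIGSTOP);
        _exit(0);
    }

    close(pipefd[1]);
    void *addr = MAP_FAILED;
    (void)!read(pipefd[0], &addr, sizeof addr);
    close(pipefd[0]);
    if (addr == MAP_FAILED || waitpid(pid, &status, 0) != pid || !WIFSTOPPED(status)) {
        kill(pid, SIGKILL); waitpid(pid, NULL, 0);
        return PROBE_ERROR;
    }

    long marker = 0x41414141L;           /* distinctive value to look for in the file */
    int wrote = tracer_write(pid, addr, marker);
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);

    /* What matters is whether the file behind the mapping changed. */
    char head[sizeof marker];
    int fd = open(path, O_RDONLY);
    if (fd == -1) return PROBE_ERROR;
    ssize_t n = read(fd, head, sizeof head);
    close(fd);
    if (n != (ssize_t)sizeof head) return PROBE_ERROR;
    if (memcmp(head, &marker, sizeof marker) == 0) return PROBE_WRITABLE;
    if (wrote == 0) fprintf(stderr, "ptrace reported success but the file is unchanged\n");
    return PROBE_BLOCKED;
}

/* Convenience wrapper: build the file, probe, clean up, return the verdict. */
enum probe_result run_probe_on_temp_file(void) {
    char path[] = "/tmp/ptrace-ro-probe.XXXXXX";   /* assumption: /tmp is writable */
    if (make_probe_file(path) == -1) return PROBE_ERROR;
    enum probe_result r = probe_ptrace_ro_mapping(path);
    unlink(path);
    return r;
}

int main(void) {
    enum probe_result r = run_probe_on_temp_file();
    puts(r == PROBE_WRITABLE ? "VULNERABLE: tracer wrote through a read-only shared mapping"
       : r == PROBE_BLOCKED  ? "ok: kernel refused the write"
                             : "probe could not run (ptrace blocked?)");
    return r == PROBE_WRITABLE;
}
```

on a fixed kernel the ptrace write fails (on linux with EIO, since the mapping of a file opened read-only has no write permission at all) and the file keeps its fill bytes. the probe deliberately judges by the file contents rather than by ptrace's return value, because the whole point of the bug is that the write lands in the shared file pages that the next exec of the setuid binary will run.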