Sec, blogmal! - tidbits - presto



April '18



Sun, 11 Sep 2005

Writing to /dev/kmem for fun and profit

I have just updated presto, the tool to modify the UID (and EUID) of any running process to FreeBSD-5. Get it here if you want.

I originally wrote it about 8 years ago after a dispute about the fact that write access to /dev/kmem is as good as root access. Someone said, that this might well be true, but it would be too complicated for the average user to exploit that.

To prove my point that it wasn't difficult at all I wrote a small hack as a proof of concept which modified the UID of a running process. I simply took a copy of ps and libkvm (which already do a nice job of finding the UID in memory) and patched them to write another value back. I got it to work without a single crash of FreeBSD ;)

As I found out, that this program also is a nice helper if you start to edit a file without the proper write permissions. Simply promote that editor to root, and write that file ;) - Because presto now defaults to modifying its parent process, it is as simple as typing :!sudo presto from inside a vi.

The distribution archive also comes with patches for older FreeBSD versions, simply do a make distclean && make to make it fetch and patch your installed libkvm sources.

– Sec

posted at: 12:05 | Category: /tidbits | permanent link to this entry | 3 comments (trackback)

Your Comment
URL/Email: [http://... or mailto:you@wherever] (optional)
Title: (optional)
Save my Name and URL/Email for next time
(Note that comments will be rejected unless you enter 42 in the following box: )

powered by blosxom
in 1.00 s