The bug was found in early december 2020, not by me, but a genius who looked 15mins at fbsd and immediately spotted it 🙇♂️. This c++ impl was made when experimenting with increasing exploit reliability after ps5 kernel added some heap randomization features.
wget http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/old-releases/VM-IMAGES/11.0-RELEASE/amd64/Latest/FreeBSD-11.0-RELEASE-amd64.vhd.xz
in the vm: adduser
, add sshd_enable="YES"
to /etc/rc.conf
, /etc/rc.d/sshd start
build ON THE VM because the freebsd build system is incompatible with non-freebsd systems (they enabled compat around fbsd 12/13 but we need 11...)
see https://docs.freebsd.org/en/books/handbook/kernelconfig/ or just:
cd /usr/src/sys/amd64/conf
cp GENERIC /root/CONFIG
ln -s /root/CONFIG
edit CONFIG to remove options DDB
and add options GDB
build and install:
cd /src/src
make buildkernel KERNCONF=CONFIG
make installkernel KERNCONF=CONFIG
reboot
copy /usr/obj/usr/src/sys/CONFIG/kernel.debug
out of the vm for use with gdb.
git clone -b releng/11.0 https://github.com/freebsd/freebsd.git
fetch latest from https://ftp.gnu.org/gnu/gdb/ and unpack
mkdir build
cd build
../configure --disable-binutils --disable-ld --disable-gold --disable-gas --disable-sim --disable-gprof --target=x86_64-unknown-freebsd
make -j64
use https://github.com/cyrus-and/gdb-dashboard
set substitute-path /usr/src /home/shawn/freebsd
set disassembly-flavor intel
file kernel.debug
target remote /tmp/fbsd11
https://github.com/weltling/convey https://github.com/jstarks/npiperelay
#!/bin/sh
GDB_PATH=/home/shawn/gdb-10.1/build/gdb
PATH=$GDB_PATH:$PATH
gdb --data-directory=/home/shawn/gdb-10.1/build/gdb/data-directory
in vm:
sysctl debug.kdb.enter=1