{"id":5163,"date":"2026-05-10T22:24:19","date_gmt":"2026-05-10T22:24:19","guid":{"rendered":"https:\/\/xcode.or.id\/blog\/?p=5163"},"modified":"2026-05-12T14:45:42","modified_gmt":"2026-05-12T14:45:42","slug":"tebas-kernel-freebsd-reworking-exploit-calif-yang-broken-menjadi-weaponized","status":"publish","type":"post","link":"https:\/\/xcode.or.id\/blog\/index.php\/2026\/05\/10\/tebas-kernel-freebsd-reworking-exploit-calif-yang-broken-menjadi-weaponized\/","title":{"rendered":"Tebas Kernel FreeBSD: Reworking Exploit Calif yang &#8216;Broken&#8217; Menjadi Weaponized"},"content":{"rendered":"\n<h1><\/h1>\n\n\n\n<figure class=\"wp-block-image size-large\"><img src=\"https:\/\/xcode.or.id\/blog\/wp-content\/uploads\/2026\/05\/tebas-1024x821.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><em>(Analisis Kegagalan Eksekusi dan Teknik Bypass Mounting Proteksi)<\/em><\/p>\n\n\n\n<h3><strong>Pendahuluan<\/strong><\/h3>\n\n\n\n<p>Baru-baru ini saya melakukan pengujian keamanan pada target berbasis <strong>FreeBSD<\/strong>. Referensi utama saya adalah exploit milik <strong>Calif<\/strong> yang sudah cukup dikenal untuk <em>Local Privilege Escalation<\/em> (LPE). Namun, kenyataan di lapangan tidak semudah melakukan <em>copy-paste<\/em>. Exploit tersebut awalnya <strong>gagal total<\/strong> saat dijalankan di lingkungan target.<\/p>\n\n\n\n<p>Saya akhirnya menganalisa selama sekitar 4 jam dan melakukan <em>re-engineering<\/em> terhadap kode tersebut hingga akhirnya berhasil mendapatkan akses <code>root<\/code>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3><strong>Analisis Kegagalan: Mengapa Exploit Calif Tidak Jalan?<\/strong><\/h3>\n\n\n\n<p>Saat pertama kali di-<em>running<\/em>, exploit tidak memberikan respon yang diharapkan.  Setelah saya cek dengan perintah <code>mount<\/code>, ditemukan penyebabnya:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img src=\"https:\/\/xcode.or.id\/blog\/wp-content\/uploads\/2026\/05\/wih.png\" alt=\"\"\/><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>data@data:\/tmp $ mount | grep \/tmp\nzroot\/var\/tmp on \/var\/tmp (zfs, local, noatime, nosuid, nfsv4acls)\nzroot\/tmp on \/tmp (zfs, local, noatime, nosuid, nfsv4acls)\ndata@data:\/tmp $<\/code><\/pre>\n\n\n\n<p>Partisi <code>\/tmp<\/code> dipasang dengan flag <strong><code>nosuid<\/code><\/strong> dan <strong><code>noexec<\/code><\/strong>. Artinya, meskipun file kita memiliki bit SUID, sistem secara tegas menolak eksekusi biner tersebut dengan hak akses tinggi di direktori tersebut.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3><strong>Solusi &amp; Modifikasi<\/strong><\/h3>\n\n\n\n<p>Untuk mengatasi hal ini, saya melakukan Pivoting Direktori.<\/p>\n\n\n\n<ul><li><strong>Pivoting Direktori:<\/strong> Saya memindahkan seluruh strategi eksekusi ke direktori <code>\/home\/data<\/code>. Setelah pengecekan, partisi ini memiliki kebijakan yang lebih longgar (tanpa flag <code>nosuid<\/code>), sehingga memungkinkan biner SUID untuk bekerja sebagaimana mestinya<\/li><\/ul>\n\n\n\n<h3><strong>Hasil Akhir<\/strong><\/h3>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Tebas Kernel FreeBSD. Reworking Exploit Calif yang &#039;Broken&#039; jd Weaponized - CVE-2026-7270 (no music)\" width=\"640\" height=\"360\" src=\"https:\/\/www.youtube.com\/embed\/eS2AcwxUPuI?start=24&#038;feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<p>Dengan memindahkan lokasi eksekusi ke <code>\/home\/data<\/code> dan memperbaiki alur instruksi pada <em>source code<\/em>, exploit berhasil dieksekusi dengan sempurna.<\/p>\n\n\n\n<p><strong>Credit:<\/strong> Original exploit concept by Calif (https:\/\/github.com\/califio\/publications\/tree\/main\/MADBugs\/freebsd-CVE-2026-7270). Modified and fixed by Kurniawan &#8211; https:\/\/xcode.co.id<\/p>\n\n\n\n<p>Download hasil modif : <a href=\"https:\/\/hackerbootcamp.asia\/exploitfreebsd.zip\">https:\/\/hackerbootcamp.asia\/exploitfreebsd.zip<\/a> <\/p>\n","protected":false},"excerpt":{"rendered":"<p>(Analisis Kegagalan Eksekusi dan Teknik Bypass Mounting Proteksi) Pendahuluan Baru-baru ini saya melakukan pengujian keamanan pada target berbasis FreeBSD. Referensi utama saya adalah exploit milik Calif yang sudah cukup dikenal untuk Local Privilege Escalation (LPE). Namun, kenyataan di lapangan tidak <a href=\"https:\/\/xcode.or.id\/blog\/index.php\/2026\/05\/10\/tebas-kernel-freebsd-reworking-exploit-calif-yang-broken-menjadi-weaponized\/\" class=\"read-more\">Read More &#8230;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/xcode.or.id\/blog\/index.php\/wp-json\/wp\/v2\/posts\/5163"}],"collection":[{"href":"https:\/\/xcode.or.id\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xcode.or.id\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xcode.or.id\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/xcode.or.id\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=5163"}],"version-history":[{"count":14,"href":"https:\/\/xcode.or.id\/blog\/index.php\/wp-json\/wp\/v2\/posts\/5163\/revisions"}],"predecessor-version":[{"id":5182,"href":"https:\/\/xcode.or.id\/blog\/index.php\/wp-json\/wp\/v2\/posts\/5163\/revisions\/5182"}],"wp:attachment":[{"href":"https:\/\/xcode.or.id\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=5163"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xcode.or.id\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=5163"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xcode.or.id\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=5163"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}