Share
## https://sploitus.com/exploit?id=B6BD58A6-3493-54B7-8101-F6C8B63659B0
# FreeBSD setcred(2) โ€” research artifacts

This subdirectory collects the write-up and working exploits for the
`setcred(2)` stack buffer overflow in FreeBSD 14.x kernel.

The vulnerability itself is fully documented in `setcred.txt`. The short
version: `kern_setcred_copyin_supp_groups()` uses `sizeof(*groups)` where
`groups` is `gid_t **`, producing an 8-byte stride instead of 4 for a
`copyin()` into a fixed-size kernel-stack array. The overflow is reachable
before any privilege check, by any unprivileged user.

This repository captures two working exploit paths:

  * **no-SMAP / no-SMEP** โ€” `exp2_lpe_no_smap.c`.  A single
    `setcred(2)` syscall flips the calling thread to uid=0 by
    redirecting the chain primitive at `amd64_syscall+0x155` to
    user-space shellcode through a fake `struct sysentvec`.

  * **SMAP / SMEP enabled** โ€” `exp_setcred_smap_zfs.c`.  Hijacks to
    `ZSTD_initCStream_advanced` in `zfs.ko` whose body writes
    `td_ucred = rcx+1`.  With `rcx = K1 = parent_pargs - 1` (a
    qword planted in a child's pargs slab), the calling thread's
    credential pointer lands inside the parent's pargs slab where
    we have planted a fake `struct ucred` with `cr_uid=0`.  Works
    on any FreeBSD 14.4 GENERIC system with `zfs.ko` loaded
    (typical server configuration) and requires no kernel
    info-leak primitive.

## Layout

```
setcred/
+- setcred.txt          Primary write-up: vulnerability, both LPE
|                       techniques, PoC pointers, FIX STATUS, timeline.
|                       Pure ASCII.
+- exploits/            Curated exploit drop.
    +- poc_dos.c                    Minimal DoS PoC -- any user
    |                               panics kernel.
    +- exp2_lpe_no_smap.c           Full LPE on no-SMAP/SMEP kernel.
    +- exp_setcred_smap_zfs.c       SMAP/SMEP-safe LPE via zfs.ko
    |                               ZSTD gadget.  No info-leak.
    +- wrapper.c                    Tiny setuid-root โ†’ /bin/sh
    |                               launcher installed at /tmp/rsh
    |                               by exp_setcred_smap_zfs.
    +- Makefile.setcred_smap_zfs    Guest-side build pipeline for
    |                               the SMAP/SMEP path
    |                               (all, install, clean).
    +- README_setcred_smap_zfs.md   End-user write-up for the
                                    SMAP/SMEP path.
```

## Status

  * DoS (any user panics the kernel) and full LPE without SMAP/SMEP
    are reproducible by the corresponding programs in `exploits/`.

  * Full LPE with SMAP/SMEP enabled is reproducible via
    `exp_setcred_smap_zfs.c` on any FreeBSD 14.4 GENERIC system with
    `zfs.ko` loaded.  See `setcred.txt` for the technique.

  * 14.4-RELEASE / stable/14 remain vulnerable as of report date.
    The fix landed in main on 2025-11-27 (commit 000d5b5) as a side
    effect of an unrelated refactoring and was not backported.