DF-0035 / build.sh
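#!/bin/sh
# DF-0035 build script.
#
# Builds five artifacts from the C sources that sit next to this script:
#   msgbuf_oob          - the original unprivileged PoC (polls kern.msgbuf
#                         looking for non-text/over-long reads; harmless)
#   msgbuf_diag         - sharper diagnostic; same idea, more reporting
#   dump_msgbuf         - kvm(3)-based dumper of msg_bufx/msg_bufr and the
#                         branch-3 decision (read-only; needs /dev/kmem)
#   msgbuf_oob_decisive - DECISIVE OOB proof: kvm_write places the bad
#                         geometry then a sysctl read triggers the underflow
#                         (panics the kernel). Build/run as ROOT only.
#   msgbuf_brute        - brute-force natural-path trigger (root-only; opens
#                         the stale-msg_bufr window via msgbuf_clear, then
#                         tight 1-byte steps + reads)
#
# The unprivileged tools (msgbuf_oob, msgbuf_diag) build on DragonFlyBSD with
# the base-system cc and no extra libraries. The kvm(3) tools need -lkvm.

# -e: stop at the first failed compile, so the final listing never shows a
#     stale binary left over from an earlier run as if it were fresh.
# -u: treat a reference to an unset variable as an error.
set -eu

# Work from the script's own directory so the relative source names resolve
# regardless of the caller's cwd. `--` keeps a path that begins with '-' from
# being parsed as an option.
cd -- "$(dirname -- "$0")"

printf '%s\n' "[+] building msgbuf_oob (unprivileged poller)"
cc -O2 -o msgbuf_oob msgbuf_oob.c

printf '%s\n' "[+] building msgbuf_diag (unprivileged diagnostic)"
cc -O2 -o msgbuf_diag msgbuf_diag.c

# Links libkvm: this tool reads kernel memory through kvm(3).
printf '%s\n' "[+] building dump_msgbuf (kvm reader; needs root to read /dev/kmem)"
cc -O2 -o dump_msgbuf dump_msgbuf.c -lkvm

printf '%s\n' "[+] building msgbuf_brute (root-only natural-path brute-forcer)"
cc -O2 -o msgbuf_brute msgbuf_brute.c

# Links libkvm: this tool writes kernel memory through kvm(3) (kvm_write).
printf '%s\n' "[+] building msgbuf_oob_decisive (root-only DECISIVE OOB trigger; panics kernel)"
cc -O2 -o msgbuf_oob_decisive msgbuf_oob_decisive.c -lkvm

printf '%s\n' "[+] build complete"

# Show what was produced (size, mode, timestamp) as a quick sanity check.
ls -l msgbuf_oob msgbuf_diag dump_msgbuf msgbuf_brute msgbuf_oob_decisive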