Packer_ELF
Packer_ELF copied to clipboard
Published
20 hours ago •
sebastiencs
sebastiencs
heap-buffer-overflow in get_section_name function at src/cypher_code.c:14:19
Hello, I would like to bring to your attention that I encountered a potential issue while using it. This observation was made during testing on Ubuntu 20.04. Thank you for your understanding.
// source code
static char* get_section_name(t_elf *elf, int id)
{
uint16_t shname;
shname = elf->elf_header->e_shstrndx;
return ((char*)(elf->section_data[shname] + elf->section_header[id].sh_name));
}
Missing boundary check for shname here, there is a risk of heap overflow.
poc:poc.zip
Asan report
==2113==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000000120 at pc 0x0000004f668a bp 0x7ffe033f84f0 sp 0x7ffe033f84e8
READ of size 8 at 0x611000000120 thread T0
#0 0x4f6689 in get_section_name /home/ld1ng/Packer_ELF/src/cypher_code.c:14:19
#1 0x4f6689 in get_section_text /home/ld1ng/Packer_ELF/src/cypher_code.c:22
#2 0x4f6689 in cypher_code /home/ld1ng/Packer_ELF/src/cypher_code.c:47
#3 0x4f593c in main /home/ld1ng/Packer_ELF/src/packer.c:52:7
#4 0x7fb542935082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
#5 0x41e3ad in _start (/home/ld1ng/Packer_ELF/packer+0x41e3ad)
0x611000000120 is located 24 bytes to the right of 200-byte region [0x611000000040,0x611000000108)
allocated by thread T0 here:
#0 0x4c61f3 in malloc (/home/ld1ng/Packer_ELF/packer+0x4c61f3)
#1 0x4f95f9 in map_sections_data /home/ld1ng/Packer_ELF/src/map_elf.c:81:29
#2 0x4f95f9 in map_elf /home/ld1ng/Packer_ELF/src/map_elf.c:136
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ld1ng/Packer_ELF/src/cypher_code.c:14:19 in get_section_name
Shadow bytes around the buggy address:
0x0c227fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c227fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c227fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c227fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c227fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fff8020: 00 fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c227fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
0x0c227fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2113==ABORTING
gdb backtrace
pwndbg> bt
#0 __strcmp_avx2 () at ../sysdeps/x86_64/multiarch/strcmp-avx2.S:112
#1 0x0000000000401a08 in get_section_text (elf=<optimized out>) at src/cypher_code.c:22
#2 cypher_code (elf=0x4472a0) at src/cypher_code.c:47
#3 0x0000000000401655 in main (argc=<optimized out>, argc@entry=2, argv=<optimized out>, argv@entry=0x7fffffffdfd8) at src/packer.c:52
#4 0x00007ffff7de8083 in __libc_start_main (main=0x401510 <main>, argc=2, argv=0x7fffffffdfd8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdfc8) at ../csu/libc-start.c:308
#5 0x000000000040125e in _start ()
