Home / exploits Linux Mono JIT 4.6.2 Compiler mismanagement multithread handling Buffer Overflow
Posted on 30 November -0001
<HTML><HEAD><TITLE>Linux Mono JIT 4.6.2 Compiler mismanagement multithread handling | Buffer Overflow</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>################ #Exploit Title: Linux Mono JIT Compiler mismanagement multithread handling #Exploit Author: Hosein Askari (FarazPajohan) #Vendor HomePage: http://www.mono-project.com/ #Version : 4.6.2 #Tested on: Ubuntu 17.04 #Date: 18-03-2017 #Category: Application #Vulnerable Part: Multithread handeling #Author Mail :hosein.askari@aol.com #Description: Unexpected Multithread handling on Mono JIT Compiler version 4.6.2 is occured due to thread mismanagement that causes buffer overflow. #valgrind --leak-check=yes pinta Crash.jpg *** Error in free(): invalid pointer: 0x089d63e0 *** [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1". 0xb7fd9cf9 in __kernel_vsyscall () Id Target Id Frame * 1 Thread 0xb7d79980 (LWP 16317) "Main" 0xb7fd9cf9 in __kernel_vsyscall () 2 Thread 0xb73ffb40 (LWP 16318) "SGen worker" 0xb7fd9cf9 in __kernel_vsyscall () 3 Thread 0xb59f5b40 (LWP 16319) "Finalizer" 0xb7fd9cf9 in __kernel_vsyscall () 4 Thread 0xb3c52b40 (LWP 16320) "gmain" 0xb7fd9cf9 in __kernel_vsyscall () 5 Thread 0xb3451b40 (LWP 16321) "gdbus" 0xb7fd9cf9 in __kernel_vsyscall () 6 Thread 0xb2946b40 (LWP 16322) "dconf worker" 0xb7fd9cf9 in __kernel_vsyscall () 7 Thread 0xaf5d3b40 (LWP 16324) "pool" 0xb7fd9cf9 in __kernel_vsyscall () Thread 7 (Thread 0xaf5d3b40 (LWP 16324)): #0 0xb7fd9cf9 in __kernel_vsyscall () #1 0xb7e5ffe7 in syscall () at ../sysdeps/unix/sysv/linux/i386/syscall.S:29 #2 0xb476bf9b in g_cond_wait_until () from /lib/i386-linux-gnu/libglib-2.0.so.0 #3 0xb46f775a in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0 #4 0xb46f7f20 in g_async_queue_timeout_pop () from /lib/i386-linux-gnu/libglib-2.0.so.0 #5 0xb474d398 in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0 #6 0xb474c83a in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0 #7 0xb7f3b2d5 in start_thread (arg=0xaf5d3b40) at pthread_create.c:333 #8 0xb7e6459e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:113 Thread 6 (Thread 0xb2946b40 (LWP 16322)): #0 0xb7fd9cf9 in __kernel_vsyscall () #1 0xb7e5a4ff in poll () at ../sysdeps/unix/syscall-template.S:84 #2 0xb4734200 in g_poll () from /lib/i386-linux-gnu/libglib-2.0.so.0 #3 0xb472479c in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0 #4 0xb47248d4 in g_main_context_iteration () from /lib/i386-linux-gnu/libglib-2.0.so.0 #5 0xb2c495cb in ?? () from /usr/lib/i386-linux-gnu/gio/modules/libdconfsettings.so #6 0xb474c83a in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0 #7 0xb7f3b2d5 in start_thread (arg=0xb2946b40) at pthread_create.c:333 #8 0xb7e6459e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:113 Thread 5 (Thread 0xb3451b40 (LWP 16321)): #0 0xb7fd9cf9 in __kernel_vsyscall () #1 0xb7e5a4ff in poll () at ../sysdeps/unix/syscall-template.S:84 #2 0xb4734200 in g_poll () from /lib/i386-linux-gnu/libglib-2.0.so.0 #3 0xb472479c in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0 #4 0xb4724bb9 in g_main_loop_run () from /lib/i386-linux-gnu/libglib-2.0.so.0 #5 0xb4998725 in ?? () from /usr/lib/i386-linux-gnu/libgio-2.0.so.0 #6 0xb474c83a in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0 #7 0xb7f3b2d5 in start_thread (arg=0xb3451b40) at pthread_create.c:333 #8 0xb7e6459e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:113 Thread 4 (Thread 0xb3c52b40 (LWP 16320)): #0 0xb7fd9cf9 in __kernel_vsyscall () #1 0xb7e5a4ff in poll () at ../sysdeps/unix/syscall-template.S:84 #2 0xb4734200 in g_poll () from /lib/i386-linux-gnu/libglib-2.0.so.0 #3 0xb472479c in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0 #4 0xb47248d4 in g_main_context_iteration () from /lib/i386-linux-gnu/libglib-2.0.so.0 #5 0xb4724930 in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0 #6 0xb474c83a in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0 #7 0xb7f3b2d5 in start_thread (arg=0xb3c52b40) at pthread_create.c:333 #8 0xb7e6459e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:113 Thread 3 (Thread 0xb59f5b40 (LWP 16319)): #0 0xb7fd9cf9 in __kernel_vsyscall () #1 0xb7f4500f in waitpid () at ../sysdeps/unix/syscall-template.S:84 #2 0x080fa543 in ?? () #3 <signal handler called> #4 0xb7fd9cf9 in __kernel_vsyscall () #5 0xb7da7050 in __libc_signal_restore_set (set=0xb59f4b60) at ../sysdeps/unix/sysv/linux/nptl-signals.h:79 #6 __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:55 #7 0xb7da8577 in __GI_abort () at abort.c:89 #8 0xb7de2f4f in __libc_message (do_abort=<optimized out>, fmt=<optimized out>) at ../sysdeps/posix/libc_fatal.c:175 #9 0xb7de9b47 in malloc_printerr (action=<optimized out>, str=0xb7edb64a "free(): invalid pointer", ptr=<optimized out>, ar_ptr=0xb7f31780 <main_arena>) at malloc.c:5046 #10 0xb7dea406 in _int_free (av=0xb7f31780 <main_arena>, p=0x89d63d8, have_lock=0) at malloc.c:3902 #11 0xb4729a60 in g_free () from /lib/i386-linux-gnu/libglib-2.0.so.0 #12 0xaec18344 in ?? () #13 0xb1f3283d in ?? () #14 0xb1f32714 in ?? () #15 0xaec182e9 in ?? () #16 0xaec17b14 in ?? () #17 0x081fa843 in ?? () #18 0x0822a32e in ?? () #19 0x08244df5 in ?? () #20 0x081fad65 in ?? () #21 0x081dab7a in ?? () #22 0x08291917 in ?? () #23 0xb7f3b2d5 in start_thread (arg=0xb59f5b40) at pthread_create.c:333 #24 0xb7e6459e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:113 Thread 2 (Thread 0xb73ffb40 (LWP 16318)): #0 0xb7fd9cf9 in __kernel_vsyscall () #1 0xb7f40c0c in pthread_cond_wait@@GLIBC_2.3.2 () at ../sysdeps/unix/sysv/linux/i386/pthread_cond_wait.S:187 #2 0x0825fb62 in ?? () #3 0xb7f3b2d5 in start_thread (arg=0xb73ffb40) at pthread_create.c:333 #4 0xb7e6459e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:113 Thread 1 (Thread 0xb7d79980 (LWP 16317)): #0 0xb7fd9cf9 in __kernel_vsyscall () #1 0xb7f40fd6 in pthread_cond_timedwait@@GLIBC_2.3.2 () at ../sysdeps/unix/sysv/linux/i386/i686/../pthread_cond_timedwait.S:245 #2 0x08265d75 in ?? () #3 0x0827d039 in ?? () #4 0x081faa9f in ?? () #5 0x081fb4e5 in mono_domain_finalize () #6 0x08069b19 in ?? () #7 0x080cd7f8 in mono_main () #8 0x0806791f in ?? () #9 0xb7d93276 in __libc_start_main (main=0x8067830, argc=3, argv=0xbffff184, init=0x82a3080 <__libc_csu_init>, fini=0x82a30e0 <__libc_csu_fini>, rtld_fini=0xb7fea8b0 <_dl_fini>, stack_end=0xbffff17c) at ../csu/libc-start.c:291 #10 0x08067cb4 in _start () Aborted (core dumped) ######################################</BODY></HTML>