



Linux Mono JIT 4.6.2 Compiler mismanagement multithread handling | Buffer Overflow
######################################
#Exploit Title: Linux Mono JIT Compiler mismanagement multithread handling
#Exploit Author: Hosein Askari (FarazPajohan)
#Vendor HomePage: http://www.mono-project.com/
#Version :  4.6.2
#Tested on: Ubuntu 17.04
#Date: 18-03-2017
#Category: Application
#Vulnerable Part: Multithread handling
#Author Mail :hosein.askari@aol.com
#Description: Unexpected multithread handling in Mono JIT Compiler version 4.6.2 occurs due to thread mismanagement, which causes a buffer overflow. The trace below shows the abort being raised by glibc's "free(): invalid pointer" check (malloc_printerr via _int_free) from a g_free call on the "Finalizer" thread (thread 3); on its own this indicates a corrupted heap or an invalid pointer passed to free, and the precise overflow site is not identified by the trace.
#valgrind --leak-check=yes pinta Crash.jpg
*** Error in  free(): invalid pointer: 0x089d63e0 ***
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
0xb7fd9cf9 in __kernel_vsyscall ()
  Id   Target Id         Frame
* 1    Thread 0xb7d79980 (LWP 16317) "Main" 0xb7fd9cf9 in __kernel_vsyscall ()
  2    Thread 0xb73ffb40 (LWP 16318) "SGen worker" 0xb7fd9cf9 in __kernel_vsyscall ()
  3    Thread 0xb59f5b40 (LWP 16319) "Finalizer" 0xb7fd9cf9 in __kernel_vsyscall ()
  4    Thread 0xb3c52b40 (LWP 16320) "gmain" 0xb7fd9cf9 in __kernel_vsyscall ()
  5    Thread 0xb3451b40 (LWP 16321) "gdbus" 0xb7fd9cf9 in __kernel_vsyscall ()
  6    Thread 0xb2946b40 (LWP 16322) "dconf worker" 0xb7fd9cf9 in __kernel_vsyscall ()
  7    Thread 0xaf5d3b40 (LWP 16324) "pool" 0xb7fd9cf9 in __kernel_vsyscall ()

Thread 7 (Thread 0xaf5d3b40 (LWP 16324)):
#0  0xb7fd9cf9 in __kernel_vsyscall ()
#1  0xb7e5ffe7 in syscall () at ../sysdeps/unix/sysv/linux/i386/syscall.S:29
#2  0xb476bf9b in g_cond_wait_until () from /lib/i386-linux-gnu/libglib-2.0.so.0
#3  0xb46f775a in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0
#4  0xb46f7f20 in g_async_queue_timeout_pop () from /lib/i386-linux-gnu/libglib-2.0.so.0
#5  0xb474d398 in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0
#6  0xb474c83a in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0
#7  0xb7f3b2d5 in start_thread (arg=0xaf5d3b40) at pthread_create.c:333
#8  0xb7e6459e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:113

Thread 6 (Thread 0xb2946b40 (LWP 16322)):
#0  0xb7fd9cf9 in __kernel_vsyscall ()
#1  0xb7e5a4ff in poll () at ../sysdeps/unix/syscall-template.S:84
#2  0xb4734200 in g_poll () from /lib/i386-linux-gnu/libglib-2.0.so.0
#3  0xb472479c in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0
#4  0xb47248d4 in g_main_context_iteration () from /lib/i386-linux-gnu/libglib-2.0.so.0
#5  0xb2c495cb in ?? () from /usr/lib/i386-linux-gnu/gio/modules/libdconfsettings.so
#6  0xb474c83a in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0
#7  0xb7f3b2d5 in start_thread (arg=0xb2946b40) at pthread_create.c:333
#8  0xb7e6459e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:113

Thread 5 (Thread 0xb3451b40 (LWP 16321)):
#0  0xb7fd9cf9 in __kernel_vsyscall ()
#1  0xb7e5a4ff in poll () at ../sysdeps/unix/syscall-template.S:84
#2  0xb4734200 in g_poll () from /lib/i386-linux-gnu/libglib-2.0.so.0
#3  0xb472479c in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0
#4  0xb4724bb9 in g_main_loop_run () from /lib/i386-linux-gnu/libglib-2.0.so.0
#5  0xb4998725 in ?? () from /usr/lib/i386-linux-gnu/libgio-2.0.so.0
#6  0xb474c83a in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0
#7  0xb7f3b2d5 in start_thread (arg=0xb3451b40) at pthread_create.c:333
#8  0xb7e6459e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:113

Thread 4 (Thread 0xb3c52b40 (LWP 16320)):
#0  0xb7fd9cf9 in __kernel_vsyscall ()
#1  0xb7e5a4ff in poll () at ../sysdeps/unix/syscall-template.S:84
#2  0xb4734200 in g_poll () from /lib/i386-linux-gnu/libglib-2.0.so.0
#3  0xb472479c in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0
#4  0xb47248d4 in g_main_context_iteration () from /lib/i386-linux-gnu/libglib-2.0.so.0
#5  0xb4724930 in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0
#6  0xb474c83a in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0
#7  0xb7f3b2d5 in start_thread (arg=0xb3c52b40) at pthread_create.c:333
#8  0xb7e6459e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:113

Thread 3 (Thread 0xb59f5b40 (LWP 16319)):
#0  0xb7fd9cf9 in __kernel_vsyscall ()
#1  0xb7f4500f in waitpid () at ../sysdeps/unix/syscall-template.S:84
#2  0x080fa543 in ?? ()
#3  <signal handler called>
#4  0xb7fd9cf9 in __kernel_vsyscall ()
#5  0xb7da7050 in __libc_signal_restore_set (set=0xb59f4b60) at ../sysdeps/unix/sysv/linux/nptl-signals.h:79
#6  __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:55
#7  0xb7da8577 in __GI_abort () at abort.c:89
#8  0xb7de2f4f in __libc_message (do_abort=<optimized out>, fmt=<optimized out>) at ../sysdeps/posix/libc_fatal.c:175
#9  0xb7de9b47 in malloc_printerr (action=<optimized out>, str=0xb7edb64a "free(): invalid pointer", ptr=<optimized out>, ar_ptr=0xb7f31780 <main_arena>) at malloc.c:5046
#10 0xb7dea406 in _int_free (av=0xb7f31780 <main_arena>, p=0x89d63d8, have_lock=0) at malloc.c:3902
#11 0xb4729a60 in g_free () from /lib/i386-linux-gnu/libglib-2.0.so.0
#12 0xaec18344 in ?? ()
#13 0xb1f3283d in ?? ()
#14 0xb1f32714 in ?? ()
#15 0xaec182e9 in ?? ()
#16 0xaec17b14 in ?? ()
#17 0x081fa843 in ?? ()
#18 0x0822a32e in ?? ()
#19 0x08244df5 in ?? ()
#20 0x081fad65 in ?? ()
#21 0x081dab7a in ?? ()
#22 0x08291917 in ?? ()
#23 0xb7f3b2d5 in start_thread (arg=0xb59f5b40) at pthread_create.c:333
#24 0xb7e6459e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:113

Thread 2 (Thread 0xb73ffb40 (LWP 16318)):
#0  0xb7fd9cf9 in __kernel_vsyscall ()
#1  0xb7f40c0c in pthread_cond_wait@@GLIBC_2.3.2 () at ../sysdeps/unix/sysv/linux/i386/pthread_cond_wait.S:187
#2  0x0825fb62 in ?? ()
#3  0xb7f3b2d5 in start_thread (arg=0xb73ffb40) at pthread_create.c:333
#4  0xb7e6459e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:113

Thread 1 (Thread 0xb7d79980 (LWP 16317)):
#0  0xb7fd9cf9 in __kernel_vsyscall ()
#1  0xb7f40fd6 in pthread_cond_timedwait@@GLIBC_2.3.2 () at ../sysdeps/unix/sysv/linux/i386/i686/../pthread_cond_timedwait.S:245
#2  0x08265d75 in ?? ()
#3  0x0827d039 in ?? ()
#4  0x081faa9f in ?? ()
#5  0x081fb4e5 in mono_domain_finalize ()
#6  0x08069b19 in ?? ()
#7  0x080cd7f8 in mono_main ()
#8  0x0806791f in ?? ()
#9  0xb7d93276 in __libc_start_main (main=0x8067830, argc=3, argv=0xbffff184, init=0x82a3080 <__libc_csu_init>, fini=0x82a30e0 <__libc_csu_fini>, rtld_fini=0xb7fea8b0 <_dl_fini>, stack_end=0xbffff17c) at ../csu/libc-start.c:291
#10 0x08067cb4 in _start ()

Aborted (core dumped)
######################################


