Good example of heap exploits on Linux

Question

I'm doing a demonstration of memory corruption attacks, and would like to show some working examples of exploits that feature heap corruption (such as use-after-free). My requirements are:

A working exploit (remote or local)
on Linux (this is crucial, because I want to take people through it using Linux tools)
for a real application (i.e. not a dummy application made to be vulnerable, but something real)
that can be easily downloaded (open source, still available -- older versions are fine)

Preferably, I'd like:

an application that they've heard of (something fairly common, not something obscure)
with a metasploit exploit available
and, if possible, a server application or daemon (not a browser)

Surprisingly, I'm having trouble finding a good example. Can you recommend a good example to use to teach and demonstrate heap corruption attacks? The main requirement is that an exploit should be available that works on a real Linux application.

UPDATE: Before posting, I searched exploitdb and metasploit, and was unable to find something that met even the requirements (let alone the desired points). However, the search interfaces there are somewhat coarse, so there may be one lurking that I can't find.

exploit-db has a searchable database: https://www.exploit-db.com/search/?action=search&description=heap — schroeder, Dec 20 '16 at 07:55
So does Metasploit: https://www.rapid7.com/db/search?utf8=%E2%9C%93&q=heap&t=a — schroeder, Dec 20 '16 at 07:55
So, GHOST doesn't meet your needs? https://www.rapid7.com/db/modules/exploit/linux/smtp/exim_gethostbyname_bof — schroeder, Dec 20 '16 at 08:17
Or any of the Adobe modules: https://www.rapid7.com/db/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf ? — schroeder, Dec 20 '16 at 08:18

movsx · Accepted Answer · 2017-01-12T20:14:22.373

Here are a couple exploits for remote heap overflows for some older Linux daemons.

Unauthenticated remote root vulnerability in Samba 3.x - This describes the module for the setinfopolicy_heap exploit, which is included by default in metasploit.
Remote heap overflow in OpenSSL < 0.9.6d - A fairly advanced exploit for its time (2002). Includes detailed information on the vulnerability and exploit development process, along with a tarball containing C source for the exploit. Not metasploit, but just as easy to use.

Both of these will work for your demonstration, and could be easily setup by compiling older versions from source, or installing older RedHat/Debian ISO's in a VM.

Welcome to Information Security SE @movsx. These are link-dependent answers. Could you include the relevant descriptions in the article body? — Jedi, Jan 12 '17 at 20:00

Raniz · Answer 2 · 2016-12-20T08:49:25.047

It doesn't really qualify as memory corruption but it's definititely in the memory-exploit domain if that is enough for you.

I've always thought Heartbleed is a great example of a memory exploit - there's even an xkcd that does a fine job at explaining it.

It should be fairly easy to set up by compiling any SSL-capable server of your choosing against a vulnerable version of OpenSSL and then firing at it with a client that can exploit it (there's a few links available on the metasploit).

Good example of heap exploits on Linux

2 Answers2