Re: Buffer Overflow Help
From: Steve Bonds (kzzvt3302_at_sneakemail.com)
Date: 11/11/04
- Previous message: Paul Webster: "Re: TEB buffer+Return Into LIBC based string copy exploitation"
- Maybe in reply to: eip_at_tampabay.rr.com: "Buffer Overflow Help"
- Next in thread: Marco Ivaldi: "Re: Buffer Overflow Help"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 11 Nov 2004 11:39:21 -0800 (PST) To: vuln-dev@securityfocus.com
On Wed Nov 10 2004 runixd wrote:
> Depending on your version, options may vary, but you should be able to
> disable stack randomization by setting
> /proc/sys/kernel/exec-shield-randomize to 0
> ("echo 0 > /proc/sys/kernel/exec-shield-randomize"),
> and you can disable exec-shield in /proc/sys/kernel/exec-shield; setting
> it to 0 should cause it to be disabled. Otherwise this is where you
> have to work with a non-executable stack and return-to-libc.
I'm having the same trouble while working on modifications to an existing
exploit to get it working reliably on Red Hat 9. On a stock, unpatched
Red Hat 9 installation I don't see any /proc/sys/kernel/exec-shield*
entries.
With the attached C code, on Red Hat 9 I get:
-----
$ gcc -Wall -g --static -o stackp stackp.c
$ for i in 1 2 3 4 5; do ./stackp; done
&sp is 0xbffff234
&sp is 0xbffff134
&sp is 0xbffff034
&sp is 0xbfffef34
&sp is 0xbfffee34
-----
There's a definite pattern in the stack location, but for the purposes of
the exploit I'm working on, brute forcing isn't feasible. (The
application crashes on a bad guess, and must be restarted manually.)
I've also tried the same thing on a Red Hat Enterprise 3 system, which
does have the above /proc entries:
-----
# echo 0 > /proc/sys/kernel/exec-shield
# echo 0 > /proc/sys/kernel/exec-shield-randomize
# gcc -Wall -g --static -o stackp stackp.c
# for i in 1 2 3 4 5; do ./stackp; done
for i in 0 1 2 3 4 5; do ./stackp; done
&sp is 0xbfffc294
&sp is 0xbfff9174
&sp is 0xbfffc414
&sp is 0xbfffbb14
&sp is 0xbfffb8f4
&sp is 0xbfff9634
-----
Strangely, I still see the "randomization" even after disabling the
feature.
Any suggestions on how to really disable it, or should us newbies stick to
Red Hat 8? ;-)
-- Steve
- TEXT/PLAIN attachment: Print Stack Pointer Address
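The attachment itself is not reproduced in the archive. Below is an added, stand-alone re-creation of the kind of probe the post describes (it is not Steve's stackp.c), with two small helpers that turn a list of sampled addresses into a yes/no answer on whether the stack base is moving between runs and how wide the observed window is. The function names (stack_probe, addresses_vary, address_spread) and the main() driver are this example's own; the sample address arrays are copied from the two runs quoted above so the helpers can be checked against known data.

```c
/*
 * Added example, not the attachment from the original post.
 * Build and run it several times, e.g.
 *   gcc -Wall -o stackp stackp.c && for i in 1 2 3 4 5; do ./stackp; done
 * Identical "&sp is ..." lines mean the stack base is not randomized;
 * varying lines mean the kernel (or a patch such as exec-shield) moved it.
 */
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Address of a local variable: where this frame landed for this run.
 * 'volatile' keeps the variable on the stack rather than in a register. */
uintptr_t stack_probe(void)
{
    volatile int sp = 0;
    return (uintptr_t)&sp;
}

/* 1 if at least two sampled addresses differ (some randomization observed),
 * 0 if every sample is identical. */
int addresses_vary(const uintptr_t *addrs, size_t n)
{
    size_t i;
    for (i = 1; i < n; i++)
        if (addrs[i] != addrs[0])
            return 1;
    return 0;
}

/* Largest minus smallest sampled address. A bigger spread means more
 * variation in where the stack ends up; 0 means no variation at all. */
uintptr_t address_spread(const uintptr_t *addrs, size_t n)
{
    uintptr_t lo, hi;
    size_t i;
    if (n == 0)
        return 0;
    lo = hi = addrs[0];
    for (i = 1; i < n; i++) {
        if (addrs[i] < lo) lo = addrs[i];
        if (addrs[i] > hi) hi = addrs[i];
    }
    return hi - lo;
}

/* Sample data copied from the two runs quoted in the thread (Red Hat 9,
 * then Red Hat Enterprise 3 with both exec-shield sysctls set to 0). */
static const uintptr_t rh9_samples[] = {
    0xbffff234, 0xbffff134, 0xbffff034, 0xbfffef34, 0xbfffee34
};
static const uintptr_t rhel3_samples[] = {
    0xbfffc294, 0xbfff9174, 0xbfffc414, 0xbfffbb14, 0xbfffb8f4, 0xbfff9634
};

int main(void)
{
    printf("&sp is 0x%lx\n", (unsigned long)stack_probe());
    printf("RH9 run:   vary=%d spread=0x%lx\n",
           addresses_vary(rh9_samples, 5),
           (unsigned long)address_spread(rh9_samples, 5));
    printf("RHEL3 run: vary=%d spread=0x%lx\n",
           addresses_vary(rhel3_samples, 6),
           (unsigned long)address_spread(rhel3_samples, 6));
    return 0;
}
```

Fed the quoted samples, the helpers report a 0x400 spread for the Red Hat 9 run (each sample exactly 0x100 below the previous one) and a 0x32a0 spread for the RHEL 3 run, which makes the difference between the two boxes concrete: the first set is small and regular, the second is wider and has no obvious order. The probe only measures one frame's address, so a zero spread says nothing about whether the stack is executable; that is a separate setting (/proc/sys/kernel/exec-shield in the quoted reply) and needs a separate check.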