
Re: non-executable stack (via PT_GNU_STACK) not being enforced



Sure, here is an easy program you can use, but first:

<PATERNAL WARNING>: the shellcode below launches /bin/sh.  It is from Aleph One's Smashing the Stack for Fun and Profit.  It is generally a bad idea to blindly run someone else's shellcode on your machine since you don't know what it will do (unless you've analyzed it).  You can and should verify that the following shellcode is the same as listed in Aleph One's article (found easily via Google) before running this example.</WARNING>

/* Aleph One's Linux/x86 execve("/bin/sh") shellcode, unchanged: 32-bit code
 * (mov al, 11 / int 0x80), so build the test as a 32-bit executable. */
static char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

int main(void) {
        /* Jump into the byte string as if it were a function.  The array
         * lives in .data rather than on the stack; with -z execstack a
         * 32-bit Linux process gets READ_IMPLIES_EXEC, so every readable
         * page (this one included) is mapped executable and the jump
         * succeeds.  Without it the page has no X bit and the CPU faults. */
        void (*function_pointer)(void) = (void (*)(void)) shellcode;
        function_pointer();
        return 0;
}

---
Call it tmp.c.  Now you can test for page permission enforcement:

user@host:~$ gcc -z execstack tmp.c
user@host:~$ ./a.out
sh-3.2$ exit  ## <-- this means the stack is executable

user@host:~$ gcc -z noexecstack tmp.c
user@host:~$ ./a.out 
Segmentation fault  ## <-- this means the stack is non-executable
user@host:~$

If ./a.out does not segfault once you have compiled it with "-z noexecstack", then page permissions are not being enforced.

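The test above jumps into a byte array in .data and relies on a crash to signal enforcement. The program below is an added example, not code from the original post or from Debian: it probes the stack itself by copying a single "ret" instruction into a stack buffer and calling it under a SIGSEGV/SIGBUS handler, so a refused execution becomes a return value instead of a core dump, and it cross-checks that verdict against the "[stack]" entry in /proc/self/maps. It assumes Linux on x86 or AArch64 (the instruction bytes are architecture-specific); the file name probe.c and the functions stack_is_executable, stack_perm_from_maps and stack_probe_consistent are names chosen here, not kernel or libc APIs.

```c
/*
 * Added example, not code from the original post.  Probes whether the
 * current thread's stack is executable without crashing the process:
 * a single "ret" instruction is copied into a stack buffer and called.
 * If the page lacks the X bit the CPU raises SIGSEGV (SIGBUS on some
 * systems), which a handler turns into a return value.  The result is
 * cross-checked against the "[stack]" mapping in /proc/self/maps.
 * Assumes Linux on x86 or AArch64; the function names are this
 * example's own, not kernel or libc APIs.
 */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
static const unsigned char ret_insn[] = { 0xc3 };                   /* ret */
#elif defined(__aarch64__)
static const unsigned char ret_insn[] = { 0xc0, 0x03, 0x5f, 0xd6 }; /* ret */
#else
#error "add the 'ret' encoding for this architecture"
#endif

static sigjmp_buf recover;

static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(recover, 1);            /* unwind back into the probe */
}

/* 1 if code placed in a stack buffer executed, 0 if the CPU refused. */
int stack_is_executable(void)
{
    unsigned char buf[64] __attribute__((aligned(16)));
    struct sigaction sa, old_segv, old_bus;
    volatile int executable = 0;

    memcpy(buf, ret_insn, sizeof ret_insn);
    /* no-op on x86; required on AArch64 after writing instructions */
    __builtin___clear_cache((char *)buf, (char *)buf + sizeof buf);

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    if (sigsetjmp(recover, 1) == 0) {
        /* same cast as the posted test, but the target is on the stack */
        void (*fn)(void) = (void (*)(void))(void *)buf;
        fn();
        executable = 1;                /* the ret came back */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return executable;
}

/* What the kernel says: 1 if [stack] has 'x', 0 if not, -1 if unknown. */
int stack_perm_from_maps(void)
{
    char line[512], perms[8];
    int result = -1;
    FILE *maps = fopen("/proc/self/maps", "r");

    if (!maps)
        return -1;
    while (fgets(line, sizeof line, maps)) {
        /* e.g. "7ffd1c3e0000-7ffd1c401000 rw-p 00000000 00:00 0  [stack]" */
        if (strstr(line, "[stack]") && sscanf(line, "%*s %7s", perms) == 1) {
            result = (strlen(perms) >= 3 && perms[2] == 'x') ? 1 : 0;
            break;
        }
    }
    fclose(maps);
    return result;
}

/* 1 if the CPU's verdict matches the mapping (or /proc is unavailable);
 * 0 means the X bit in the page tables is not being enforced. */
int stack_probe_consistent(void)
{
    int ran = stack_is_executable();
    int mapped = stack_perm_from_maps();
    return mapped == -1 || mapped == ran;
}

int main(void)
{
    int ran = stack_is_executable();
    int mapped = stack_perm_from_maps();

    printf("code on the stack executed : %s\n", ran ? "yes" : "no");
    printf("/proc/self/maps [stack]    : %s\n",
           mapped == 1 ? "rwx" : mapped == 0 ? "rw-" : "unavailable");
    if (mapped != -1 && mapped != ran)
        printf("page permissions are NOT being enforced\n");
    return 0;
}
```

Build it twice, "gcc -z execstack probe.c" and "gcc -z noexecstack probe.c", and run each: the execstack build should report that the code ran and a rwx [stack] mapping, the noexecstack build that it did not run and a rw- mapping. The interesting case is the original poster's: the code runs although the mapping is rw-, which means the kernel is not enforcing the X bit at all rather than the linker flag being ignored. One cause worth ruling out on 32-bit x86 is a kernel built without PAE, since the NX bit only exists in PAE page tables; "grep -w nx /proc/cpuinfo" shows whether the CPU offers it and "uname -r" whether a PAE kernel is running.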
-----Original Message-----
From: Goswin von Brederlow <goswin-v-b@web.de>
To: Brchk05 <brchk05@aim.com>
Cc: debian-security@lists.debian.org
Sent: Wed, Oct 13, 2010 4:46 am
Subject: Re: non-executable stack (via PT_GNU_STACK) not being enforced

Brchk05 <brchk05@aim.com> writes:

> I am running Debian 2.6.26-21lenny4 and I am puzzled by an issue with the
> enforcement of page permissions.  I have written a simple program with a basic
> buffer overflow and compiled two versions using gcc: one with -z execstack and
> another with -z noexecstack.  
>
> So, to verify that the option takes:
>
> For the -z execstack version:
> $ readelf -l a.out | grep -i -A1 stack
>   GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4
>
> For the -z noexecstack version:
> $ readelf -l a.out | grep -i -A1 stack
>   GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4
>
> However, I am able to inject and execute shellcode from a stack local character
> buffer in both versions.  Is there another system option I am unaware of that
> affects enforcement?  Is enforcement not supported for my system version?
>
> Thanks for your help.

Could you provide source? I'm interested in checking this for my system
too.

MfG
        Goswin
