Buffer overflow


Things to check before attempting the exploit


random stack policy?

This security policy gives the program a different memory position on every execution. What does stay fixed is that it starts at position 0 of the segment (0xXXXXXXX0).


To check it, just see whether the same variables are created at the same position on every run:

#include <stdio.h>

int main(void)
{
    int buf;
    /* run the program several times: a changing address means the stack is randomised */
    printf("&buf=%p\n", (void *)&buf);
    return 0;
}

non-executable stack?

To check it, just see whether code placed on the stack can be executed.
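An added check, not code from the original wiki page, that covers both tests above in one Linux program: it prints a stack address so two runs can be compared for randomisation, and it reads the [stack] line of /proc/self/maps to report whether the stack is mapped executable instead of trying to run code from it. The function names are my own.

```c
#include <stdio.h>
#include <string.h>

/* Classify one /proc/<pid>/maps line ("start-end perms offset dev inode path").
 * Returns 1 if it is the [stack] mapping and it is executable,
 *         0 if it is the [stack] mapping and it is not executable,
 *        -1 if it is some other mapping or the line is malformed. */
int stack_line_exec(const char *line)
{
    unsigned long lo, hi;
    char perms[8];

    if (strstr(line, "[stack]") == NULL)
        return -1;
    if (sscanf(line, "%lx-%lx %7s", &lo, &hi, perms) != 3)
        return -1;
    return perms[2] == 'x';          /* third flag of "rwxp" is the execute bit */
}

/* Live check: walk /proc/self/maps of the running process. */
int stack_exec_self(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    int r = -1;

    if (f == NULL)
        return -1;
    while (r < 0 && fgets(line, sizeof line, f) != NULL)
        r = stack_line_exec(line);
    fclose(f);
    return r;
}

int main(void)
{
    int buf;
    int r = stack_exec_self();

    /* Run the binary twice: a changing address means the stack is randomised. */
    printf("&buf=%p\n", (void *)&buf);
    printf("stack mapping: %s\n",
           r < 0 ? "not found" : r ? "EXECUTABLE" : "non-executable");
    return 0;
}
```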

exec-shield

A set of kernel protections.

"The exec-shield feature provides protection against stack, buffer or
function pointer overflows, and against other types of exploits that
rely on overwriting data structures and/or putting code into those
structures. The patch also makes it harder to pass in and execute the
so-called 'shell-code' of exploits."

  • Features
    ● No-execute (NX), execute disable bit (EDB) support
      - when used with PAE kernel and supporting processor
      - protects kernel and user space
    ● No-execute emulation using segmentation
      - for older, legacy processors
      - protects user space only
      - (watch out for executable stacks being required)
    ● Randomisation to increase diversity
      - Randomisation of libraries, heap, stack

lsexec

#!/bin/bash
# Copyright (C) 2003, 2004 Red Hat, Inc.
# Written by Ingo Molnar and Ulrich Drepper
if [ "$#" != "1" ]; then
  echo "usage: lsexec [ <PID> | process name | --all ]"
  exit 1
fi
if ! test -f /etc/redhat-release; then
  echo "this script is written for RHEL or Fedora Core"
  exit 1
fi 

cd /proc 

printit() {
    if [ -r $1/maps ]; then
      echo -n $(basename $(readlink $1/exe))
      printf ", PID %6d: " $1
      if [ -r $1/exe ]; then
        # ELF type EXEC means a fixed load address, i.e. not a PIE
        if eu-readelf -h $1/exe|egrep -q 'Type:[[:space:]]*EXEC'; then
          echo -n -e '\033[31mno PIE\033[m, '
        else
          # the script treats a DEBUG dynamic entry as the mark of a PIE;
          # a plain shared library (DSO) has none
          if eu-readelf -d $1/exe|egrep -q '  DEBUG[[:space:]]*$'; then
            echo -n -e '\033[32mPIE\033[m, '
            if eu-readelf -d $1/exe|fgrep -q TEXTREL; then
              echo -n -e '\033[31mTEXTREL\033[m, '
            fi
          else
            echo -n -e '\033[33mDSO\033[m, '
          fi
        fi
        # RELRO: needs a GNU_RELRO segment; full RELRO also needs BIND_NOW
        # and the GOT inside the read-only region
        if eu-readelf -l $1/exe|fgrep -q 'GNU_RELRO'; then
          if eu-readelf -d $1/exe|fgrep -q 'BIND_NOW'; then
            if eu-readelf -l $1/exe|fgrep -q ' .got] .data .bss'; then
              echo -n -e '\033[32mfull RELRO\033[m, '
            else
              echo -n -e '\033[31mincorrect RELRO\033[m, '
            fi
          else
            echo -n -e '\033[33mpartial RELRO\033[m, '
          fi
        else
          echo -n -e '\033[31mno RELRO\033[m, '
        fi
      fi
      # last anonymous rw mapping; only an rwx one counts against Exec-Shield
      lastpg=$(sed -n '/^[[:xdigit:]]*-[[:xdigit:]]* rw.. \([[:xdigit:]]*\) 00:00 0$/p' $1/maps|
               tail -n 1)
      if echo "$lastpg" | egrep -v -q ' rwx. '; then
        lastpg=""
      fi
      if [ -z "$lastpg" ] || [ -z "$(echo $lastpg|cut -d ' ' -f3|tr -d 0)" ]; then
        echo -e '\033[32mExec-Shield enabled\033[m'
      else
        echo -e '\033[31mExec-Shield disabled\033[m'
        # report the mapped objects whose GNU_STACK header asks for an executable stack
        for N in `awk '{print $6}' $1/maps  | egrep '\.so|bin/' | grep '^/' | sort -u`; do
          NE=$(eu-readelf -l $N | fgrep STACK | fgrep 'RW ')
          if [ "$NE" = "" ]; then
            echo " => $N disables Exec-Shield!"
          fi
        done
      fi
    fi
}

if [ -d $1 ]; then
  printit $1
  exit 0
fi

if [ "$1" = "--all" ]; then
   for N in [1-9]*; do
     if [ $N != $$ ] && readlink -q $N/exe > /dev/null; then
       printit $N
     fi
   done
   exit 0
fi

for N in `/sbin/pidof $1`; do
 if [ -d $N ]; then
  printit $N
  fi
done


Position Independent Executables (PIE)