Vulnerability Development mailing list archives
Re: Buffer Overflow Help
From: "Steve Bonds" <kzzvt3302 () sneakemail com>
Date: Thu, 11 Nov 2004 11:39:21 -0800 (PST)
On Wed Nov 10 2004 runixd wrote:
Depending on your version, options may very, but you should be able to disable stack randomization by setting /proc/sys/kernel/exec-shield-randomize to 0 "echo 0 > /proc/sys/kernel/exec-shield-randomize"
and you can disable exec shield in /proc/sys/kernel/exec-shield, setting it to 0, should cause it to be disabled, otherwise this is where you have to work with non executable stack and return to libc.
I'm having the same trouble while working on modifications to an existing exploit to get it working reliably on Red Hat 9. On a stock, unpatched Red Hat 9 installation I don't see any /proc/sys/kernel/exec-shield* entries. With the attached C code, on Red Hat 9 I get: ----- $ gcc -Wall -g --static -o stackp stackp.c $ for i in 1 2 3 4 5; do ./stackp; done &sp is 0xbffff234 &sp is 0xbffff134 &sp is 0xbffff034 &sp is 0xbfffef34 &sp is 0xbfffee34 ----- There's a definite pattern in the stack location, but for the purposes of the exploit I'm working on there's brute forcing isn't feasible. (The application crashes on a bad guess, and must be restarted manually.) I've also tried the same thing on a Red Hat Enterprise 3 system, which does have the above /proc entries: ----- # echo 0 > /proc/sys/kernel/exec-shield # echo 0 > /proc/sys/kernel/exec-shield-randomize # gcc -Wall -g --static -o stackp stackp.c # for i in 1 2 3 4 5; do ./stackp; done for i in 0 1 2 3 4 5; do ./stackp; done &sp is 0xbfffc294 &sp is 0xbfff9174 &sp is 0xbfffc414 &sp is 0xbfffbb14 &sp is 0xbfffb8f4 &sp is 0xbfff9634 ----- Strangely, I still see the "randomization" even after disabling the feature. Any suggestions on how to really disable it, or should us newbies stick to Red Hat 8? ;-) -- Steve
Attachment:
stackp.c
Description: Print Stack Pointer Address
Current thread:
- Buffer Overflow Help eip (Nov 09)
- Re: Buffer Overflow Help Harry de Grote (Nov 10)
- Re: Buffer Overflow Help runixd (Nov 10)
- <Possible follow-ups>
- RE: Buffer Overflow Help Carlos Carvalho (Nov 10)
- Re: Buffer Overflow Help Steve Bonds (Nov 12)
- Re: Buffer Overflow Help Marco Ivaldi (Nov 12)
- Re: Buffer Overflow Help sin (Nov 12)
- Re: Buffer Overflow Help Steve Bonds (Nov 14)
- RE: Buffer Overflow Help Chris Eagle (Nov 15)
- Re: Buffer Overflow Help Steve Bonds (Nov 15)
- Re: Buffer Overflow Help sin (Nov 12)
- Re: Buffer Overflow Help Harry de Grote (Nov 10)