![]() ![]() vulnerable $ (perl -e 'print' A "x36 # EBP ') Mohamed mohamed-desktop: ~ / Desktop $ gcc vulnerable.c -o mohamed-desktop: ~ / Desktop $. Mohamed mohamed-desktop: ~ / Desktop $ cat> vulnerable.c #include We already know that we have 32 bytes of buffer + EBP + EIP, but if the protection is enabled we would not allow or pass the frame pointer: Well, let's see how it reacts to a simple overflow like this:Īs we see, there is a 32-byte buffer and not a single check when doing the string copy to the buffer. This protection detects a buffer overflow attack (always on the stack) by creating a value called "Canary" between the created buffers and the frame pointer (EBP) & "return address" (EIP), then when a buffer attempts overwriting these values ?must in one way or another overwrite the value "Canary" and this serves as a trigger for protection that gives an alert and takes action against it, for example, stopping the process. This compiler comes with a protection system called "StackGuard" developed by Immunix and now called ProPolice 2. Well, this is a security protection implemented in the ultra renoted compiler and found in every GNU / Linux distribution, I speak of GCC (GNU Compiler Collection). Root mohamed -desktop: ~ # echo 0> / proc / sys / kernel / randomize vaspaceĪfter disabling the patch we can see that the address of ESP is constant in the executable, without even recompiling it!īut do not be frightened, as history has taught us! Behind every security system is someone trying to break it. Now let's disable this function and let's see what happens: espīy enabling this "patch" we can see that the addresses are changing and making it almost impossible to know the virtual address of ESP (in this case. Mohamed mohamed -desktop: ~ / Desktop $ gcc esp.c -o esp Mohamed mohamed -desktop: ~ / Desktop $ cat> esp.c #include ![]() Mohamed mohamed -desktop: ~ / Desktop $ cat / proc / sys / kernel / randomize vaspace The system file that controls this option is located in / proc / sys / kernel / randomize vaspace (only manipulated by a superuser or root ) and we could say that it is controlled by a TRUE (1) or FALSE (0). Now with this code we are going to test the protection in itself of the kernel in question. ![]() This code would give me the exact address of ESP at the time of execution. The method to enable and disable it is simple, I will demonstrate the change of addresses in memory with the following code: This applies only to ELF (Executable and Linkable Format) binaries. By changing this, exploits created for absolute addresses (bone, constants) would be obsolete since they change the addresses with each execution of the program and its libraries in a range of 8MB. The first protection is the creation of random virtual address space in the process, which change with each invocation of the process. ![]() There are more protections such as the patch grsecurity or exec-shield (of which I may speak later), even there is protection from hardware called StackGuard. When it is time to scan a program for vulnerabilities or just exploit them under GNU / Linux, there are two simple protections that you should keep in mind when it comes to systems with Kernels version 2.6 and higher, and over all if compiled with GCC. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |