Download Execstack


Dibe Naro

May 10, 2024, 6:36:26 PM5/10/24
to cludusoccream

Why exactly is this? Is it because getenv is storing the actual opcodes on the stack, and the execstack flag allows jumps to the stack? Or does getenv push a pointer onto the stack, and there are some other rules about what sections of memory are executable? I read the manpage, but I couldn't work out exactly what the rules are and how they're enforced.

download execstack

Download >>> https://t.co/LQQlT3V7sI
Fun fact: taking the address of a nested function that accesses its parent's local variables gets gcc to enable -zexecstack. It stores code for an executable "trampoline" onto the stack that passes a "static chain" pointer to the actual nested function, allowing it to reference its parent's stack frame.

If you wanted to exec data as code without -zexecstack, you'd use mprotect(PROT_EXEC|PROT_READ|PROT_WRITE) on the page containing that env var. (It's part of your stack so you shouldn't remove write permission; it could be in the same page as main's stack frame, for example.)

Current ld gives .rodata its own segment that's mapped read without exec, so finding ROP / Spectre "gadgets" in read-only data is no longer possible, unless you use -zexecstack. And even that doesn't work on current kernels; char code[] = ...; as a local inside a function will put data on the stack where it's actually executable. See How to get c code to execute hex machine code? for details.

Below is from the rmadison script showing all versions of execstack available in the Ubuntu repositories. Note: rmadison will only show from the Ubuntu repositories and no third party repositories if you decide to use them.

It is quite obvious that there is a buffer overflow vulnerability in the function func(), since it tries to copy 4096 bytes into a small 20-byte buffer on the stack. Because the program is built with the -no-pie flag and the execstack flag, the student can place shellcode into the global buf and overflow the return address in func() to return to the crafted shellcode, hence achieving code execution.

The search service can find a package by either name (apache), provides (webserver), absolute file names (/usr/bin/apache), binaries (gprof) or shared libraries (libXm.so.2) in standard path. It does not support multiple arguments yet... The System and Arch are optional added filters; for example, System could be "redhat", "redhat-7.2", "mandrake" or "gnome", and Arch could be "i386" or "src", etc., depending on your system.

System Arch RPM resource execstack
This package is built from prelink sources but contains just the execstack binary. It can be used to manipulate ELF binaries to run with or without executable stack.

When we compile a C program with gcc, we have to include the "-z execstack" option to enable a stack overflow attack. The question I want to ask is how gcc implements this. Without this option, how does gcc guard the stack? Please explain it to me in detail if possible.

In a classical stack overflow attack the attacker manages to place its own code (processor instructions) on the stack by overflowing some stack-based data structures with attacker-controlled content. Now, the attacker needs to have this content on the stack be taken as instructions by the processor and get it executed. But the processor will only execute code from memory pages marked as executable. Only, modern OSes and compilers will mark the pages of the stack as non-executable in order to prevent such stack overflows. The -z execstack option disables this protection.

The OS denies execution of code stored in the stack (it only allows the CPU to execute instructions stored in the .text section), but you are injecting your malicious code into the stack, so you can disable this protection by specifying -z execstack.

Extensive testing on execstack portability has been done by Bruno Haible of the dyncall team. Their results show that NetBSD and OpenBSD will terminate your program if execstack is set. So will SELinux if used with execstack protection.

Please also see the WSL github discussion regarding execstack. This really can use attention and will have positive impact beyond WSL when resolved.

I have written a C program that runs in malloc-ed memory. It works on all the same kernels and architectures I mentioned above. I doubt you will find a specific tool like execstack to mark an executable file as "heap executable". About the best I could tell you is that you'll have to use the mprotect() system call. Even using mprotect(), I think that you'll find some of the more unusual architectures out there (the old DEC Alpha, or HP's "Precision Architecture") just won't ever allow executing out of the heap.

The GCC options -no-pie, -z execstack, and -fno-stack-protector are all disabling defensive mechanisms. We'll talk more about these mechanisms in future classes, but disabling them allows simpler versions of attacks to work. If you look at the source code for this program you'll see that the other simple thing about it is the vulnerability. The function read_and_print has a fixed-size buffer buf, and it copies the entire contents of the file specified on the command line into that buffer with the read system call, with no checking of the size at all.
