views: 760, answers: 5
I am trying to learn to use a buffer overflow attack in Ubuntu. Unfortunately, I cannot turn off the Address Space Layout Randomization (ASLR) feature in this OS, which is turned on by default. I have tried some workaround found in some Fedora books:

echo "0" > /proc/sys/kernel/randomize_va_space

but for some reason the protection's still there. Please give me some suggestions. Thanks.

[edit] Actually the above command was not successful, it said "Permission Denied", even with sudo. How can I fix that?

[adding] I kept on getting a segmentation fault error when it shows an address in the stack. Is it related to the non-executable stack in Ubuntu :(?

+3  A: 

You will need root perms before attempting it, and if I'm not mistaken, to restart once you've done it.

 sudo -i
 echo "0" > /proc/sys/kernel/randomize_va_space
scragar
I have tried it as you said, but after restarting Ubuntu I viewed that file and the previous value in that file was unchanged :|. Thanks.
Of course it changed back after reboot; /proc is a volatile directory. Try recompiling the kernel with randomize_va_space turned off :)
Spidey
Thanks so much. I've used your command whenever I need :D
Thank you for answering this, it is going to come in handy in the next couple of days.
Javed Ahamed
@wakandan - I believe "restart" refers to your program, not Ubuntu. When you restart Ubuntu, the protection is set to its initial value (enabled).
James Caccese
+1  A: 

gcc compile with -fno-stack-protector

nononn
A: 

To echo to files with root access using sudo, you can use the following code:

echo "0" | sudo tee /proc/sys/kernel/randomize_va_space
knittl
A: 

I have a similar problem. I did turn randomize_va_space to zero. Also, I compiled with -fno-stack-protector, but if I try to do the bof it says:

(gdb) run $(perl -e 'print "A"x320')
Starting program: /home/server/bof $(perl -e 'print "A"x320')
Programm started...

Program received signal SIGSEGV, Segmentation fault.
0x08048438 in vuln ()

But on a lower count of A's there will be:

(gdb) run $(perl -e 'print "A"x315')
Starting program: /home/server/bof $(perl -e 'print "A"x315')
Programm started...

Program received signal SIGSEGV, Segmentation fault.
0x00414141 in ?? ()

So only if I filled the whole eip with A's it will use a protection.

How can I disable this protection function?

IP-Sh0k
A: 

Found it myself.

You have to compile this way:

gcc -fno-stack-protector -z execstack -o OUTPUT INPUT.c

IP-Sh0k