views:

409

answers:

3

Hello

My friend is teacher of first-year CS students. We want to show them buffer overflow exploitation. But modern distribs are protected from simples buffer overflows:

HOME=`perl -e "print 'A'x269"`  one_widely_used_utility_is_here --help

on debian (blame it)

Caught signal 11,

on modern commercial redhat

*** buffer overflow detected ***: /usr/bin/one_widely_used_utility_is_here terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0xc321c1]
/lib/libc.so.6(__strcpy_chk+0x43)[0xc315e3]
/usr/bin/one_widely_used_utility_is_here[0x805xxxc]
/usr/bin/one_widely_used_utility_is_here[0x804xxxc]
/lib/libc.so.6(__libc_start_main+0xdc)[0xb61e9c]
/usr/bin/one_widely_used_utility_is_here[0x804xxx1]
======= Memory map: ========
00336000-00341000 r-xp 00000000 08:02
2751047    /lib/libgcc_s-4.1.2-20080825.so.1
00341000-00342000 rwxp 0000a000 08:02
2751047    /lib/libgcc_s-4.1.2-20080825.so.1
008f3000-008f4000 r-xp 008f3000 00:00 0          [vdso]

The same detector fails for more synthetic examples from the internet.

How can we demonstrate buffer overflow with modern non-GPL distribs (there is no debian in classes)

How can we

  • DISABLE canary word checking in stack ?
  • DISABLE checking variants of strcpy/strcat ?
  • write an example (in plain C) with working buffer overrun ?
+2  A: 

In my security and privacy class, they used virtual machines that had vulnerable programs compiled with an older version of GCC that did not have canaries. You can also use newer versions of GCC and use command-line switches to disable security features like stack-smashing detection.

Either way, you'll need to recompile the programs if you're on a modern Linux distribution.

Ben S
which options will disable canary in stack, non-exec stack and which `-D` define will disable checking versions of strings functions
osgx
-fno-stack-protector to disable the canary
Ben S
-fnomudflap for string methods
Ben S
The no-executing stack is an OS option that can be backed by the CPU. To disable it you need to set the option in the Linux kernel. See this for some insight (http://en.wikipedia.org/wiki/Executable_space_protection#Linux)
Ben S
no-exec stack HAS an option in ELF file header. so gcc can disable it. UPD: http://linux.die.net/man/8/execstack
osgx
A: 
#include <stdio.h>

int main()
{ int x = 0; char buffer[8]; strcpy(buffer, "test hello world;-)"); return 0; }

After strcpy(), you have in x some ascii from this string, but if this string is too long, overvride ESP adres and program fail for protect from this and better ilustration buffer overrun, you must before declaration of x, declarate some big buffer to protect you overflow from esp address. (before x because variables is declarating on memory in stack arrange).

Edit: You can ilustrate it from StackOverflow Logo!!

Svisstack
"program fail" == segmentation fault
Svisstack
maybe i forget #include <string.h> for strcpy
Svisstack
When including `#include <string.h>` modern glibc WILL CHANGE call to `strcpy_chk(buffer, "test...", sizeof(buffer))`. so we NEED NOT TO INCLUDE IT!
osgx
oh no, fu**ing gclib, i dont know this
Svisstack
+1  A: 

To disable checking strings functions form glibc you should change your exploitable example. Change all calls to strcpy and other functions with cheking variants from

strcpy(dst, src);

to

(strcpy)(dst, src);

This will magically disable checking macroses.

To turn off gcc protection, use options

-fno-stack-protector
-fnomudflap
-U_FORTIFY_SOURCE or -D_FORTIFY_SOURCE=0

To turn off non-exec stack, use

execstack -s ./programme 

or as gcc-linker option

-Wl,-z execstack  
osgx