Buffer overflow
From Whats notepad
Things to check before attempting the exploit
random stack policy?
This security policy makes the memory address assigned to the program different on every execution. What does stay the same, though, is that it starts at offset 0 of the segment (0xXXXXXXX0).
To check it, you only need to look at whether the same variables are created at the same address each time or not:
    #include <stdio.h>

    int main(void){
        int buf;
        /* print the address of a stack variable and compare it across several runs */
        printf("&buf=%p\n", (void *)&buf);
        return 0;
    }
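As an added example (not part of the original page), the following shell script automates the comparison above: it classifies the addresses printed by repeated runs of the test program as randomized or fixed, and reports which trailing hex digits stay constant between runs (the "0xXXXXXXX0" observation). It assumes a C compiler is reachable as cc for the live check and that the program prints a line of the form &buf=<hex>; the address lists embedded in the script are constructed sample data, not captured output.

```sh
#!/bin/sh
# Added example (not from the original page): decide, from the &buf addresses printed
# by repeated runs of the page's test program, whether the stack is randomized, and
# report which trailing hex digits stay constant. Assumes a C compiler is reachable
# as "cc" for the live check; the address lists below are constructed sample data.

# Constructed output of three runs on a randomized stack (one address per line).
SAMPLE_RANDOM='bfffe5d0
bffd28a0
bfe1ff10'

# Constructed output of three runs on a fixed stack.
SAMPLE_FIXED='bffff3d0
bffff3d0
bffff3d0'

# "randomized" if more than one distinct address was seen, "fixed" otherwise.
classify_addrs() {
    n=$(printf '%s\n' "$1" | sed '/^$/d' | sort -u | awk 'END { print NR }')
    if [ "$n" -gt 1 ]; then echo randomized; else echo fixed; fi
}

# Longest suffix shared by all addresses: the low digits the randomization does not touch.
common_suffix() {
    printf '%s\n' "$1" | awk '
        NF == 0 { next }
        !have   { first = $1; n = length($1); have = 1; next }
        {
            m = length($1); if (m < n) n = m
            while (n > 0 && substr($1, m - n + 1) != substr(first, length(first) - n + 1)) n--
        }
        END { if (have) print substr(first, length(first) - n + 1) }'
}

# Kernel-wide setting: 0 = no randomization, 1 = stack/mmap/vdso, 2 = also brk.
aslr_sysctl() {
    if [ -r /proc/sys/kernel/randomize_va_space ]; then
        cat /proc/sys/kernel/randomize_va_space
    else
        echo unknown
    fi
}

# Live check: compile the test program in $1 and run it $2 times, printing one
# address per line (the program prints "&buf=<hex>").
stack_addrs() {
    src=$1; runs=${2:-5}
    bin=$(mktemp) || return 1
    cc -o "$bin" "$src" || { rm -f "$bin"; return 1; }
    i=0
    while [ "$i" -lt "$runs" ]; do
        "$bin" | sed -n 's/^&buf=//p'
        i=$((i + 1))
    done
    rm -f "$bin"
}

# Usage: ./aslr_check.sh addr.c   (addr.c holds the test program from the page)
if [ $# -eq 1 ]; then
    addrs=$(stack_addrs "$1" 5) || exit 1
    printf 'randomize_va_space=%s, stack is %s, constant suffix "%s"\n' \
        "$(aslr_sysctl)" "$(classify_addrs "$addrs")" "$(common_suffix "$addrs")"
fi
```

The two parsing functions take their input as text, so they can be fed the output of the live check or any saved run; the common suffix is what tells you how many low-order digits of the stack address you can rely on regardless of the randomization.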
non-executable stack?
To check it, you only need to look at whether we can execute code from the stack.
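As an added example (not part of the original page), the script below checks the stack policy without executing anything from it: it reads the GNU_STACK program header of an ELF binary (the flag the kernel uses to decide whether that program's stack is executable) and the permission bits of the [stack] mapping in /proc/<pid>/maps. It assumes binutils readelf is available and that the runner is an x86 Linux kernel, where a missing GNU_STACK header means an executable stack; the readelf and maps excerpts embedded in the script are constructed sample data.

```sh
#!/bin/sh
# Added example (not from the original page): check whether the stack is executable
# (a) from the GNU_STACK program header of an ELF binary and (b) from the permissions
# of the [stack] mapping in /proc/<pid>/maps. Assumes binutils readelf for the live
# checks; the readelf and maps excerpts below are constructed sample data.

# Constructed "readelf -lW" output for a binary with a non-executable stack.
SAMPLE_READELF_NX='Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000400000 0x0000000000400000 0x000a5c 0x000a5c R E 0x1000
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10'

# Constructed output for a binary that requests an executable stack (RWE).
SAMPLE_READELF_EXEC='Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x10'

# Constructed /proc/<pid>/maps excerpts.
SAMPLE_MAPS_NX='00400000-00401000 r-xp 00000000 08:01 1234 /tmp/demo
7ffc1a2b3000-7ffc1a2d4000 rw-p 00000000 00:00 0 [stack]
7ffc1a2f0000-7ffc1a2f2000 r-xp 00000000 00:00 0 [vdso]'
SAMPLE_MAPS_EXEC='00400000-00401000 r-xp 00000000 08:01 1234 /tmp/demo
bffeb000-c0000000 rwxp 00000000 00:00 0 [stack]'

# Print the flags of the GNU_STACK header in readelf -lW output, or "missing".
gnu_stack_flags() {
    printf '%s\n' "$1" | awk '/^ *GNU_STACK/ { print $7; found = 1 }
                              END { if (!found) print "missing" }'
}

# "non-executable" only when GNU_STACK is present without the E flag; on x86 Linux a
# missing header is treated like an executable stack, so it is reported as such.
gnu_stack_verdict() {
    case "$(gnu_stack_flags "$1")" in
        RW) echo non-executable ;;
        *)  echo executable ;;
    esac
}

# Print the permission field (e.g. rw-p) of the [stack] line in maps text.
stack_perms() {
    printf '%s\n' "$1" | awk '$NF == "[stack]" { print $2; exit }'
}

# Classify the [stack] mapping by its third permission character.
stack_verdict() {
    case "$(stack_perms "$1")" in
        ??x?) echo executable ;;
        ????) echo non-executable ;;
        *)    echo unknown ;;
    esac
}

# Live checks: a binary on disk, and the [stack] mapping of a fresh process.
check_binary() { gnu_stack_verdict "$(readelf -lW "$1" 2>/dev/null)"; }
check_self()   { stack_verdict "$(cat /proc/self/maps 2>/dev/null)"; }
# Does the CPU expose the NX bit at all (needed for hardware enforcement)?
cpu_nx() { if grep -qw nx /proc/cpuinfo 2>/dev/null; then echo yes; else echo no; fi; }

# Usage: ./nxstack_check.sh /path/to/binary [...]
if [ $# -gt 0 ]; then
    for b in "$@"; do
        printf '%s: GNU_STACK %s\n' "$b" "$(check_binary "$b")"
    done
    printf 'fresh process: [stack] %s, cpu nx: %s\n' "$(check_self)" "$(cpu_nx)"
fi
```

The header check tells you what the binary asks for at exec time, the maps check tells you what the kernel actually granted; a binary marked RW can still end up with an executable stack if it loads a shared object whose own GNU_STACK header is RWE, which is exactly the case the lsexec script further down enumerates.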
exec-shield
A set of kernel protections (Red Hat's exec-shield kernel patch).
"The exec-shield feature provides protection against stack, buffer or function pointer overflows, and against other types of exploits that rely on overwriting data structures and/or putting code into those structures. The patch also makes it harder to pass in and execute the so-called 'shell-code' of exploits."
- Features
  - No-execute (NX), execute disable bit (EDB) support
    - when used with PAE kernel and supporting processor
    - protects kernel and user space
  - No-execute emulation using segmentation
    - for older, legacy processors
    - protects user space only
    - (watch out for executable stacks being required)
  - Randomisation to increase diversity
    - Randomisation of libraries, heap, stack
lsexec
    #!/bin/bash
    # Copyright (C) 2003, 2004 Red Hat, Inc.
    # Written by Ingo Molnar and Ulrich Drepper
    if [ "$#" != "1" ]; then
        echo "usage: lsexec [ <PID> | process name | --all ]"
        exit 1
    fi
    if ! test -f /etc/redhat-release; then
        echo "this script is written for RHEL or Fedora Core"
        exit 1
    fi
    cd /proc
    printit() {
        if [ -r $1/maps ]; then
            echo -n $(basename $(readlink $1/exe))
            printf ", PID %6d: " $1
            if [ -r $1/exe ]; then
                # ELF type EXEC means a fixed-address binary, i.e. not a PIE
                if eu-readelf -h $1/exe|egrep -q 'Type:[[:space:]]*EXEC'; then
                    echo -n -e '\033[31mno PIE\033[m, '
                else
                    # a DEBUG dynamic tag marks a (PIE) executable; without it this is a plain DSO
                    if eu-readelf -d $1/exe|egrep -q ' DEBUG[[:space:]]*$'; then
                        echo -n -e '\033[32mPIE\033[m, '
                        if eu-readelf -d $1/exe|fgrep -q TEXTREL; then
                            echo -n -e '\033[31mTEXTREL\033[m, '
                        fi
                    else
                        echo -n -e '\033[33mDSO\033[m, '
                    fi
                fi
                # RELRO: full only with BIND_NOW and the GOT inside the read-only segment
                if eu-readelf -l $1/exe|fgrep -q 'GNU_RELRO'; then
                    if eu-readelf -d $1/exe|fgrep -q 'BIND_NOW'; then
                        if eu-readelf -l $1/exe|fgrep -q ' .got] .data .bss'; then
                            echo -n -e '\033[32mfull RELRO\033[m, '
                        else
                            echo -n -e '\033[31mincorrect RELRO\033[m, '
                        fi
                    else
                        echo -n -e '\033[33mpartial RELRO\033[m, '
                    fi
                else
                    echo -n -e '\033[31mno RELRO\033[m, '
                fi
            fi
            # last anonymous rw mapping (the stack): Exec-Shield is enabled if it is not executable
            lastpg=$(sed -n '/^[[:xdigit:]]*-[[:xdigit:]]* rw.. \([[:xdigit:]]*\) 00:00 0$/p' $1/maps|
                     tail -n 1)
            if echo "$lastpg" | egrep -v -q ' rwx. '; then
                lastpg=""
            fi
            if [ -z "$lastpg" ] || [ -z "$(echo $lastpg|cut -d ' ' -f3|tr -d 0)" ]; then
                echo -e '\033[32mExec-Shield enabled\033[m'
            else
                echo -e '\033[31mExec-Shield disabled\033[m'
                # name every loaded object whose GNU_STACK header is not RW (it forces an executable stack)
                for N in `awk '{print $6}' $1/maps | egrep '\.so|bin/' | grep '^/' | sort -u`; do
                    NE=$(eu-readelf -l $N | fgrep STACK | fgrep 'RW ')
                    if [ "$NE" = "" ]; then
                        echo "  => $N disables Exec-Shield!"
                    fi
                done
            fi
        fi
    }
    if [ -d $1 ]; then
        printit $1
        exit 0
    fi
    if [ "$1" = "--all" ]; then
        for N in [1-9]*; do
            if [ $N != $$ ] && readlink -q $N/exe > /dev/null; then
                printit $N
            fi
        done
        exit 0
    fi
    for N in `/sbin/pidof $1`; do
        if [ -d $N ]; then
            printit $N
        fi
    done
