
Thursday, 24 March 2011

HACKING: disable security

for testing some security stuff, aka buffer overflows, you must disable protections such as address space randomization and the non-executable stack.

simple as root do:

echo "0" > /proc/sys/kernel/randomize_va_space
echo "0" > /proc/sys/kernel/exec-shield
echo "0" > /proc/sys/kernel/exec-shield-randomize


next you must compile the application without the non-executable stack and without stack protection. example gcc compilation flags (that helped me learn hacking):

gcc -m32 -w -fno-pie -z norelro -fno-stack-protector -ggdb -z execstack -o myprog myprog.c


see my last article (the same stuff, but older)

http://raycompstuff.blogspot.com/2010/09/hacks-tutorial-zero.html

have fun

Thursday, 23 September 2010

HACKS: Tutorial Zero

The problem nowadays with learning buffer overflows is:
- the linux kernel has protection (va_randomize, exec_shield, ...)
- the distribution has protection (AppArmor, SELinux, ...)
- gcc has protection (stack canary, ...)

That is good, because it protects us. But bad for learning.

To learn "buffer overflows" you must deactivate the protection.

some tips:

to deactivate gcc protection:
-fno-stack-protector
-fno-mudflap
-D_FORTIFY_SOURCE=0
gcc overflow.c -o overflow -fno-stack-protector
gcc -fno-stack-protector -z execstack -o bug bug.c

to deactivate kernel protection:
echo "0" > /proc/sys/kernel/randomize_va_space
echo "0" > /proc/sys/kernel/exec-shield
echo "0" > /proc/sys/kernel/exec-shield-randomize


info about execstack


If you look at the program with objdump (objdump -x cmd):
STACK off 0x0000000000000000 vaddr 0x0000000000000000 paddr 0x0000000000000000 align 2**3
filesz 0x0000000000000000 memsz 0x0000000000000000 flags rw-
The stack is not executable!

you can make it executable with
gcc -fno-stack-protector -z execstack -o bug bug.c
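To check what the sysctl and the -z execstack flag actually changed, here is an added example (my own script, not from the original post): it parses the STACK program header out of objdump -x output and reads randomize_va_space. The function names are my own, and the sample objdump lines in the test are constructed.

```shell
#!/bin/sh
# Added example: audit the two mitigations discussed above.
# stack_flags_from_objdump reads `objdump -x` output on stdin and prints the
# flags field of the STACK (PT_GNU_STACK) program header, which objdump
# prints as two lines:
#   STACK off ... vaddr ... paddr ... align 2**3
#        filesz ... memsz ... flags rw-
stack_flags_from_objdump() {
    awk '
        $1 == "STACK" { in_stack = 1; next }
        in_stack && $0 ~ /flags/ {
            for (i = 1; i <= NF; i++) if ($i == "flags") print $(i + 1)
            exit
        }
    '
}

# Classify the stack: "executable" if the x bit is set, "non-executable"
# otherwise, "missing" if there is no STACK header at all (then the kernel
# default applies, which on x86 Linux historically means executable).
stack_exec_state() {
    flags=$(stack_flags_from_objdump)
    case "$flags" in
        "")  echo missing ;;
        *x*) echo executable ;;
        *)   echo non-executable ;;
    esac
}

# Read randomize_va_space; the path is a parameter so it can be tested on
# a constructed file instead of /proc.
aslr_state() {
    case "$(cat "$1" 2>/dev/null)" in
        0) echo disabled ;;
        1) echo partial ;;   # stack/mmap/vdso randomized, not brk
        2) echo full ;;
        *) echo unknown ;;
    esac
}

# Live usage: audit a compiled binary and the running kernel.
audit() {
    printf 'stack: %s\n' "$(objdump -x "$1" | stack_exec_state)"
    printf 'aslr:  %s\n' "$(aslr_state /proc/sys/kernel/randomize_va_space)"
}
```

Run it as `. ./audit.sh; audit ./bug` after compiling with and without -z execstack to see the flags field flip between rw- and rwx.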


If you want to learn heap or bss overflows you must make them executable too.
DYNAMIC off 0x0000000000000e40 vaddr 0x0000000000600e40 paddr 0x0000000000600e40 align 2**3
filesz 0x00000000000001a0 memsz 0x00000000000001a0 flags rw-