开发者

PaX and buffer overflow

开发者 https://www.devze.com 2023-03-13 05:27 出处:网络
Is it possilbe to overflow buffer in linux that have PaX in kernel. I want to exploit into a executable by changing the return address using proper input.I\'m using Ubuntu 10.04 and I test this with p

Is it possilbe to overflow buffer in linux that have PaX in kernel. I want to exploit into a executable by changing the return address using proper input.I'm using Ubuntu 10.04 and I test this with paxtest but I don't what the result means. This is the result of paxtest on my system:

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable anonymous mapping (mprotect)  : Vulnerable
Executable bss (mprotect)                : Vulnerable
Executable data (mprotect)               : Vulnerable
Executable heap (mprotect)               : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Executable stack (mprotect)              : Vulnerable
Anonymous mapping randomisation test     : 12 bits (guessed)
Heap randomisation test (ET_EXEC)        : 13 bits (guessed)
Heap randomisation test (ET_DYN)         : 14 bits (guessed)
Main exec开发者_运维问答utable randomisation (ET_EXEC)  : 12 bits (guessed)
Main executable randomisation (ET_DYN)   : 12 bits (guessed)
Shared library randomisation test        : 12 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 19 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 19 bits (guessed)
Return to function (strcpy)              : Vulnerable
Return to function (strcpy, RANDEXEC)    : Vulnerable
Return to function (memcpy)              : Vulnerable
Return to function (memcpy, RANDEXEC)    : Vulnerable
Executable shared library bss            : Vulnerable
Executable shared library data           : Killed
Writable text segments                   : Vulnerable


Yes, you can. See the lines:

    Return to function (strcpy)              : Vulnerable
    Return to function (strcpy, RANDEXEC)    : Vulnerable

Alas, MY school project was to prevent just such an exploit using grsecurity. PaX did not prevent my overwriting the return address.

0

精彩评论

暂无评论...
验证码 换一张
取 消