Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
619 views
in Technique[技术] by (71.8m points)

x86 64 - Linux's security measures against executing shellcode

I'm learning the basics of computer security and I'm trying to execute some shellcode I've written. I followed the steps given here

http://dl.packetstormsecurity.net/papers/shellcode/own-shellcode.pdf

http://webcache.googleusercontent.com/search?q=cache:O3uJcNhsksAJ:dl.packetstormsecurity.net/papers/shellcode/own-shellcode.pdf+own+shellcode&cd=1&hl=nl&ct=clnk&gl=nl

$ cat pause.s
xor %eax,%eax
mov $29,%al     
int $0x80       
$ as -o pause.o pause.s
$ ld -o pause pause.o
ld: warning: cannot find entry symbol _start; defaulting to <<some address here>>
$ ./pause 
^C
$ objdump -d ./pause
pause:     file format elf64-x86_64
Disassembly of section .text:
      08048054 <.text>:
      8048054: 31 c0     xor    %eax,%eax
      8048056: b0 1d     mov    $0x1d,%al
      8048058: cd 80     int    $0x8
$

Since I got my pause program to work, I just copied the objdump output to a c file.

test.c:

int main()
{
    char s[] = "x31xc0xb0x1dxcdx80";
    (*(void(*)())s)();
}

But this produces a segfault. Now, this can only be due to security measures of Arch Linux (?). So how can I get this to work?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

The page s lives in isn't mapped with execute permissions. Since you're on x86_64 you definitely have NX support in hardware. By default these days code and data live in very separate pages, with data not having the execute permission.

You can work around this with either mmap() or mprotect() to allocate or alter pages to have the PROT_EXEC permission.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...