Userspace : Non executable stack protection
by : ev1lut10n
The non executable stack is a Linux protection (it started life as a kernel patch) that marks the stack of every userspace application as non executable, so bytes written to the stack cannot be run as code.
check this out :
buggy.c
================
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
    char buffer[5];               /* 5-byte stack buffer, no length check: anything longer overflows it */
    if (argc > 1)
    {
        sprintf(buffer, argv[1]); /* unbounded copy, and argv[1] is also used as the format string */
        printf(buffer);           /* user input used directly as the format string again */
    }
    printf("\n");
    return 0;
}
==================
compile it and check the GNU_STACK program header:
=========================
$ gcc -o buggy buggy.c
$ readelf -l buggy | grep STACK
GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RW 0x4
=========================
as we can see, the GNU_STACK segment is only RW: readable and writable, not executable.
let's compare it with an ELF built with an executable stack (-z execstack):
==========
$ gcc -z execstack -o buggy buggy.c
$ readelf -l buggy | grep STACK
GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4
===========
as you can now see, if we compile with -z execstack the binary gets an executable
stack (RWE).
so how does this non executable stack become a barrier to userspace
exploitation?
recompile with the default, non executable stack protection:
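As an added example (not the author's code), here is a small Python checker that reads the same GNU_STACK program header readelf greps for, straight from the ELF program header table. It goes a little beyond the readelf one-liner: it handles 32- and 64-bit images in either byte order and also flags the case where the header is absent altogether (treated as executable, which is what the x86 loader has defaulted to). The script name check_stack.py and the build_minimal_elf fixtures are assumptions; the fixtures are constructed, non-loadable images that only exercise the parser.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551         # p_type of the GNU_STACK program header readelf greps for
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4  # p_flags bits (readelf prints them as E, W, R)


def gnu_stack_flags(elf):
    """Return the p_flags of the PT_GNU_STACK header, or None if the ELF has none."""
    if len(elf) < 16 or elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = elf[4], elf[5]
    end = {1: "<", 2: ">"}[ei_data]          # EI_DATA: 1 = little endian, 2 = big endian
    if ei_class == 1:                          # ELFCLASS32: 52-byte Ehdr, 32-byte Phdr
        ehdr_fmt, phdr_fmt = "HHIIIIIHHH", "IIIIIIII"
        type_idx, flags_idx = 0, 6             # Phdr32: p_flags is the 7th field
    elif ei_class == 2:                        # ELFCLASS64: 64-byte Ehdr, 56-byte Phdr
        ehdr_fmt, phdr_fmt = "HHIQQQIHHH", "IIQQQQQQ"
        type_idx, flags_idx = 0, 1             # Phdr64: p_flags directly follows p_type
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    # Fields after e_ident: e_type, e_machine, e_version, e_entry, e_phoff,
    # e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum (the rest is not needed).
    hdr = struct.unpack_from(end + ehdr_fmt, elf, 16)
    e_phoff, e_phentsize, e_phnum = hdr[4], hdr[8], hdr[9]
    for i in range(e_phnum):
        ph = struct.unpack_from(end + phdr_fmt, elf, e_phoff + i * e_phentsize)
        if ph[type_idx] == PT_GNU_STACK:
            return ph[flags_idx]
    return None


def describe_stack(elf):
    """Same letters readelf shows in the Flg column ('RW', 'RWE'), or 'absent'."""
    flags = gnu_stack_flags(elf)
    if flags is None:
        return "absent"
    return "".join(letter for bit, letter in ((PF_R, "R"), (PF_W, "W"), (PF_X, "E")) if flags & bit)


def stack_is_executable(elf):
    """True if the stack would be executable once the kernel loads this image.
    A missing PT_GNU_STACK is treated as executable: on x86 Linux the loader
    has defaulted to an executable stack when the header is absent."""
    flags = gnu_stack_flags(elf)
    return True if flags is None else bool(flags & PF_X)


def build_minimal_elf(stack_flags=None, bits=32):
    """Constructed test fixture (assumption, not a real binary): an ELF header plus,
    when stack_flags is given, one PT_GNU_STACK program header. Not loadable."""
    if bits == 32:
        ehsize, phentsize, machine = 52, 32, 3      # EM_386
        ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
        phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags or 0, 16)
        ehdr_fmt = "<HHIIIIIHHHHHH"
    else:
        ehsize, phentsize, machine = 64, 56, 62     # EM_X86_64
        ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
        phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags or 0, 0, 0, 0, 0, 0, 16)
        ehdr_fmt = "<HHIQQQIHHHHHH"
    phnum = 0 if stack_flags is None else 1
    ehdr = ident + struct.pack(ehdr_fmt, 2, machine, 1, 0, ehsize, 0, 0,
                               ehsize, phentsize, phnum, 0, 0, 0)
    return ehdr + (phdr if phnum else b"")


def check_file(path):
    """Read a real binary from disk and classify it, like readelf -l | grep STACK."""
    with open(path, "rb") as f:
        elf = f.read()
    return path, describe_stack(elf), stack_is_executable(elf)


if __name__ == "__main__":
    # Usage: python3 check_stack.py ./buggy [more binaries...]
    for p in sys.argv[1:]:
        path, flg, execstack = check_file(p)
        print("%-40s GNU_STACK %-6s %s" % (path, flg, "EXECUTABLE STACK" if execstack else "ok"))
```

Run it over the two builds of buggy above and the default build reports RW while the -z execstack build reports RWE; pointing it at a whole directory of binaries is a quick way to audit for stray execstack objects, which a single -z execstack object in a link can also reintroduce.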
========
$ gcc -o buggy buggy.c
$ readelf -l buggy | grep STACK
GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RW 0x4
==========
check it in gdb:
================
(gdb) run AAAAAAAAAAAAAAAAAAAA
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/mywisdom/c/exploit/buggy AAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAA
Program received signal SIGSEGV, Segmentation fault.
0x00414141 in ?? ()
(gdb) run AAAAAAAAAAAAAAAAAAAAA
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/mywisdom/c/exploit/buggy AAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAA
Program received signal SIGSEGV, Segmentation fault.
0x08048469 in main () ---------------> eip
======================
at this point most Windows exploit writers would reach for an encoding technique, but
on Linux the situation is different, because of the non executable stack protection.
how to bypass it? use return to libc.
here are the basics of ret2libc:
gopher://sdf.org/0/users/wisdomc0/article_exploitation/Eksploitasi_dengan_ret2libc