Userspace : Non executable stack protection
by : ev1lut10n

The non-executable stack is a Linux patch that makes the stack non-executable for every userspace application that uses the stack. Check this out:

buggy.c
================
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
    char buffer[5];

    if (argc > 1) {
        sprintf(buffer, argv[1]);   /* unbounded copy into a 5-byte stack buffer: the overflow */
        printf(buffer);             /* argv[1] is also used directly as the format string */
    }
    printf("\n");
    return 0;
}
==================

Test it and check:
=========================
$ gcc -o buggy buggy.c
$ readelf -l buggy | grep STACK
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4
=========================

As we may see, the stack is only RW (non-executable). Let's compare with an ELF built with an executable stack, i.e. with the protection turned off:
==========
$ gcc -z execstack -o buggy buggy.c
$ readelf -l buggy | grep STACK
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4
===========

As you now see, if we compile using -z execstack the binary will have an executable stack. So how does the non-executable stack become a barrier to userspace exploitation? Recompile with the default, non-executable stack protection:
========
$ gcc -o buggy buggy.c
$ readelf -l buggy | grep STACK
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4
==========

Check using gdb:
================
(gdb) run AAAAAAAAAAAAAAAAAAAA
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/mywisdom/c/exploit/buggy AAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAA

Program received signal SIGSEGV, Segmentation fault.
0x00414141 in ?? ()
(gdb) run AAAAAAAAAAAAAAAAAAAAA
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/mywisdom/c/exploit/buggy AAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAA

Program received signal SIGSEGV, Segmentation fault.
0x08048469 in main ()    ---------------> eip
======================

At exactly this point most Windows exploiters would use an encoding technique, but on Linux the problem is different, because of the non-executable stack protection. How to bypass it? Use return-to-libc. Here are the basics of ret2libc:
gopher://sdf.org/0/users/wisdomc0/article_exploitation/Eksploitasi_dengan_ret2libc
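The readelf check above is the right thing to audit, but it helps to know what it actually reads: the PT_GNU_STACK program header, whose PF_X flag decides whether the kernel maps the stack RW or RWE, and whose absence falls back to the architecture default. What follows is an added example written for this page, not code from the original article: a small C checker that parses that header itself, so it gives the same verdict where readelf is not installed, and that classifies any binaries named on its command line. The ELF32/i386 image it builds in memory is constructed purely for the demonstration, and the program name nxcheck in the comments is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GNU_STACK_TYPE 0x6474e551u   /* PT_GNU_STACK, as in <elf.h> */
#define FLAG_X 0x1u                  /* PF_X; PF_W is 0x2, PF_R is 0x4 */

/* Little-endian field access; this example handles ELFDATA2LSB images only. */
static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rd64(const unsigned char *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr16(unsigned char *p, uint16_t v) { p[0] = (unsigned char)v; p[1] = (unsigned char)(v >> 8); }
static void wr32(unsigned char *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (unsigned char)(v >> (8 * i)); }

/* Walk the program header table (the data behind `readelf -l`) and classify the
 * stack mapping the kernel will create:
 *    1  PT_GNU_STACK with PF_X     -> executable stack (RWE)
 *    0  PT_GNU_STACK without PF_X  -> non-executable stack (RW)
 *    2  no PT_GNU_STACK header     -> architecture default; on x86 that has
 *       historically meant an executable stack, so treat it as a finding too
 *   -1  not a little-endian ELF, or the header table is truncated */
int elf_stack_executable(const unsigned char *buf, size_t len)
{
    if (len < 52 || memcmp(buf, "\x7f" "ELF", 4) != 0 || buf[5] != 1) return -1;
    int is64 = (buf[4] == 2);                  /* EI_CLASS: 1 = ELF32, 2 = ELF64 */
    uint64_t phoff; uint16_t phentsize, phnum; size_t phdr_min;
    if (is64) {
        if (len < 64) return -1;
        phoff = rd64(buf + 32); phentsize = rd16(buf + 54); phnum = rd16(buf + 56); phdr_min = 56;
    } else {
        phoff = rd32(buf + 28); phentsize = rd16(buf + 42); phnum = rd16(buf + 44); phdr_min = 32;
    }
    if (phentsize < phdr_min) return -1;
    for (uint16_t i = 0; i < phnum; i++) {
        uint64_t off = phoff + (uint64_t)i * phentsize;
        if (off > len || len - off < phdr_min) return -1;   /* table runs past end of data */
        const unsigned char *ph = buf + off;
        uint32_t p_flags = is64 ? rd32(ph + 4) : rd32(ph + 24);   /* p_flags offset differs by class */
        if (rd32(ph) == GNU_STACK_TYPE) return (p_flags & FLAG_X) ? 1 : 0;
    }
    return 2;
}

/* Constructed sample, not a loadable program: a minimal ELF32/i386 image whose
 * only program header is PT_GNU_STACK with flags RW or RWE (or no header at all). */
size_t build_sample_elf32(unsigned char *out, size_t cap, int exec_stack, int with_gnu_stack)
{
    const size_t ehsize = 52, phsize = 32;
    if (cap < ehsize + phsize) return 0;
    memset(out, 0, ehsize + phsize);
    memcpy(out, "\x7f" "ELF", 4);
    out[4] = 1; out[5] = 1; out[6] = 1;           /* ELFCLASS32, ELFDATA2LSB, EV_CURRENT */
    wr16(out + 16, 2); wr16(out + 18, 3); wr32(out + 20, 1);   /* ET_EXEC, EM_386, e_version */
    wr32(out + 28, (uint32_t)ehsize);             /* e_phoff: table follows the header */
    wr16(out + 40, (uint16_t)ehsize); wr16(out + 42, (uint16_t)phsize);   /* e_ehsize, e_phentsize */
    wr16(out + 44, with_gnu_stack ? 1 : 0);       /* e_phnum */
    unsigned char *ph = out + ehsize;
    wr32(ph, GNU_STACK_TYPE); wr32(ph + 28, 4);   /* p_type, p_align (0x4 as in readelf above) */
    wr32(ph + 24, 0x6u | (exec_stack ? FLAG_X : 0));   /* p_flags: RW or RWE */
    return ehsize + phsize;
}

/* Build a sample and classify it; this is what the checks assert on. */
int sample_stack_result(int exec_stack, int with_gnu_stack)
{
    unsigned char img[128];
    size_t n = build_sample_elf32(img, sizeof img, exec_stack, with_gnu_stack);
    return n ? elf_stack_executable(img, n) : -1;
}

/* Classify a binary on disk, e.g. ./buggy after each of the gcc commands above. */
int check_file(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    long sz = (fseek(f, 0, SEEK_END) == 0) ? ftell(f) : -1;
    if (sz <= 0) { fclose(f); return -1; }
    rewind(f);
    unsigned char *buf = malloc((size_t)sz);
    size_t len = buf ? fread(buf, 1, (size_t)sz, f) : 0;
    fclose(f);
    int r = elf_stack_executable(buf, len);       /* len == 0 yields -1 before buf is touched */
    free(buf);
    return r;
}

int main(int argc, char **argv)
{
    static const char *verdict[] = { "RW (non-executable)", "RWE (executable)", "no PT_GNU_STACK (arch default)" };
    printf("constructed RW sample -> %d, RWE sample -> %d\n", sample_stack_result(0, 1), sample_stack_result(1, 1));
    for (int i = 1; i < argc; i++) {              /* e.g. ./nxcheck ./buggy */
        int r = check_file(argv[i]);
        printf("%s: %s\n", argv[i], r < 0 ? "not a little-endian ELF / unreadable" : verdict[r]);
    }
    return 0;
}
```

Run it against the two builds of buggy from above (`./nxcheck ./buggy`) and it reports RW for the default build and RWE for the `-z execstack` build, the same verdict as `readelf -l buggy | grep STACK`. The "no PT_GNU_STACK" case is the one a quick grep silently misses: grep prints nothing, while this checker flags it. Only the header table is parsed, so the tool is safe to point at untrusted files; it never maps or executes them.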
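For completeness, here is a hardened version of buggy.c, added for this page and not part of the original article. It removes the two defects the original has, the unbounded sprintf into a 5-byte buffer and argv[1] passed as the printf format string, by using snprintf with a fixed "%s" format and reporting truncation instead of overflowing. The names copy_arg and arg_truncated are chosen here. Building the original with gcc's -Wformat-security flag warns about the printf(buffer) call, and the default toolchain already emits the RW GNU_STACK seen above; linking with -z noexecstack forces it explicitly.

```c
#include <stdio.h>
#include <string.h>

#define BUFSZ 5   /* same buffer size as buggy.c, so the 20-byte input above no longer fits */

/* Copy user input into a fixed-size buffer without writing past it.
 * snprintf always NUL-terminates when outsz > 0 and returns the length the
 * untruncated string would have had, which is how truncation is detected.
 * Returns 0 when the whole string fit, 1 when it was truncated, -1 on bad arguments. */
int copy_arg(char *out, size_t outsz, const char *in)
{
    if (out == NULL || outsz == 0 || in == NULL) return -1;
    int needed = snprintf(out, outsz, "%s", in);   /* "%s": the input is data, never a format */
    if (needed < 0) return -1;
    return (size_t)needed >= outsz ? 1 : 0;
}

/* Run copy_arg against a BUFSZ-byte stack buffer and report the outcome;
 * this is the function the checks below exercise. */
int arg_truncated(const char *in)
{
    char buffer[BUFSZ];
    return copy_arg(buffer, sizeof buffer, in);
}

int main(int argc, char **argv)
{
    char buffer[BUFSZ];
    if (argc > 1) {
        if (copy_arg(buffer, sizeof buffer, argv[1]) == 1)
            fprintf(stderr, "warning: argument truncated to %zu bytes\n", sizeof buffer - 1);
        printf("%s", buffer);   /* printf(buffer) would let the argument drive the format string */
    }
    printf("\n");
    return 0;
}
```

With this build the 20- and 21-byte runs from the gdb session above print "AAAA" plus a truncation warning and exit normally; the return address on the stack is never reached, so the non-executable stack is a second line of defence rather than the only one.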