Illustration of a buffer overflow for students (linux, C)

My friend teaches first-year CS students. We want to show them a buffer overflow, but modern distributions are protected against buffer overflows:

HOME=`perl -e "print 'A'x269"`  one_widely_used_utility_is_here --help

on debian (blame him)

Caught signal 11,

on modern commercial redhat

*** buffer overflow detected ***: /usr/bin/one_widely_used_utility_is_here terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0xc321c1]
/lib/libc.so.6(__strcpy_chk+0x43)[0xc315e3]
/usr/bin/one_widely_used_utility_is_here[0x805xxxc]
/usr/bin/one_widely_used_utility_is_here[0x804xxxc]
/lib/libc.so.6(__libc_start_main+0xdc)[0xb61e9c]
/usr/bin/one_widely_used_utility_is_here[0x804xxx1]
======= Memory map: ========
00336000-00341000 r-xp 00000000 08:02 2751047    /lib/libgcc_s-4.1.2-20080825.so.1
00341000-00342000 rwxp 0000a000 08:02 2751047    /lib/libgcc_s-4.1.2-20080825.so.1
008f3000-008f4000 r-xp 008f3000 00:00 0          [vdso]

The same detector fails for more synthetic examples from the Internet.

How can we demonstrate a buffer overflow on modern distributions without GPL (no Debian in classes)?

How can we

  • Turn off canary word verification on the stack?
  • Disable strcpy / strcat option checking?
  • write an example (in plain C) with a working buffer overflow?
+3
3 answers

For glibc, the checking version of strcpy is substituted through a macro. Instead of

strcpy(dst, src);

write

(strcpy)(dst, src);

The parentheses prevent the macro expansion, so the plain library function is called.

For gcc, use

-fno-stack-protector
-fnomudflap
-U_FORTIFY_SOURCE or -D_FORTIFY_SOURCE=0

For the non-executable stack, use

execstack -s ./programme 

or the gcc linker flag

-Wl,-z execstack  
+4

, GCC, . GCC , .

, Linux.

+2
#include <stdio.h>
#include <string.h>   /* needed for strcpy() */

int main()
{ int x = 0; char buffer[8];
  strcpy(buffer, "test hello world;-)"); /* 20 bytes into an 8-byte buffer: deliberate overflow */
  return 0; }

After strcpy(), x contains some ASCII from this string, but if the string is too long it overwrites the saved ESP address of the program. To protect against this and to better illustrate buffer overflows, you must declare some big buffer before the declaration of x, so that it protects you from overflowing the ESP address (up to x, because variables are laid out in memory in stack order).

Edit: You can display it from the StackOverflow Logo!

0
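The mechanisms named in the first answer (the length check behind __strcpy_chk that _FORTIFY_SOURCE enables, and the stack canary that -fstack-protector verifies) and the stack-layout point of the third answer (an overflow of buffer reaches the neighbouring variable x first and the saved return address only if the string is long enough), shown together in one added C program. This is an added example, not code from any of the answers: the struct layout standing in for a stack frame, the sentinel constants and the 0..3 "reach" score are assumptions made for the demonstration. Because all writes stay inside one struct, the program is well-defined C and runs the same whether or not the compiler's own protections are on.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed stand-in for a stack frame (assumption: this layout, not a
 * real compiler frame). An 8-byte buffer is followed by the neighbouring
 * variable x, a canary word like the one -fstack-protector inserts, and a
 * stand-in for the saved return address. Keeping everything inside one
 * struct means every write stays within a single object, so the program
 * is well-defined C and does not smash the real stack of this process. */
struct frame {
    char      buffer[8];
    int       x;
    uint32_t  canary;
    uintptr_t saved_ret;
    char      slack[32];      /* rest of the frame, absorbs longer writes */
};

#define CANARY_VALUE 0xDEADBEEFu   /* constructed sentinel values */
#define SAVED_RET    0x1234u

static void frame_init(struct frame *f)
{
    memset(f, 0, sizeof *f);
    f->canary = CANARY_VALUE;
    f->saved_ret = SAVED_RET;
}

/* Unchecked copy: behaves like plain strcpy(), writing strlen(src)+1 bytes
 * from the start of the frame regardless of how big buffer[] is. */
static void unchecked_copy(struct frame *f, const char *src)
{
    memcpy(f, src, strlen(src) + 1);
}

/* Checked copy: the same test that __strcpy_chk() applies when the program
 * is built with -D_FORTIFY_SOURCE; a string that does not fit is refused
 * (glibc calls __chk_fail() and aborts at this point). */
int checked_copy(struct frame *f, const char *src)
{
    size_t need = strlen(src) + 1;
    if (need > sizeof f->buffer)
        return -1;
    memcpy(f->buffer, src, need);
    return 0;
}

/* Canary check: what the -fstack-protector epilogue does before ret. */
static int canary_intact(const struct frame *f)
{
    return f->canary == CANARY_VALUE;
}

/* Copy src into a fresh frame and report how far the write reached:
 *   0 = nothing beyond buffer[], 1 = x clobbered,
 *   2 = canary clobbered too, 3 = saved return address clobbered too. */
int overflow_reach(const char *src, int use_checked)
{
    struct frame f;
    frame_init(&f);
    if (use_checked) {
        if (checked_copy(&f, src) != 0)
            return 0;                  /* refused: frame untouched */
    } else {
        unchecked_copy(&f, src);
    }
    if (f.saved_ret != SAVED_RET)
        return 3;
    if (!canary_intact(&f))
        return 2;
    return f.x != 0 ? 1 : 0;
}

int main(void)
{
    /* Constructed inputs of 4, 10, 12 and 19 characters; the last one is
     * the string from the answer above. */
    const char *inputs[] = { "test", "test hello", "hello, world",
                             "test hello world;-)" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-20s unchecked reach=%d  checked reach=%d\n", inputs[i],
               overflow_reach(inputs[i], 0), overflow_reach(inputs[i], 1));
    return 0;
}
```

Compile it with any flags; the unchecked column climbs from 0 to 3 as the input grows (4 characters fit, 10 reach x, 12 reach the canary, the answer's 19-character string reaches the saved return address), while the checked column stays at 0 for everything longer than 7 characters because the copy is refused before any byte is written. That is the difference between the "Caught signal 11" on the Debian box and the "*** buffer overflow detected ***" on the Red Hat box in the question: the first build had no check and the copy ran to completion, the second build stopped at the length test.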

Source: https://habr.com/ru/post/1741352/

