Re: Unexecutable Stack / Buffer Overflow Exploits...

Ludovic Aubry (Ludovic.Aubry@math.jussieu.fr)
Tue, 04 Jan 2000 15:43:41 +0100

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Dag Brattli: "Re: multiple oopses with IRDA"
Previous message: Tigran Aivazian: "Re: [Patch]: write_kmem above high_memory"

"Theodore Y. Ts'o" wrote :

> then do damage. For example supose your real-life application has a
> single call to strcpy() anywhere in the text segement. Then all you
> have to do is to overrun the stack in the following way:
>
> B---> ptr to static buffer in data segment
> padding (to cover local variables)
> ptr to static buffer in data segment
> ptr to attack code (see below)
> A---> ptr to "call strcpy" instruction in text segment
> padding (to cover local variables)
> copy of attack code
>
> After the stack is overrun, the last thing the function does is adjust
> the stack pointer to the end of its stack frame "A" and then it
> returns. However, the stack at "A" contains not a pointer into
> executable code on the stack (since we're assuming the stack might be
> non-executable) but rather, to a "call strcpy" instruction in the text
> segment. This causing a call to the libc function, which will then copy
> the attack code into the data buffer, and then return to the middle of
> whatever function the strcpy() call was contained in. When that
> function returns (you ideally pick a function where the call to strcpy
> is one of the last things that function does), that stack frame gets
> destroyed, and now the return address at statck stack location "B"
> transfers control to the data segment where the attack code has been
> copied, and viola! It's off to the races.
>
> (I just recently came up with the generalized memcpy/strcpy exploit, and
> I'm pretty proud of it. It should work on most real-world binaries with
> a stack-smashing vulnerability, even on a machine with the non-exec
> stack hack patch installed.)

IIRC, (at least) the PowerPC architecture can have both non executable
pages (or segments?)
and read-only executables pages.
So if all executable pages are non-executable how would such exploit be possible?
May be such a thing would break too many user space programs ?

Ludovic Aubry.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

Next message: Dag Brattli: "Re: multiple oopses with IRDA"
Previous message: Tigran Aivazian: "Re: [Patch]: write_kmem above high_memory"