PaX 和缓冲区溢出
内核中有 PaX 的 Linux 中是否有可能溢出缓冲区。我想通过使用正确的输入更改返回地址来利用可执行文件。我使用的是 Ubuntu 10.04,我使用 paxtest 对此进行了测试,但我不知道结果意味着什么。这是我的系统上 paxtest 的结果:
Executable anonymous mapping : Killed Executable bss : Killed Executable data : Killed Executable heap : Killed Executable stack : Killed Executable anonymous mapping (mprotect) : Vulnerable Executable bss (mprotect) : Vulnerable Executable data (mprotect) : Vulnerable Executable heap (mprotect) : Vulnerable Executable shared library bss (mprotect) : Vulnerable Executable shared library data (mprotect): Vulnerable Executable stack (mprotect) : Vulnerable Anonymous mapping randomisation test : 12 bits (guessed) Heap randomisation test (ET_EXEC) : 13 bits (guessed) Heap randomisation test (ET_DYN) : 14 bits (guessed) Main executable randomisation (ET_EXEC) : 12 bits (guessed) Main executable randomisation (ET_DYN) : 12 bits (guessed) Shared library randomisation test : 12 bits (guessed) Stack randomisation test (SEGMEXEC) : 19 bits (guessed) Stack randomisation test (PAGEEXEC) : 19 bits (guessed) Return to function (strcpy) : Vulnerable Return to function (strcpy, RANDEXEC) : Vulnerable Return to function (memcpy) : Vulnerable Return to function (memcpy, RANDEXEC) : Vulnerable Executable shared library bss : Vulnerable Executable shared library data : Killed Writable text segments : Vulnerable
Is it possilbe to overflow buffer in linux that have PaX in kernel. I want to exploit into a executable by changing the return address using proper input.I'm using Ubuntu 10.04 and I test this with paxtest but I don't what the result means. This is the result of paxtest on my system:
Executable anonymous mapping : Killed Executable bss : Killed Executable data : Killed Executable heap : Killed Executable stack : Killed Executable anonymous mapping (mprotect) : Vulnerable Executable bss (mprotect) : Vulnerable Executable data (mprotect) : Vulnerable Executable heap (mprotect) : Vulnerable Executable shared library bss (mprotect) : Vulnerable Executable shared library data (mprotect): Vulnerable Executable stack (mprotect) : Vulnerable Anonymous mapping randomisation test : 12 bits (guessed) Heap randomisation test (ET_EXEC) : 13 bits (guessed) Heap randomisation test (ET_DYN) : 14 bits (guessed) Main executable randomisation (ET_EXEC) : 12 bits (guessed) Main executable randomisation (ET_DYN) : 12 bits (guessed) Shared library randomisation test : 12 bits (guessed) Stack randomisation test (SEGMEXEC) : 19 bits (guessed) Stack randomisation test (PAGEEXEC) : 19 bits (guessed) Return to function (strcpy) : Vulnerable Return to function (strcpy, RANDEXEC) : Vulnerable Return to function (memcpy) : Vulnerable Return to function (memcpy, RANDEXEC) : Vulnerable Executable shared library bss : Vulnerable Executable shared library data : Killed Writable text segments : Vulnerable
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
是的,你可以。请参阅以下内容:
唉,我的学校项目就是使用 grsecurity 来防止此类漏洞。 PaX 并没有阻止我覆盖退货地址。
Yes, you can. See the lines:
Alas, MY school project was to prevent just such an exploit using grsecurity. PaX did not prevent my overwriting the return address.