Execshield and vsspacerandom

Source: Internet
Author: User
Bypass Exec-shield Under Redhat:

[0x120 - analysis in the execshield environment]
First, let's look at the execshield switch.
[axis@axis explab]$ cat /proc/sys/kernel/exec-shield
1
[axis@axis explab]$ cat /proc/sys/kernel/randomize_va_space
1
[axis@axis explab]$

VA space randomisation is a feature of the 2.6.x kernel. It randomises virtual addresses and greatly increases the difficulty of exploiting an overflow. This feature is not the subject of this article, but because it is enabled by default in newer kernels, we will not switch it off; that raises the difficulty of our challenge.

It seems that exec-shield and VA space randomisation are not the same thing.

I haven't figured it out yet. Let's take a look at Debian, AS4, and AS5.

root@debian ~# uname -a
Linux debian 2.6.8-3-686-smp #1 SMP Tue Dec 5 23:17:50 UTC 2006 i686 GNU/Linux
root@debian ~# ldd /bin/ls
librt.so.1 => /lib/tls/librt.so.1 (0x4001e000)
libacl.so.1 => /lib/libacl.so.1 (0x40024000)
libc.so.6 => /lib/tls/libc.so.6 (0x4002c000)
libpthread.so.0 => /lib/tls/libpthread.so.0 (0x40161000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
libattr.so.1 => /lib/libattr.so.1 (0x40170000)
root@debian ~# ldd /bin/ls
librt.so.1 => /lib/tls/librt.so.1 (0x4001e000)
libacl.so.1 => /lib/libacl.so.1 (0x40024000)
libc.so.6 => /lib/tls/libc.so.6 (0x4002c000)
libpthread.so.0 => /lib/tls/libpthread.so.0 (0x40161000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
libattr.so.1 => /lib/libattr.so.1 (0x40170000)
root@debian ~# !sys
sysctl -a | grep rand
kernel.random.uuid = 6f304dac-e088-4901-8089-ced6629c0a44
kernel.random.boot_id = 6a54ae47-ff17-4169-9ce8-6cdd3c400773
kernel.random.write_wakeup_threshold = 128
kernel.random.read_wakeup_threshold = 64
kernel.random.entropy_avail = 3584
kernel.random.poolsize = 512

Debian (2.6.8) has no such randomisation setting, and the library base addresses are identical across the two runs.

Let's take a look at as4.

[root@sky2317 ~]# uname -a
Linux sky2317 2.6.9-55.ELsmp #1 SMP Fri Apr 20 17:03:35 EDT 2007 i686 i686 i386 GNU/Linux

[root@sky2317 ~]# sysctl -a | grep -e space -e exec
kernel.exec-shield-randomize = 1
kernel.exec-shield = 1

[root@sky2317 ~]# ldd /bin/ls
librt.so.1 => /lib/tls/librt.so.1 (0x00aeb000)
libacl.so.1 => /lib/libacl.so.1 (0x00ce8000)
libselinux.so.1 => /lib/libselinux.so.1 (0x00a9d000)
libc.so.6 => /lib/tls/libc.so.6 (0x00828000)
libpthread.so.0 => /lib/tls/libpthread.so.0 (0x00993000)
/lib/ld-linux.so.2 (0x0080e000)
libattr.so.1 => /lib/libattr.so.1 (0x00c12000)
[root@sky2317 ~]# ldd /bin/ls
librt.so.1 => /lib/tls/librt.so.1 (0x00aeb000)
libacl.so.1 => /lib/libacl.so.1 (0x008cf000)
libselinux.so.1 => /lib/libselinux.so.1 (0x00a9d000)
libc.so.6 => /lib/tls/libc.so.6 (0x00111000)
libpthread.so.0 => /lib/tls/libpthread.so.0 (0x00993000)
/lib/ld-linux.so.2 (0x0080e000)
libattr.so.1 => /lib/libattr.so.1 (0x00843000)

We can see that in AS4 (2.6.9 kernel) some base addresses change between the two runs (libacl, libc, libattr) and some do not, and linux-gate does not appear at all.

Let's look at AS5.

[root@sky2325 ~]# uname -a
Linux sky2325 2.6.18-53.el5PAE #1 SMP Wed Oct 10 16:48:18 EDT 2007 i686 i686 i386 GNU/Linux

[root@sky2325 ~]# sysctl -a | grep -e space -e exec
kernel.randomize_va_space = 1
kernel.exec-shield = 1

Note the different sysctl name here. Now let's look at the addresses.

[root@sky2325 ~]# ldd /bin/ls
linux-gate.so.1 => (0x00208000)
librt.so.1 => /lib/librt.so.1 (0x00331000)
libacl.so.1 => /lib/libacl.so.1 (0x00285000)
libselinux.so.1 => /lib/libselinux.so.1 (0x002bb000)
libc.so.6 => /lib/libc.so.6 (0x0033a000)
libpthread.so.0 => /lib/libpthread.so.0 (0x002a2000)
/lib/ld-linux.so.2 (0x00114000)
libattr.so.1 => /lib/libattr.so.1 (0x0027e000)
libdl.so.2 => /lib/libdl.so.2 (0x00273000)
libsepol.so.1 => /lib/libsepol.so.1 (0x002d4000)
[root@sky2325 ~]# ldd /bin/ls
linux-gate.so.1 => (0x008df000)
librt.so.1 => /lib/librt.so.1 (0x00331000)
libacl.so.1 => /lib/libacl.so.1 (0x00285000)
libselinux.so.1 => /lib/libselinux.so.1 (0x002bb000)
libc.so.6 => /lib/libc.so.6 (0x00131000)
libpthread.so.0 => /lib/libpthread.so.0 (0x002a2000)
/lib/ld-linux.so.2 (0x00114000)
libattr.so.1 => /lib/libattr.so.1 (0x0027e000)
libdl.so.2 => /lib/libdl.so.2 (0x00273000)

Here linux-gate and libc change between runs, while the other libraries keep the same base address.
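The comparison done by eye in the AS4 and AS5 listings above can be automated. The script below is an added example, not code from the original post: it reports which randomisation sysctls the running kernel exposes and, given two ldd listings, prints the objects whose base address moved. Function names and the sample listing (trimmed from the AS4 output) are constructed here.

```shell
# Added example, not code from the original post: report the kernel's
# randomisation knobs and, from two ldd listings, which shared objects
# moved between runs (the comparison the post does by eye above).
# Function names and the sample listing are constructed here.

# Print each randomisation sysctl this kernel exposes ("n/a" when absent).
aslr_status() {
    for f in /proc/sys/kernel/randomize_va_space \
             /proc/sys/kernel/exec-shield \
             /proc/sys/kernel/exec-shield-randomize; do
        if [ -r "$f" ]; then printf '%s=%s\n' "$f" "$(cat "$f")"
        else printf '%s=n/a\n' "$f"; fi
    done
}

# stdin: two ldd listings separated by a line "---".
# stdout: names of objects whose "(0x...)" base differs between the listings
# (an object missing from the first listing is reported as well).
changed_bases() {
    awk '
        /^---$/ { second = 1; next }
        { sub(/^[ \t]+/, "") }              # strip ldd indentation
        match($0, /\(0x[0-9a-f]+\)$/) {     # line ends in "(0xADDR)"
            addr = substr($0, RSTART + 1, RLENGTH - 2)
            if (!second) first[$1] = addr
            else if (first[$1] != addr) print $1
        }'
}

# Run ldd twice on one binary and diff the bases; skips when ldd is absent.
live_check() {
    command -v ldd >/dev/null 2>&1 || { echo "ldd not available"; return 0; }
    { ldd "$1"; echo ---; ldd "$1"; } 2>/dev/null | changed_bases
}

# Constructed sample, trimmed from the AS4 (2.6.9) listings quoted above.
SAMPLE='librt.so.1 => /lib/tls/librt.so.1 (0x00aeb000)
libacl.so.1 => /lib/libacl.so.1 (0x00ce8000)
libc.so.6 => /lib/tls/libc.so.6 (0x00828000)
/lib/ld-linux.so.2 (0x0080e000)
---
librt.so.1 => /lib/tls/librt.so.1 (0x00aeb000)
libacl.so.1 => /lib/libacl.so.1 (0x008cf000)
libc.so.6 => /lib/tls/libc.so.6 (0x00111000)
/lib/ld-linux.so.2 (0x0080e000)'

aslr_status
printf '%s\n' "$SAMPLE" | changed_bases     # prints libacl.so.1 and libc.so.6
live_check /bin/ls
```

An empty result from live_check on a dynamically linked binary means no mapping moved between the two runs, which is the Debian 2.6.8 situation shown above.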

There are some inconsistencies between san's and iris's systems.

San said that linux-gate is an entry and will not change. Iris uses suse.

Exec-shield is built into the Red Hat kernel and is enabled by default.

In a self-built kernel, exec-shield does not exist, but VA space randomisation is enabled by default. I have verified this on the CBD machine.

Exec-shield should make the stack non-executable; combined with the Linux kernel's own randomised base addresses, Red Hat is actually quite safe, and exploits are harder to use.

However, a South Korean wrote a piece of code that bypasses exec-shield and is looking for someone to study it.