Home > Cloud Computing > Cloud Applications

Execshield and vsspacerandom

Source: Internet
Author: User
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >
Execshield and vsspacerandom-Linux general technology-Linux programming and kernel information. The following is a detailed description. Bypass Exec-shield Under Redhat:

0x120-analysis in the execshield environment]
First, let's look at the execshield switch.
[Axis @ axis explab] $ cat/proc/sys/kernel/exec-shield
1
[Axis @ axis explab] $ cat/proc/sys/kernel/randomize_va_space
1
[Axis @ axis explab] $

VA space randomize is a feature of 2.6.x kernel. It randomly changes virtual addresses and greatly increases the overflow difficulty. However, this feature is not covered in this article. However, because it is enabled by default in the kernel of the higher version, we will not close it to increase the difficulty of our challenge.

It seems that exec-shield and vs space random are not the same thing.

I haven't figured it out yet. Let's take a look at debian, as4, and as5

Root @ debian ~ # Uname-
Linux debian 2.6.8-3-686-smp #1 SMP Tue Dec 5 23:17:50 UTC 2006 i686 GNU/Linux
Root @ debian ~ # Ldd/bin/ls
Librt. so.1 =>/lib/tls/librt. so.1 (0x4001e000)
Libacl. so.1 =>/lib/libacl. so.1 (0x40024000)
Libc. so.6 =>/lib/tls/libc. so.6 (0x4002c000)
Libpthread. so.0 =>/lib/tls/libpthread. so.0 (0x40161000)
/Lib/ld-linux.so.2 =>/lib/ld-linux.so.2 (0x40000000)
Libattr. so.1 =>/lib/libattr. so.1 (0x40170000)
Root @ debian ~ # Ldd/bin/ls
Librt. so.1 =>/lib/tls/librt. so.1 (0x4001e000)
Libacl. so.1 =>/lib/libacl. so.1 (0x40024000)
Libc. so.6 =>/lib/tls/libc. so.6 (0x4002c000)
Libpthread. so.0 =>/lib/tls/libpthread. so.0 (0x40161000)
/Lib/ld-linux.so.2 =>/lib/ld-linux.so.2 (0x40000000)
Libattr. so.1 =>/lib/libattr. so.1 (0x40170000)
Root @ debian ~ #! Sys
Sysctl-a | grep rand
Kernel. random. uuid = 6f304dac-e088-4901-8089-ced6629c0a44
Kernel. random. boot_id = 6a54ae47-ff17-4169-9ce8-6cdd3c400773
Kernel. random. write_wakeup_threshold = 128
Kernel. random. read_wakeup_threshold = 64
Kernel. random. entropy_avail = 3584
Kernel. random. poolsize = 512

Debian does not have such random.

Let's take a look at as4.

[Root @ sky2317 ~] # Uname-
Linux sky2317 2.6.9-55. ELsmp #1 SMP Fri Apr 20 17:03:35 EDT 2007 i686 i686 i386 GNU/Linux

[Root @ sky2317 ~] # Sysctl-a | grep-e space-e exec
Kernel.exe c-shield-randomize = 1
Kernel.exe c-shield = 1

[Root @ sky2317 ~] # Ldd/bin/ls
Librt. so.1 =>/lib/tls/librt. so.1 (0x00aeb000)
Libacl. so.1 =>/lib/libacl. so.1 (0x00ce8000)
Libselinux. so.1 =>/lib/libselinux. so.1 (0x00a9d000)
Libc. so.6 =>/lib/tls/libc. so.6 (0x00828000)
Libpthread. so.0 =>/lib/tls/libpthread. so.0 (0x00993000)
/Lib/ld-linux.so.2 (0x0080e000)
Libattr. so.1 =>/lib/libattr. so.1 (0x00c12000)
[Root @ sky2317 ~] # Ldd/bin/ls
Librt. so.1 =>/lib/tls/librt. so.1 (0x00aeb000)
Libacl. so.1 =>/lib/libacl. so.1 (0x008cf000)
Libselinux. so.1 =>/lib/libselinux. so.1 (0x00a9d000)
Libc. so.6 =>/lib/tls/libc. so.6 (0x00111000)
Libpthread. so.0 =>/lib/tls/libpthread. so.0 (0x00993000)
/Lib/ld-linux.so.2 (0x0080e000)
Libattr. so.1 =>/lib/libattr. so.1 (0x00843000)

We can see that in as4, 2.6.9 kernel, some addresses are changed, some are not, but none of them are linux-gate.

Let's look at as5's

[Root @ sky2325 ~] # Uname-
Linux sky2325 2.6.18-53. el5PAE #1 SMP Wed Oct 10 16:48:18 EDT 2007 i686 i686 i386 GNU/Linux

[Root @ sky2325 ~] # Sysctl-a | grep-e space-e exec
Kernel. randomize_va_space = 1
Kernel.exe c-shield = 1

Note: Let's take a look.

[Root @ sky2325 ~] # Ldd/bin/ls
Linux-gate.so.1 => (0x00208000)
Librt. so.1 =>/lib/librt. so.1 (0x00331000)
Libacl. so.1 =>/lib/libacl. so.1 (0x00285000)
Libselinux. so.1 =>/lib/libselinux. so.1 (0x002bb000)
Libc. so.6 =>/lib/libc. so.6 (0x0033a000)
Libpthread. so.0 =>/lib/libpthread. so.0 (0x002a2000)
/Lib/ld-linux.so.2 (0x00114000)
Libattr. so.1 =>/lib/libattr. so.1 (0x0027e000)
Libdl. so.2 =>/lib/libdl. so.2 (0x00273000)
Libsepol. so.1 =>/lib/libsepol. so.1 (0x002d4000)
[Root @ sky2325 ~] # Ldd/bin/ls
Linux-gate.so.1 => (0x008df000)
Librt. so.1 =>/lib/librt. so.1 (0x00331000)
Libacl. so.1 =>/lib/libacl. so.1 (0x00285000)
Libselinux. so.1 =>/lib/libselinux. so.1 (0x002bb000)
Libc. so.6 =>/lib/libc. so.6 (0x00131000)
Libpthread. so.0 =>/lib/libpthread. so.0 (0x002a2000)
/Lib/ld-linux.so.2 (0x00114000)
Libattr. so.1 =>/lib/libattr. so.1 (0x0027e000)
Libdl. so.2 =>/lib/libdl. so.2 (0x00273000)

Linux gate and others are changed.

There are some inconsistencies between san and iris systems.

San said that linux-gate is an entry and will not change. Iris uses suse.

Exec-sheild is enabled in the rh kernel. It is enabled by default.

In your own kernel, exec-sheild does not exist, but vs space is enabled by default. I have verified this in the CBD machine.

Exec-sheild should be unexecutable, and then add the Linux kernel's own random base address, red hat is actually quite safe, exp is more difficult to use.

However, a South Korean wrote a code that bypasses exec sheild and is looking for someone to study it.

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
and html et and http and logical and post and and records and repair
Related Article
Ingenious, Webapi httpbasicauthorize the practice of building...
Agent simplifies integration between cloud applications and e...
Enable cross-Cloud applications-DNS-based load balancing

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More