Re: Sabotaged PaXtest (was: Re: Patch 4/6 randomize the stack pointer)

From: Ingo Molnar
Date: Thu Feb 03 2005 - 04:48:27 EST

Next message: Sakellarios Gerakios: "Oops: 0000"
Previous message: Hirokazu Takahashi: "Re: [Fastboot] [PATCH] Reserving backup region for kexec basedcrashdumps."
In reply to: pageexec: "Re: Sabotaged PaXtest (was: Re: Patch 4/6 randomize the stack pointer)"
Next in thread: pageexec: "Re: Sabotaged PaXtest (was: Re: Patch 4/6 randomize the stack pointer)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* pageexec@xxxxxxxxxxx <pageexec@xxxxxxxxxxx> wrote:

> > You can simulate the overflow itself so no need to find any real
> > application vulnerability, but show me _working code_ (or a convincing
> > description) that can call glibc's do_make_stack_executable() (or the
> > 'many ways of doing this'), _and_ will end up executing your shell code
> > as well.

> the overflow hits field1 and whatever is deemed necessary from
> that point on. i'll do this:
>
> [...]
> [field1 and other locals replaced with shellcode]
> [saved EBP replaced with anything in this case]
> [saved EIP replaced with address of dl_make_stack_executable()]
> [user_input left in place, i.e., overflow ends before this]
> [...]
>
> dl_make_stack_executable() will nicely return into user_input
> (at which time the stack has already become executable).

wrong, _dl_make_stack_executable() will not return into user_input() in
your scenario, and your exploit will be aborted. Check the glibc sources
and the implementation of _dl_make_stack_executable() in particular.

I've also attached the disassembly of _dl_make_stack_executable(), from
glibc-2.3.4-3.i686.rpm.

The sources are at:

http://download.fedora.redhat.com/pub/fedora/linux/core/development/SRPMS/glibc-2.3.4-3.src.rpm

Ingo

0000ec50 <_dl_make_stack_executable>:
ec50: 55 push %ebp
ec51: ba 0c 00 00 00 mov $0xc,%edx
ec56: 89 e5 mov %esp,%ebp
ec58: 57 push %edi
ec59: 56 push %esi
ec5a: 53 push %ebx
ec5b: 83 ec 10 sub $0x10,%esp
ec5e: 8b 08 mov (%eax),%ecx
ec60: e8 a6 34 00 00 call 1210b <__i686.get_pc_thunk.bx>
ec65: 81 c3 6f 73 00 00 add $0x736f,%ebx
ec6b: 89 45 f0 mov %eax,0xfffffff0(%ebp)
ec6e: 8b bb d0 fc ff ff mov 0xfffffcd0(%ebx),%edi
ec74: 89 54 24 04 mov %edx,0x4(%esp)
ec78: 8b 45 04 mov 0x4(%ebp),%eax
ec7b: f7 df neg %edi
ec7d: 21 cf and %ecx,%edi
ec7f: 89 04 24 mov %eax,(%esp)
ec82: ff 93 94 fe ff ff call *0xfffffe94(%ebx)
ec88: 85 c0 test %eax,%eax
ec8a: 0f 85 da 00 00 00 jne ed6a <_dl_make_stack_executable+0x11a>
ec90: 8b 45 f0 mov 0xfffffff0(%ebp),%eax
ec93: 8b b3 34 ff ff ff mov 0xffffff34(%ebx),%esi
ec99: 39 30 cmp %esi,(%eax)
ec9b: 0f 85 c9 00 00 00 jne ed6a <_dl_make_stack_executable+0x11a>
eca1: 80 bb d4 04 00 00 00 cmpb $0x0,0x4d4(%ebx)
eca8: 0f 84 82 00 00 00 je ed30 <_dl_make_stack_executable+0xe0>
ecae: 8b 83 d0 fc ff ff mov 0xfffffcd0(%ebx),%eax
ecb4: 8d 34 c5 00 00 00 00 lea 0x0(,%eax,8),%esi
ecbb: 8d 3c 38 lea (%eax,%edi,1),%edi
ecbe: 89 f6 mov %esi,%esi
ecc0: 29 f7 sub %esi,%edi
ecc2: 8b 93 14 ff ff ff mov 0xffffff14(%ebx),%edx
ecc8: 81 e2 ff ff ff fe and $0xfeffffff,%edx
ecce: 89 54 24 08 mov %edx,0x8(%esp)
ecd2: 89 74 24 04 mov %esi,0x4(%esp)
ecd6: 89 3c 24 mov %edi,(%esp)
ecd9: e8 22 2a 00 00 call 11700 <__mprotect>
ecde: 85 c0 test %eax,%eax
ece0: 74 de je ecc0 <_dl_make_stack_executable+0x70>
ece2: 8b 83 08 05 00 00 mov 0x508(%ebx),%eax
ece8: 83 f8 0c cmp $0xc,%eax
eceb: 75 3b jne ed28 <_dl_make_stack_executable+0xd8>
eced: 39 b3 d0 fc ff ff cmp %esi,0xfffffcd0(%ebx)
ecf3: 74 5b je ed50 <_dl_make_stack_executable+0x100>
ecf5: 89 f1 mov %esi,%ecx
ecf7: d1 e9 shr %ecx
ecf9: 89 ce mov %ecx,%esi
ecfb: 01 cf add %ecx,%edi
ecfd: 8b 93 14 ff ff ff mov 0xffffff14(%ebx),%edx
ed03: 81 e2 ff ff ff fe and $0xfeffffff,%edx
ed09: 89 54 24 08 mov %edx,0x8(%esp)
ed0d: 89 74 24 04 mov %esi,0x4(%esp)
ed11: 89 3c 24 mov %edi,(%esp)
ed14: e8 e7 29 00 00 call 11700 <__mprotect>
ed19: 85 c0 test %eax,%eax
ed1b: 74 a3 je ecc0 <_dl_make_stack_executable+0x70>
ed1d: 8b 83 08 05 00 00 mov 0x508(%ebx),%eax
ed23: 83 f8 0c cmp $0xc,%eax
ed26: 74 c5 je eced <_dl_make_stack_executable+0x9d>
ed28: 83 c4 10 add $0x10,%esp
ed2b: 5b pop %ebx
ed2c: 5e pop %esi
ed2d: 5f pop %edi
ed2e: 5d pop %ebp
ed2f: c3 ret
ed30: 8b 8b 14 ff ff ff mov 0xffffff14(%ebx),%ecx
ed36: 89 4c 24 08 mov %ecx,0x8(%esp)
ed3a: 8b 93 d0 fc ff ff mov 0xfffffcd0(%ebx),%edx
ed40: 89 3c 24 mov %edi,(%esp)
ed43: 89 54 24 04 mov %edx,0x4(%esp)
ed47: e8 b4 29 00 00 call 11700 <__mprotect>
ed4c: 85 c0 test %eax,%eax
ed4e: 75 27 jne ed77 <_dl_make_stack_executable+0x127>
ed50: 83 8b 34 04 00 00 01 orl $0x1,0x434(%ebx)
ed57: 31 c0 xor %eax,%eax
ed59: 8b 7d f0 mov 0xfffffff0(%ebp),%edi
ed5c: c7 07 00 00 00 00 movl $0x0,(%edi)
ed62: 83 c4 10 add $0x10,%esp
ed65: 5b pop %ebx
ed66: 5e pop %esi
ed67: 5f pop %edi
ed68: 5d pop %ebp
ed69: c3 ret
ed6a: 83 c4 10 add $0x10,%esp
ed6d: b8 01 00 00 00 mov $0x1,%eax
ed72: 5b pop %ebx
ed73: 5e pop %esi
ed74: 5f pop %edi
ed75: 5d pop %ebp
ed76: c3 ret
ed77: 8b 83 08 05 00 00 mov 0x508(%ebx),%eax
ed7d: 83 f8 16 cmp $0x16,%eax
ed80: 75 a6 jne ed28 <_dl_make_stack_executable+0xd8>
ed82: c6 83 d4 04 00 00 01 movb $0x1,0x4d4(%ebx)
ed89: e9 20 ff ff ff jmp ecae <_dl_make_stack_executable+0x5e>
ed8e: 90 nop
ed8f: 90 nop

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Sakellarios Gerakios: "Oops: 0000"
Previous message: Hirokazu Takahashi: "Re: [Fastboot] [PATCH] Reserving backup region for kexec basedcrashdumps."
In reply to: pageexec: "Re: Sabotaged PaXtest (was: Re: Patch 4/6 randomize the stack pointer)"
Next in thread: pageexec: "Re: Sabotaged PaXtest (was: Re: Patch 4/6 randomize the stack pointer)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]