* [Test] exec-shield-2.6.0-test5-G2 vs. paxtest & libsafe
@ 2003-09-27 16:05 Gabor MICSKO
2003-09-27 18:02 ` Ingo Molnar
0 siblings, 1 reply; 7+ messages in thread
From: Gabor MICSKO @ 2003-09-27 16:05 UTC (permalink / raw)
To: linux-kernel; +Cc: mingo
Kernel:
Linux sunshine 2.6.0-test5-exec-shield-nptl #3 SMP 2003. sze. 27.,
szombat, 13.37.42 CEST i686 GNU/Linux
Test programs:
http://www.research.avayalabs.com/project/libsafe/src/libsafe-2.0-16.tgz
http://pageexec.virtualave.net/paxtest-0.9.1.tar.gz
===========================================
sunshine:/home/trey/exec/libsafe-2.0-16/exploits# echo "2" >
/proc/sys/kernel/exec-shield
sunshine:/home/trey/exec/libsafe-2.0-16/exploits# cat
/proc/sys/kernel/exec-shield
2
===========================================
libsafe-2.0-16 (exec-shield full protection):
---------------------------------------------------------------------
trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./canary-exploit
This program tries to use printf("%n") to overwrite the
return address on the stack.
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
sh-2.05b$ exit
exit
trey@sunshine:~/exec/libsafe-2.0-16/exploits$
---------------------------------------------------------------------
---------------------------------------------------------------------
trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./exploit-non-exec-stack
This program demonstrates how a (stack) buffer overflow
can attack linux kernels with *non-executable* stacks.
This is variation on return-int-libc attack.
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
sh-2.05b$ exit
exit
trey@sunshine:~/exec/libsafe-2.0-16/exploits$
---------------------------------------------------------------------
---------------------------------------------------------------------
trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t1
This program tries to use strcpy() to overflow the buffer.
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
Szegmens hiba
trey@sunshine:~/exec/libsafe-2.0-16/exploits$
---------------------------------------------------------------------
---------------------------------------------------------------------
trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t1w
This program tries to use strcpy() to overflow the buffer.
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
Szegmens hiba
trey@sunshine:~/exec/libsafe-2.0-16/exploits$
---------------------------------------------------------------------
---------------------------------------------------------------------
trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t3
This program will exec() a new program. The new program will
overflow the buffer using strcpy().
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
Szegmens hiba
trey@sunshine:~/exec/libsafe-2.0-16/exploits$
---------------------------------------------------------------------
---------------------------------------------------------------------
trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t3w
This program will exec() a new program. The new program will
overflow the buffer using strcpy().
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
Szegmens hiba
trey@sunshine:~/exec/libsafe-2.0-16/exploits$
---------------------------------------------------------------------
---------------------------------------------------------------------
trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t4
This program will fork() child process, and the child
will overflow the buffer using strcpy().
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
parent process terminating
trey@sunshine:~/exec/libsafe-2.0-16/exploits$
---------------------------------------------------------------------
---------------------------------------------------------------------
trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t4w
This program will fork() child process, and the child
will overflow the buffer using strcpy().
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
parent process terminating
trey@sunshine:~/exec/libsafe-2.0-16/exploits$
---------------------------------------------------------------------
---------------------------------------------------------------------
trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t5
This program tries to use strcat() to overflow the buffer.
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
Szegmens hiba
trey@sunshine:~/exec/libsafe-2.0-16/exploits$
---------------------------------------------------------------------
---------------------------------------------------------------------
trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t6
This program tries to use scanf() to overflow the buffer.
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
Szegmens hiba
trey@sunshine:~/exec/libsafe-2.0-16/exploits$
---------------------------------------------------------------------
===========================================
sunshine:/home/trey/exec/libsafe-2.0-16/exploits# echo "0" >
/proc/sys/kernel/exec-shield
sunshine:/home/trey/exec/libsafe-2.0-16/exploits# cat
/proc/sys/kernel/exec-shield
0
===========================================
libsafe-2.0-16 (exec-shield off):
---------------------------------------------------------------------
trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./canary-exploit
This program tries to use printf("%n") to overwrite the
return address on the stack.
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
sh-2.05b$ exit
exit
trey@sunshine:~/exec/libsafe-2.0-16/exploits$
---------------------------------------------------------------------
---------------------------------------------------------------------
trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./exploit-non-exec-stack
This program demonstrates how a (stack) buffer overflow
can attack linux kernels with *non-executable* stacks.
This is variation on return-int-libc attack.
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
sh-2.05b$ exit
exit
trey@sunshine:~/exec/libsafe-2.0-16/exploits$
---------------------------------------------------------------------
---------------------------------------------------------------------
trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t1
This program tries to use strcpy() to overflow the buffer.
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
sh-2.05b$ exit
exit
trey@sunshine:~/exec/libsafe-2.0-16/exploits$
---------------------------------------------------------------------
---------------------------------------------------------------------
trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t1w
This program tries to use strcpy() to overflow the buffer.
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
sh-2.05b$ exit
exit
trey@sunshine:~/exec/libsafe-2.0-16/exploits$
---------------------------------------------------------------------
---------------------------------------------------------------------
trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t3
This program will exec() a new program. The new program will
overflow the buffer using strcpy().
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
sh-2.05b$ exit
exit
You have new mail in /var/mail/trey
trey@sunshine:~/exec/libsafe-2.0-16/exploits$
---------------------------------------------------------------------
---------------------------------------------------------------------
trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t3w
This program will exec() a new program. The new program will
overflow the buffer using strcpy().
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
sh-2.05b$ exit
exit
trey@sunshine:~/exec/libsafe-2.0-16/exploits$
---------------------------------------------------------------------
---------------------------------------------------------------------
trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t4
This program will fork() child process, and the child
will overflow the buffer using strcpy().
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
sh-2.05b$ exit
exit
parent process terminating
trey@sunshine:~/exec/libsafe-2.0-16/exploits$
---------------------------------------------------------------------
---------------------------------------------------------------------
trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t5
This program tries to use strcat() to overflow the buffer.
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
sh-2.05b$ exit
exit
trey@sunshine:~/exec/libsafe-2.0-16/exploits$
---------------------------------------------------------------------
---------------------------------------------------------------------
trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t6
This program tries to use scanf() to overflow the buffer.
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
sh-2.05b$ exit
exit
trey@sunshine:~/exec/libsafe-2.0-16/exploits$
---------------------------------------------------------------------
*********************************************************************
===========================================
sunshine:/home/trey/exec/paxtest-0.9.1# echo "2" >
/proc/sys/kernel/exec-shield
sunshine:/home/trey/exec/paxtest-0.9.1# cat /proc/sys/kernel/exec-shield
2
===========================================
paxtest-0.9.1 (exec-shield full protection):
trey@sunshine:~/exec/paxtest-0.9.1$ ./paxtest
It may take a while for the tests to complete
Test results:
Executable anonymous mapping : Killed
Executable bss : Vulnerable
Executable data : Vulnerable
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Vulnerable
Executable data (mprotect) : Vulnerable
Executable heap (mprotect) : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Executable stack (mprotect) : Vulnerable
Anonymous mapping randomisation test : 8 bits (guessed)
Heap randomisation test (ET_EXEC) : 13 bits (guessed)
Heap randomisation test (ET_DYN) : 13 bits (guessed)
Main executable randomisation (ET_EXEC) : No randomisation
Main executable randomisation (ET_DYN) : 12 bits (guessed)
Shared library randomisation test : 12 bits (guessed)
Stack randomisation test (SEGMEXEC) : 17 bits (guessed)
Stack randomisation test (PAGEEXEC) : 17 bits (guessed)
Return to function (strcpy) : Vulnerable
Return to function (memcpy) : Vulnerable
Executable shared library bss : Vulnerable
Executable shared library data : Vulnerable
Writable text segments : Vulnerable
===========================================
sunshine:/home/trey/exec/paxtest-0.9.1# echo "0" >
/proc/sys/kernel/exec-shield
sunshine:/home/trey/exec/paxtest-0.9.1# cat /proc/sys/kernel/exec-shield
0
===========================================
paxtest-0.9.1 (exec-shield off):
trey@sunshine:~/exec/paxtest-0.9.1$ ./paxtest
It may take a while for the tests to complete
Test results:
Executable anonymous mapping : Vulnerable
Executable bss : Vulnerable
Executable data : Vulnerable
Executable heap : Vulnerable
Executable stack : Vulnerable
Executable anonymous mapping (mprotect) : Vulnerable
Executable bss (mprotect) : Vulnerable
Executable data (mprotect) : Vulnerable
Executable heap (mprotect) : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Executable stack (mprotect) : Vulnerable
Anonymous mapping randomisation test : No randomisation
Heap randomisation test (ET_EXEC) : No randomisation
Heap randomisation test (ET_DYN) : No randomisation
Main executable randomisation (ET_EXEC) : No randomisation
Main executable randomisation (ET_DYN) : No randomisation
Shared library randomisation test : No randomisation
Stack randomisation test (SEGMEXEC) : No randomisation
Stack randomisation test (PAGEEXEC) : No randomisation
Return to function (strcpy) : Vulnerable
Return to function (memcpy) : Vulnerable
Executable shared library bss : Vulnerable
Executable shared library data : Vulnerable
Writable text segments : Vulnerable
-----------------------------------------
#EOF
--
Windows not found
(C)heers, (P)arty or (D)ance?
-----------------------------------
Micskó Gábor
Compaq Accredited Platform Specialist, System Engineer (APS, ASE)
Szintézis Computer Rendszerház Rt.
H-9021 Győr, Tihanyi Árpád út 2.
Tel: +36-96-502-216
Fax: +36-96-318-658
E-mail: gmicsko@szintezis.hu
Web: http://www.hup.hu/
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [Test] exec-shield-2.6.0-test5-G2 vs. paxtest & libsafe
2003-09-27 16:05 [Test] exec-shield-2.6.0-test5-G2 vs. paxtest & libsafe Gabor MICSKO
@ 2003-09-27 18:02 ` Ingo Molnar
2003-09-27 18:13 ` Breno
2003-09-27 20:17 ` Gabor MICSKO
0 siblings, 2 replies; 7+ messages in thread
From: Ingo Molnar @ 2003-09-27 18:02 UTC (permalink / raw)
To: Gabor MICSKO; +Cc: linux-kernel
On Sat, 27 Sep 2003, Gabor MICSKO wrote:
> Kernel:
> Linux sunshine 2.6.0-test5-exec-shield-nptl #3 SMP 2003. sze. 27.,
> szombat, 13.37.42 CEST i686 GNU/Linux
thanks for the testing. The ELF loader changes had a bug which ended up in
creating an extra executable page after .bss, failing some of the tests.
I've fixed this, could you try the -G3 patch?:
redhat.com/~mingo/exec-shield/exec-shield-2.6.0-test5-G3
redhat.com/~mingo/exec-shield/exec-shield-2.6.0-test5-bk12-G3
Ingo
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [Test] exec-shield-2.6.0-test5-G2 vs. paxtest & libsafe
2003-09-27 18:02 ` Ingo Molnar
@ 2003-09-27 18:13 ` Breno
2003-09-27 20:17 ` Gabor MICSKO
1 sibling, 0 replies; 7+ messages in thread
From: Breno @ 2003-09-27 18:13 UTC (permalink / raw)
To: Ingo Molnar, Gabor MICSKO; +Cc: linux-kernel
something like this:
www.bandnet.com.br/~breno_silva/Kernel_linux/sec_stack.c
www.bandnet.com.br/~breno_silva/Kernel_linux/sec_stack1.1v.c
att,
Breno
----- Original Message -----
From: "Ingo Molnar" <mingo@elte.hu>
To: "Gabor MICSKO" <gmicsko@szintezis.hu>
Cc: <linux-kernel@vger.kernel.org>
Sent: Saturday, September 27, 2003 3:02 PM
Subject: Re: [Test] exec-shield-2.6.0-test5-G2 vs. paxtest & libsafe
>
> On Sat, 27 Sep 2003, Gabor MICSKO wrote:
>
> > Kernel:
> > Linux sunshine 2.6.0-test5-exec-shield-nptl #3 SMP 2003. sze. 27.,
> > szombat, 13.37.42 CEST i686 GNU/Linux
>
> thanks for the testing. The ELF loader changes had a bug which ended up in
> creating an extra executable page after .bss, failing some of the tests.
> I've fixed this, could you try the -G3 patch?:
>
> redhat.com/~mingo/exec-shield/exec-shield-2.6.0-test5-G3
> redhat.com/~mingo/exec-shield/exec-shield-2.6.0-test5-bk12-G3
>
> Ingo
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [Test] exec-shield-2.6.0-test5-G2 vs. paxtest & libsafe
2003-09-27 18:02 ` Ingo Molnar
2003-09-27 18:13 ` Breno
@ 2003-09-27 20:17 ` Gabor MICSKO
2003-09-27 20:24 ` Onstream DI-30 locks up PC when in use Stef van der Made
2003-09-27 20:30 ` [Test] exec-shield-2.6.0-test5-G2 vs. paxtest & libsafe Ingo Molnar
1 sibling, 2 replies; 7+ messages in thread
From: Gabor MICSKO @ 2003-09-27 20:17 UTC (permalink / raw)
To: Ingo Molnar; +Cc: linux-kernel
2003-09-27, szo keltezéssel Ingo Molnar ezt írta:
> thanks for the testing. The ELF loader changes had a bug which ended up in
> creating an extra executable page after .bss, failing some of the tests.
> I've fixed this, could you try the -G3 patch?:
>
> redhat.com/~mingo/exec-shield/exec-shield-2.6.0-test5-G3
> redhat.com/~mingo/exec-shield/exec-shield-2.6.0-test5-bk12-G3
Yes, this patch really better.
Kernel:
Linux sunshine 2.6.0-test5-exec-shield-nptl #3 SMP 2003. sze. 27.,
szombat, 21.48.27 CEST i686 GNU/Linux
Exec-shield patch:
http://redhat.com/~mingo/exec-shield/exec-shield-2.6.0-test5-G3
Test programs:
http://www.research.avayalabs.com/project/libsafe/src/libsafe-2.0-16.tgz
http://pageexec.virtualave.net/paxtest-0.9.1.tar.gz
===========================================
sunshine:/home/trey/exec/libsafe-2.0-16/exploits# echo "2" >
/proc/sys/kernel/exec-shield
sunshine:/home/trey/exec/libsafe-2.0-16/exploits# cat
/proc/sys/kernel/exec-shield
2
===========================================
libsafe-2.0-16 (exec-shield full protection):
---------------------------------------------------------------------
sunshine:/home/trey/exec/libsafe-2.0-16/exploits# ./canary-exploit
This program tries to use printf("%n") to overwrite the
return address on the stack.
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
Szegmens hiba
sunshine:/home/trey/exec/libsafe-2.0-16/exploits#
---------------------------------------------------------------------
---------------------------------------------------------------------
sunshine:/home/trey/exec/libsafe-2.0-16/exploits#
./exploit-non-exec-stack
This program demonstrates how a (stack) buffer overflow
can attack linux kernels with *non-executable* stacks.
This is variation on return-int-libc attack.
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
Szegmens hiba
sunshine:/home/trey/exec/libsafe-2.0-16/exploits#
---------------------------------------------------------------------
---------------------------------------------------------------------
trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t1
This program tries to use strcpy() to overflow the buffer.
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
Szegmens hiba
trey@sunshine:~/exec/libsafe-2.0-16/exploits$
---------------------------------------------------------------------
---------------------------------------------------------------------
trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t1w
This program tries to use strcpy() to overflow the buffer.
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
Szegmens hiba
trey@sunshine:~/exec/libsafe-2.0-16/exploits$
---------------------------------------------------------------------
---------------------------------------------------------------------
trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t3
This program will exec() a new program. The new program will
overflow the buffer using strcpy().
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
Szegmens hiba
trey@sunshine:~/exec/libsafe-2.0-16/exploits$
---------------------------------------------------------------------
---------------------------------------------------------------------
trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t3w
This program will exec() a new program. The new program will
overflow the buffer using strcpy().
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
Szegmens hiba
trey@sunshine:~/exec/libsafe-2.0-16/exploits$
---------------------------------------------------------------------
---------------------------------------------------------------------
trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t4
This program will fork() child process, and the child
will overflow the buffer using strcpy().
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
parent process terminating
trey@sunshine:~/exec/libsafe-2.0-16/exploits$
---------------------------------------------------------------------
---------------------------------------------------------------------
trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t4w
This program will fork() child process, and the child
will overflow the buffer using strcpy().
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
parent process terminating
trey@sunshine:~/exec/libsafe-2.0-16/exploits$
---------------------------------------------------------------------
---------------------------------------------------------------------
trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t5
This program tries to use strcat() to overflow the buffer.
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
Szegmens hiba
trey@sunshine:~/exec/libsafe-2.0-16/exploits$
---------------------------------------------------------------------
---------------------------------------------------------------------
trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t6
This program tries to use scanf() to overflow the buffer.
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
Szegmens hiba
trey@sunshine:~/exec/libsafe-2.0-16/exploits$
---------------------------------------------------------------------
===========================================
sunshine:/home/trey/exec/libsafe-2.0-16/exploits# echo "0" >
/proc/sys/kernel/exec-shield
sunshine:/home/trey/exec/libsafe-2.0-16/exploits# cat
/proc/sys/kernel/exec-shield
0
===========================================
libsafe-2.0-16 (exec-shield off):
---------------------------------------------------------------------
trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./canary-exploit
This program tries to use printf("%n") to overwrite the
return address on the stack.
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
sh-2.05b$ exit
exit
trey@sunshine:~/exec/libsafe-2.0-16/exploits$
---------------------------------------------------------------------
---------------------------------------------------------------------
trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./exploit-non-exec-stack
This program demonstrates how a (stack) buffer overflow
can attack linux kernels with *non-executable* stacks.
This is variation on return-int-libc attack.
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
sh-2.05b$ exit
exit
trey@sunshine:~/exec/libsafe-2.0-16/exploits$
---------------------------------------------------------------------
---------------------------------------------------------------------
trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t1
This program tries to use strcpy() to overflow the buffer.
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
sh-2.05b$ exit
exit
trey@sunshine:~/exec/libsafe-2.0-16/exploits$
---------------------------------------------------------------------
---------------------------------------------------------------------
trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t1w
This program tries to use strcpy() to overflow the buffer.
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
sh-2.05b$ exit
exit
trey@sunshine:~/exec/libsafe-2.0-16/exploits$
---------------------------------------------------------------------
---------------------------------------------------------------------
trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t3
This program will exec() a new program. The new program will
overflow the buffer using strcpy().
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
sh-2.05b$ exit
exit
You have new mail in /var/mail/trey
trey@sunshine:~/exec/libsafe-2.0-16/exploits$
---------------------------------------------------------------------
---------------------------------------------------------------------
trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t3w
This program will exec() a new program. The new program will
overflow the buffer using strcpy().
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
sh-2.05b$ exit
exit
trey@sunshine:~/exec/libsafe-2.0-16/exploits$
---------------------------------------------------------------------
---------------------------------------------------------------------
trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t4
This program will fork() child process, and the child
will overflow the buffer using strcpy().
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
sh-2.05b$ exit
exit
parent process terminating
trey@sunshine:~/exec/libsafe-2.0-16/exploits$
---------------------------------------------------------------------
---------------------------------------------------------------------
trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t5
This program tries to use strcat() to overflow the buffer.
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
sh-2.05b$ exit
exit
trey@sunshine:~/exec/libsafe-2.0-16/exploits$
---------------------------------------------------------------------
---------------------------------------------------------------------
trey@sunshine:~/exec/libsafe-2.0-16/exploits$ ./t6
This program tries to use scanf() to overflow the buffer.
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...
sh-2.05b$ exit
exit
trey@sunshine:~/exec/libsafe-2.0-16/exploits$
---------------------------------------------------------------------
*********************************************************************
===========================================
sunshine:/home/trey/exec/paxtest-0.9.1# echo "2" >
/proc/sys/kernel/exec-shield
sunshine:/home/trey/exec/paxtest-0.9.1# cat /proc/sys/kernel/exec-shield
2
===========================================
paxtest-0.9.1 (exec-shield full protection):
sunshine:/home/trey/exec/paxtest-0.9.1# ./paxtest
It may take a while for the tests to complete
Test results:
Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Vulnerable
Executable data (mprotect) : Vulnerable
Executable heap (mprotect) : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Executable stack (mprotect) : Vulnerable
Anonymous mapping randomisation test : 16 bits (guessed)
Heap randomisation test (ET_EXEC) : 13 bits (guessed)
Heap randomisation test (ET_DYN) : 13 bits (guessed)
Main executable randomisation (ET_EXEC) : No randomisation
Main executable randomisation (ET_DYN) : 12 bits (guessed)
Shared library randomisation test : 12 bits (guessed)
Stack randomisation test (SEGMEXEC) : 17 bits (guessed)
Stack randomisation test (PAGEEXEC) : 17 bits (guessed)
Return to function (strcpy) : Vulnerable
Return to function (memcpy) : Vulnerable
Executable shared library bss : Killed
Executable shared library data : Killed
Writable text segments : Vulnerable
===========================================
sunshine:/home/trey/exec/paxtest-0.9.1# echo "0" >
/proc/sys/kernel/exec-shield
sunshine:/home/trey/exec/paxtest-0.9.1# cat /proc/sys/kernel/exec-shield
0
===========================================
paxtest-0.9.1 (exec-shield off):
sunshine:/home/trey/exec/paxtest-0.9.1# ./paxtest
It may take a while for the tests to complete
Test results:
Executable anonymous mapping : Vulnerable
Executable bss : Vulnerable
Executable data : Vulnerable
Executable heap : Vulnerable
Executable stack : Vulnerable
Executable anonymous mapping (mprotect) : Vulnerable
Executable bss (mprotect) : Vulnerable
Executable data (mprotect) : Vulnerable
Executable heap (mprotect) : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Executable stack (mprotect) : Vulnerable
Anonymous mapping randomisation test : No randomisation
Heap randomisation test (ET_EXEC) : No randomisation
Heap randomisation test (ET_DYN) : No randomisation
Main executable randomisation (ET_EXEC) : No randomisation
Main executable randomisation (ET_DYN) : No randomisation
Shared library randomisation test : No randomisation
Stack randomisation test (SEGMEXEC) : No randomisation
Stack randomisation test (PAGEEXEC) : No randomisation
Return to function (strcpy) : Vulnerable
Return to function (memcpy) : Vulnerable
Executable shared library bss : Vulnerable
Executable shared library data : Vulnerable
Writable text segments : Vulnerable
-----------------------------------------
#EOF
--
Windows not found
(C)heers, (P)arty or (D)ance?
-----------------------------------
Micskó Gábor
Compaq Accredited Platform Specialist, System Engineer (APS, ASE)
Szintézis Computer Rendszerház Rt.
H-9021 Győr, Tihanyi Árpád út 2.
Tel: +36-96-502-216
Fax: +36-96-318-658
E-mail: gmicsko@szintezis.hu
Web: http://www.hup.hu/
^ permalink raw reply [flat|nested] 7+ messages in thread* Onstream DI-30 locks up PC when in use
2003-09-27 20:17 ` Gabor MICSKO
@ 2003-09-27 20:24 ` Stef van der Made
2003-09-28 10:20 ` Ookhoi
2003-09-27 20:30 ` [Test] exec-shield-2.6.0-test5-G2 vs. paxtest & libsafe Ingo Molnar
1 sibling, 1 reply; 7+ messages in thread
From: Stef van der Made @ 2003-09-27 20:24 UTC (permalink / raw)
To: linux-kernel
Dear Everybody,
I'm trying to get my DI-30 Onstream tapedrive to work. Some pacthes were
put inot linux 2.6-test5. When I bootup it recognizes the drive :-)))
but when I try to use the drive it locks up my PC immediatly.
I've updated the bug on bugzilla
"http://bugzilla.kernel.org/show_bug.cgi?id=967"
but got no reply yet. Are there more people trying to get this drive to
work and if yes what are your experiences with this drive and 2.6 test5
Cheers
Stef
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [Test] exec-shield-2.6.0-test5-G2 vs. paxtest & libsafe
2003-09-27 20:17 ` Gabor MICSKO
2003-09-27 20:24 ` Onstream DI-30 locks up PC when in use Stef van der Made
@ 2003-09-27 20:30 ` Ingo Molnar
1 sibling, 0 replies; 7+ messages in thread
From: Ingo Molnar @ 2003-09-27 20:30 UTC (permalink / raw)
To: Gabor MICSKO; +Cc: linux-kernel
On Sat, 27 Sep 2003, Gabor MICSKO wrote:
> > redhat.com/~mingo/exec-shield/exec-shield-2.6.0-test5-G3
> > redhat.com/~mingo/exec-shield/exec-shield-2.6.0-test5-bk12-G3
>
> Yes, this patch really better.
> Linux sunshine 2.6.0-test5-exec-shield-nptl #3 SMP 2003. sze. 27.,
> http://www.research.avayalabs.com/project/libsafe/src/libsafe-2.0-16.tgz
[all libsafe exploits fail - good.]
> http://pageexec.virtualave.net/paxtest-0.9.1.tar.gz
> sunshine:/home/trey/exec/paxtest-0.9.1# ./paxtest
> It may take a while for the tests to complete
> Test results:
> Executable anonymous mapping : Killed
> Executable bss : Killed
> Executable data : Killed
> Executable heap : Killed
> Executable stack : Killed
ok.
> Executable anonymous mapping (mprotect) : Killed
this is a testsuite bug i think - anonmap.c mprotanon.c differ in nothing
but the name string of the test.
> Executable bss (mprotect) : Vulnerable
> Executable data (mprotect) : Vulnerable
> Executable heap (mprotect) : Vulnerable
> Executable shared library bss (mprotect) : Vulnerable
> Executable shared library data (mprotect): Vulnerable
> Executable stack (mprotect) : Vulnerable
these are 'vulnerable' by design. There can be legitimate reasons to
mprotect() any of these regions. And if an attacker has enough control
over the target to execute mprotect() with precise arguments then the game
is mostly over anyway. Does anyone know the rationale of these mprotect()
tests?
> Return to function (strcpy) : Vulnerable
> Return to function (memcpy) : Vulnerable
it needs gcc level changes to change the stackframe layout - out of the
scope of exec-shield.
> Writable text segments : Vulnerable
this is a variant of the mprotect() tests too - so possible by design.
Ingo
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2003-09-28 10:20 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2003-09-27 16:05 [Test] exec-shield-2.6.0-test5-G2 vs. paxtest & libsafe Gabor MICSKO
2003-09-27 18:02 ` Ingo Molnar
2003-09-27 18:13 ` Breno
2003-09-27 20:17 ` Gabor MICSKO
2003-09-27 20:24 ` Onstream DI-30 locks up PC when in use Stef van der Made
2003-09-28 10:20 ` Ookhoi
2003-09-27 20:30 ` [Test] exec-shield-2.6.0-test5-G2 vs. paxtest & libsafe Ingo Molnar
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).