At 09:51 PM 8/29/2001, Antonomasia wrote:

>I've been attempting a white-hat "exploit" to run some demo code
>on the stack on Solaris. The aim is to show whether the non-executable
>stack is in force (and the /etc/system file may not be a reliable guide
>to this if modified since last boot or something).
>
>So ideally I'd take a Solaris/sparc shellcode and modify "sh" to "id"
>and plant this in a program that deliberately overflows itself. And this
>will be run on various machines periodically.

Nice idea... so you want to check if your boxes are still in
non-executable-stack state? But you should write the "shellcode" on your
own to fit your purposes. You don't need a shellcode.

>My problems arise when:
>
> Having got "execution" of the illegal string "AAAAAAAA" I replace
> it with downloaded shellcode and this disturbs the exploit so it
> needs some adjustment. I get a core dump from either SEGV or BUS
> and in trying to find the program state with gdb it throws garbage
> over the screen and is not recovered by "stty sane" or "reset".
> I suppose I could wrap gdb in perl and allow only filtered chars to
> my terminal. What do other people do about this?
>
> Execution on a non-executable stack gets a SEGV. Is there a way
> the program can distinguish this from any other SEGV?

Why don't you try this one: it would be enough to call exit(1) in the
"shellcode". So if the code on the stack gets executed, the program will
return 1 (== shell false). Install a signal(SIGSEGV) and signal(SIGBUS)
handler that will exit(0); good idea?

cheerz
  corecode

--
http://www.eikon.tum.de/~simons/security/
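The probe corecode sketches (code on the stack that makes the process exit 1 if it runs, SIGSEGV/SIGBUS handlers that make it exit 0 if it traps), written out as an added example that is not part of either message in this thread. It assumes a Linux host on x86-64 or AArch64 rather than Solaris/SPARC, so the stub bytes are a "return 42" sequence for those two architectures (an assumption: any other target needs its own stub). It also makes one simplification the thread does not: no buffer is overflowed. To learn whether the stack is executable you only need to land control on a stack address, so the stub is copied into a local buffer and called through a function pointer, which avoids the exploit-tuning and gdb-garbage problems Antonomasia describes. The fault is caught with sigsetjmp/siglongjmp instead of exit(0) so the probe can be called as an ordinary function; main() then maps the result onto corecode's exit-status convention.

```c
/* stackprobe.c: is this process's stack executable?
 * Added example, not code from the thread. Assumes Linux on x86-64 or
 * AArch64 and a GCC/Clang-compatible compiler (__builtin___clear_cache,
 * __attribute__((aligned))). */
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Machine code for a function that returns 42. Stands in for the
 * exit(1) "shellcode" so the probe can be called repeatedly. */
#if defined(__x86_64__)
static const unsigned char stub[] = {
    0xB8, 0x2A, 0x00, 0x00, 0x00,   /* mov eax, 42 */
    0xC3                            /* ret         */
};
#elif defined(__aarch64__)
static const unsigned char stub[] = {
    0x40, 0x05, 0x80, 0x52,         /* mov w0, #42 */
    0xC0, 0x03, 0x5F, 0xD6          /* ret         */
};
#else
#error "add a 'return 42' stub for this architecture"
#endif

static sigjmp_buf fault_env;
static volatile sig_atomic_t fault_signo;   /* which signal fired, or 0 */

static void on_fault(int signo)
{
    fault_signo = signo;
    /* Do not return: returning would re-execute the faulting instruction. */
    siglongjmp(fault_env, 1);
}

/* Returns 1 if code placed on the stack executed, 0 if it faulted
 * (SIGSEGV or SIGBUS). Signal dispositions are restored afterwards. */
int stack_is_executable(void)
{
    struct sigaction sa, old_segv, old_bus;
    unsigned char buf[64] __attribute__((aligned(16)));  /* the "stack code" */
    int (*fn)(void);
    void *p = buf;
    volatile int executed = 0;   /* volatile: read after siglongjmp */

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    fault_signo = 0;
    /* savesigs=1: siglongjmp restores the signal mask, so a second probe
     * does not run with SIGSEGV still blocked from the first handler. */
    if (sigsetjmp(fault_env, 1) == 0) {
        memcpy(buf, stub, sizeof stub);
        __builtin___clear_cache((char *)buf, (char *)buf + sizeof stub);
        memcpy(&fn, &p, sizeof fn);        /* data pointer -> function pointer */
        executed = (fn() == 42);           /* faults here on an NX stack */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return executed;
}

int main(void)
{
    int executed = stack_is_executable();
    if (executed)
        printf("stack code ran: executable stack\n");
    else
        printf("stack code trapped (signal %d): non-executable stack\n",
               (int)fault_signo);
    /* corecode's convention: exit 1 if the stack executed, 0 if it trapped. */
    return executed ? 1 : 0;
}
```

Build with `cc -o stackprobe stackprobe.c`, run it from cron and check `$?`. To confirm the probe itself works (and that the 0 is not just a handler firing for some unrelated reason), relink on Linux with `-Wl,-z,execstack`, which marks the program's stack RWX: the exit status should flip to 1. If it does not, the kernel or a hardening layer is enforcing a non-executable stack regardless of the binary's request, which is exactly the "is it still in force" question the thread is asking.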
This archive was generated by hypermail 2b30 : Thu Aug 30 2001 - 08:21:40 PDT