From: Andrew Haley
To: IceDane
Cc: gcc-help@gcc.gnu.org
Subject: Re: Stack protection mechanisms in 4.0+/4.1.2?
Date: Mon, 15 Oct 2007 11:14:00 -0000
Message-ID: <18195.13217.200798.500348@zebedee.pink>
In-Reply-To: <4711149D.1040906@gmail.com>
References: <4711149D.1040906@gmail.com>

IceDane writes:
> Hey there.
>
> A course in my school involves exploitation of various vulnerabilities,
> such as buffer overflows and format string vulnerabilities and so on.
>
> I'm currently running Kubuntu, latest version, which comes with gcc 4.1.2
> stock. If I compile a vulnerable program (a simple strcpy of argv[1] to a
> small buffer) and then attempt to execute an exploit, no matter what I
> do, it fails.
>
> I realize that the Ubuntu gcc 4.1.2 compiles with -fstack-protector
> as default; however, even if I use -fno-stack-protector, the problem
> still prevails.
>
> All kernels since 2.6 also come with virtual address space randomization
> as default, and I've disabled that.
>
> Anyway, I found something that said if you installed gcc 3.3, you'd be
> fine. I tried that, and voila, the exploit executes accordingly.
>
> Now, I ask: what is it, other than the -fstack-protector flag, which
> can disable buffer overflow exploits like that in gcc?

I suspect that the stack layout has changed, and so your exploit no
longer works. What happened when you single-stepped through the exploit
injection in gdb?

Andrew.