What is the NX bit?
It's an exploit mitigation technique that makes certain areas of memory non-executable and makes executable areas non-writable. Example: the data, stack and heap segments are made non-executable, while the text segment is made non-writable.
List the program headers of an ELF binary (the GNU_STACK entry shows whether the stack is executable):
readelf -l vuln
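As an added example (not code from the original post), a small Python parser that reads the ELF program headers directly and reports the PT_GNU_STACK flags, the same information the readelf -l output above shows; the sample ELF bytes are constructed inline and are not a real binary.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551          # program header type readelf prints as GNU_STACK
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4   # p_flags bits

def gnu_stack_flags(elf: bytes):
    """Return the PT_GNU_STACK p_flags as a readelf-style string ('RW', 'RWE', ...),
    or None if the binary carries no PT_GNU_STACK header."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = elf[4] == 2                     # EI_CLASS: 1 = ELFCLASS32, 2 = ELFCLASS64
    end = "<" if elf[5] == 1 else ">"      # EI_DATA: 1 = little endian, 2 = big endian
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", elf, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x36)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", elf, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x2A)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(end + "I", elf, off)
        # Elf64_Phdr keeps p_flags right after p_type; Elf32_Phdr puts it at offset 24
        (p_flags,) = struct.unpack_from(end + "I", elf, off + (4 if is64 else 24))
        if p_type == PT_GNU_STACK:
            return "".join(c for c, bit in (("R", PF_R), ("W", PF_W), ("E", PF_X)) if p_flags & bit)
    return None

def stack_is_executable(elf: bytes) -> bool:
    """True when the stack will be mapped executable: PF_X is set, or there is no
    PT_GNU_STACK header at all (the Linux default for such binaries on x86)."""
    flags = gnu_stack_flags(elf)
    return flags is None or "E" in flags

def build_minimal_elf32(stack_flags: int) -> bytes:
    """Constructed sample input: a minimal little-endian i386 ELF header followed by
    one PT_GNU_STACK program header. Enough for the parser; not a runnable binary."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8   # class32, LSB, version 1
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH",
                               2, 3, 1, 0x8048000,   # ET_EXEC, EM_386, version, e_entry
                               52, 0, 0,             # e_phoff (right after the header), e_shoff, e_flags
                               52, 32, 1,            # e_ehsize, e_phentsize, e_phnum
                               40, 0, 0)             # e_shentsize, e_shnum, e_shstrndx
    phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    return ehdr + phdr

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_elf32(PF_R | PF_W)
    print("GNU_STACK flags:", gnu_stack_flags(data), "executable stack:", stack_is_executable(data))
```

Run it against a real binary with `python3 nxcheck.py ./vuln`; a result of `RW` means NX is in effect for the stack, `RWE` means it is not.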
How to bypass NX bit and achieve arbitrary code execution?
The NX bit can be bypassed using an attack technique called "return-to-libc". Here the return address is overwritten with the address of a particular libc function (instead of a stack address containing shellcode). For example, if an attacker wants to spawn a shell, he overwrites the return address with the address of system() and also sets up, on the stack, the arguments system() requires for its successful invocation.
The ldd command shows which shared libraries (.so files) the target program loads.
Preventing the program from keeping root privileges
```c
//vuln_priv.c
#include <stdio.h>
#include <string.h>
#include <unistd.h>   /* seteuid(), getuid() */

int main(int argc, char* argv[]) {
    char buf[256];
    seteuid(getuid());      /* Temporarily drop privileges */
    strcpy(buf, argv[1]);   /* No length check on argv[1]: this is the overflow the post discusses */
    printf("%s\n", buf);
    fflush(stdout);
    return 0;
}
```
For a program like this, we can obtain root through the following call:
Linux (x86) exploit development series 4: bypassing NX with return2libc
Original article: http://www.cnblogs.com/junmoxiao/p/5294241.html