Executing remote programs using C

Started by January 05, 2005 06:03 PM
13 comments, last by Winograd 19 years, 10 months ago
Quote: Original post by doynax
Quote: Original post by Winograd
Are the new process and its data and bss sections allocated to the same pages as the old process? I mean that if the old process had written something to address x and the new process has not overwritten it yet, then can it be recovered by the new process? This is probably highly dependent on the implementation of the exec family functions (and/or kernel)... but let's say we are on gnu/linux 2.6, and we have a sufficiently new glibc (>=2.3)..
No, you normally don't get to keep the memory contents. However you can flag a memory area as inheritable when allocating it (specify MAP_INHERIT to mmap() calls).


Ok.. although GNU libc does not document such a flag (MAP_INHERIT).

So basically, I could write some shellcode (referring to the buffer overflow thread) into an inheritable page. Set that page all the permissions I want. Then I would use exec to replace my exploitation process with the vulnerable process and overflow the stack and point the return address to the inherited page where my shellcode is located. Correct?
Quote: Original post by Winograd
Ok.. although GNU libc does not document such a flag (MAP_INHERIT).
It's not a libc function and I don't know which flags are specified by posix either. I only have access to a BSD system right now so you'll have to check the manual page for mmap or do some googling for the equivalent on your system.

Quote: Original post by Winograd
So basically, I could write some shellcode (referring to the buffer overflow thread) into an inheritable page. Set that page all the permissions I want. Then I would use exec to replace my exploitation process with the vulnerable process and overflow the stack and point the return address to the inherited page where my shellcode is located. Correct?
Yes, but that seems kinda pointless though. Unless the binary has SUID root permissions or something..
And don't forget PROT_EXEC (hopefully standard..) since you want to execute code in it.
Quote: Original post by doynax
Quote: Original post by Winograd
Ok.. although GNU libc does not document such a flag (MAP_INHERIT).
It's not a libc function and I don't know which flags are specified by posix either. I only have access to a BSD system right now so you'll have to check the manual page for mmap or do some googling for the equivalent on your system.
Well, it is part of _GNU_ libc.. at least the info pages of GLIBC 2.3 describe it under Memory-Mapped I/O. And I did check the man pages obviously.. there it was documented also, without the MAP_INHERIT.. the header file where the other flags are defined does not contain such a flag, so I doubt that it is available under a linux system at all (BSD specific?).
Quote: Original post by doynax
Quote: Original post by Winograd
So basically, I could write some shellcode (referring to the buffer overflow thread) into an inheritable page. Set that page all the permissions I want. Then I would use exec to replace my exploitation process with the vulnerable process and overflow the stack and point the return address to the inherited page where my shellcode is located. Correct?
Yes, but that seems kinda pointless though. Unless the binary has SUID root permissions or something..

True. But there are many programs that often have SUID flag, such as X.
Quote: Original post by doynax
And don't forget PROT_EXEC (hopefully standard..) since you want to execute code in it.
Yes, that's what I meant when saying "Set that page all the permissions I want."


Quote: Original post by Winograd
Well, it is part of _GNU_ libc.. at least the info pages of GLIBC 2.3 describe it under Memory-Mapped I/O. And I did check the man pages obviously.. there it was documented also, without the MAP_INHERIT.. the header file where the other flags are defined does not contain such a flag, so I doubt that it is available under a linux system at all (BSD specific?).

While that particular flag might not be implemented there might (should?) exist some equivalent operation.
GNU libc's mmap() function is little more than a thin wrapper around a specific system call. And on top of that one that depends heavily on what features the CPU itself provides (disallowing code execution in readable pages is a good example).
Unfortunately my man page doesn't specify a minimum set of "guaranteed" operations. Maybe posix gave up and marked the whole function as non-standard?

Note that normally you'd use the shared memory interface (shmget) for communicating through raw memory buffers. But I don't see how you could run any buffer overrun exploits through those.
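The post above touches on hardware that disallows executing code in ordinary readable/writable pages and on the need for PROT_EXEC. The audit below is an added example (not code from the thread or from glibc): it parses the Linux /proc/<pid>/maps format and counts mappings that are both writable and executable, which is what a W^X policy is meant to rule out. The sample map text is constructed here, not captured from a real system; count_wx_mappings_self() reads the calling process's own map and returns -1 where /proc is unavailable.

```c
/* Added example: audit a process memory map for writable+executable pages.
 * Parses the Linux /proc/<pid>/maps line format:
 *   start-end perms offset dev inode [pathname]
 * where perms is four characters such as "rwxp" or "r-xp". */
#include <stdio.h>
#include <string.h>

/* Returns 1 if a single maps line describes a mapping that is both
 * writable and executable, 0 otherwise (including unparsable lines). */
static int line_is_wx(const char *line)
{
    char perms[8] = {0};
    /* skip the address range, read the permission field */
    if (sscanf(line, "%*s %7s", perms) != 1)
        return 0;
    return strchr(perms, 'w') != NULL && strchr(perms, 'x') != NULL;
}

/* Counts W+X mappings in a maps-format text buffer, one entry per line. */
int count_wx_mappings(const char *maps_text)
{
    int count = 0;
    const char *p = maps_text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (line_is_wx(line))
            count++;
        if (!nl)
            break;
        p = nl + 1;
    }
    return count;
}

/* Audits the calling process itself. Returns the W+X count, or -1 when
 * /proc/self/maps cannot be opened (non-Linux system, restricted /proc). */
int count_wx_mappings_self(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return -1;
    char line[512];
    int count = 0;
    while (fgets(line, sizeof line, f))
        if (line_is_wx(line))
            count++;
    fclose(f);
    return count;
}

/* Constructed sample map (assumed layout, not from a real system):
 * one anonymous rwxp region is present, everything else obeys W^X. */
const char *SAMPLE_MAPS =
    "00400000-00452000 r-xp 00000000 08:01 1234 /usr/bin/example\n"
    "00651000-00652000 rw-p 00051000 08:01 1234 /usr/bin/example\n"
    "7f1a00000000-7f1a00001000 rwxp 00000000 00:00 0\n"
    "7ffc1e000000-7ffc1e021000 rw-p 00000000 00:00 0 [stack]\n";

int main(void)
{
    printf("W+X mappings in sample map: %d\n", count_wx_mappings(SAMPLE_MAPS));
    int self = count_wx_mappings_self();
    if (self >= 0)
        printf("W+X mappings in this process: %d\n", self);
    else
        printf("/proc/self/maps not available on this system\n");
    return 0;
}
```

On a hardened build with a non-executable stack and heap the self-audit normally reports zero; a non-zero result points at a JIT, a hand-made mprotect(), or exactly the kind of writable+executable buffer the thread is discussing.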
Quote: Original post by Winograd
True. But there are many programs that often have SUID flag, such as X.
Whoa.. Maybe I'm just old fashioned but my x-server doesn't have SUID permissions.
The only time I've dealt with them in the past has been to allow executing svgalib applications in user-mode, and even that seems very risky on multi-user machines.
But then again I'm hardly a Unix expert, especially not on administrating secure multi-user machines.
Quote: Original post by Winograd
Quote: Original post by doynax
And don't forget PROT_EXEC (hopefully standard..) since you want to execute code in it.
Yes, that's what I meant when saying "Set that page all the permissions I want."
Sorry, I must've missed that part ;)
Quote: Original post by doynax
Whoa.. Maybe I'm just old fashioned but my x-server doesn't have SUID permissions.
The only time I've dealt with them in the past has been to allow executing svgalib applications in user-mode, and even that seems very risky on multi-user machines.
But then again I'm hardly a Unix expert, especially not on administrating secure multi-user machines.

Yep, neither is mine. But by default XFree86 seems to install itself as SUID.
