How to turn off gcc compiler optimization to enable buffer overflow

后端 未结 6 647
野趣味
野趣味 2020-11-28 01:01

I\'m working on a homework problem that requires disabling compiler optimization protection for it to work. I\'m using gcc 4.4.1 on ubuntu linux, but can\'t figure out which

相关标签:
6条回答
  • 2020-11-28 01:28

    I won't quote the entire page but the whole manual on optimisation is available here: http://gcc.gnu.org/onlinedocs/gcc-4.4.3/gcc/Optimize-Options.html#Optimize-Options

    From the sounds of it you want at least -O0, the default, and:

    -fmudflap -fmudflapth -fmudflapir

    For front-ends that support it (C and C++), instrument all risky pointer/array dereferencing operations, some standard library string/heap functions, and some other associated constructs with range/validity tests. Modules so instrumented should be immune to buffer overflows, invalid heap use, and some other classes of C/C++ programming errors. The instrumentation relies on a separate runtime library (libmudflap), which will be linked into a program if -fmudflap is given at link time. Run-time behavior of the instrumented program is controlled by the MUDFLAP_OPTIONS environment variable. See env MUDFLAP_OPTIONS=-help a.out for its options.

    0 讨论(0)
  • 2020-11-28 01:33

    Try the -fno-stack-protector flag.

    0 讨论(0)
  • 2020-11-28 01:35

    You don't need to disable ASLR in order to do a buffer overflow! Although ASLR is enabled (kernel_randomize_va_space = 2), it will not take effect unless the compiled executable is PIE. So unless you compiled your file with -fPIC -pie flag, ASLR will not take effect.

    I think only disabling the canaries with -fno-stack-protector is enough. If you want to check if ASLR is working or not (Position independent code must be set), use:

    hardening-check executable_name
    
    0 讨论(0)
  • 2020-11-28 01:38

    On newer distros (as of 2016), it seems that PIE is enabled by default so you will need to disable it explicitly when compiling.

    Here's a little summary of commands which can be helpful when playing locally with buffer overflow exercises in general:

    Disable canary:

    gcc vuln.c -o vuln_disable_canary -fno-stack-protector
    

    Disable DEP:

    gcc vuln.c -o vuln_disable_dep -z execstack
    

    Disable PIE:

    gcc vuln.c -o vuln_disable_pie -no-pie
    

    Disable all of protection mechanisms listed above (warning: for local testing only):

    gcc vuln.c -o vuln_disable_all -fno-stack-protector -z execstack -no-pie
    

    For 32-bit machines, you'll need to add the -m32 parameter as well.

    0 讨论(0)
  • 2020-11-28 01:52

    Urm, all of the answers so far have been wrong with Rook's answer being correct.

    Entering:

    echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
    

    Followed by:

    gcc -fno-stack-protector -z execstack -o bug bug.c
    

    Disables ASLR, SSP/Propolice and Ubuntu's NoneXec (which was placed in 9.10, and fairly simple to work around see the mprotect(2) technique to map pages as executable and jmp) should help a little, however these "security features" are by no means infallible. Without the `-z execstack' flag, pages have non-executable stack markings.

    0 讨论(0)
  • 2020-11-28 01:53

    That's a good problem. In order to solve that problem you will also have to disable ASLR otherwise the address of g() will be unpredictable.

    Disable ASLR:

    sudo bash -c 'echo 0 > /proc/sys/kernel/randomize_va_space'
    

    Disable canaries:

    gcc overflow.c -o overflow -fno-stack-protector
    

    After canaries and ASLR are disabled it should be a straight forward attack like the ones described in Smashing the Stack for Fun and Profit

    Here is a list of security features used in ubuntu: https://wiki.ubuntu.com/Security/Features You don't have to worry about NX bits, the address of g() will always be in a executable region of memory because it is within the TEXT memory segment. NX bits only come into play if you are trying to execute shellcode on the stack or heap, which is not required for this assignment.

    Now go and clobber that EIP!

    0 讨论(0)
提交回复
热议问题