


Vulnerability Development: non-executable stacks

non-executable stacks

From: Ghaith Nasrawi <libero_at_aucegypt.edu>
Date: Sun, 14 Nov 2004 21:33:45 +0000

Hey folks,

I'm sorry if this question was asked before in this mailing list, but
I couldn't find useful information about it anywhere else.

Currently, I'm working on Linux 2.6.9-1.667 under Fedora Core 3, and
the way to trigger on/off the stack protection is by setting/unsetting
"/proc/sys/kernel/exec-shield".

Q: Is it possible to change the value of that variable during the
course of executing a process, and therefore you'd have the stack as
an executable one? (Now, I'm assuming that process has unlimited
privileges).

The problem is in order to change that value, we need to overwrite the
EIP with our variable modifier! Then, we can lay back and have the
stack wide open.

It goes like a cycle of dependencies ...

Any ideas? Workarounds?

g.

"Our care should not be to have lived long as to have lived enough.",
Seneca
Received on Nov 15 2004
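
A defender-side check related to the question above, as an added example that is not part of the original post: it parses `/proc/<pid>/maps` text and reports whether the stack mapping is executable and which mappings are both writable and executable. The sample maps lines are constructed, and the code assumes the kernel labels the stack mapping `[stack]`.

```python
"""Audit stack and W+X mappings from /proc/<pid>/maps text (added example)."""
import re
import sys

# Fields: start-end, perms, offset, dev, inode, optional pathname.
MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([r-][w-][x-][ps])\s+[0-9a-f]+\s+\S+\s+\d+\s*(.*)$"
)

# Constructed sample input, shaped like a 32-bit Linux process map.
SAMPLE_MAPS = """\
08048000-08049000 r-xp 00000000 03:02 123456     /usr/bin/demo
08049000-0804a000 rw-p 00000000 03:02 123456     /usr/bin/demo
b7e00000-b7e21000 rwxp 00000000 00:00 0
bffdf000-c0000000 rw-p bffdf000 00:00 0          [stack]
"""


def parse_maps(text):
    """Return (start, end, perms, name) for every well-formed maps line."""
    entries = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if m:
            start, end = int(m.group(1), 16), int(m.group(2), 16)
            entries.append((start, end, m.group(3), m.group(4).strip()))
    return entries


def audit(text):
    """Summarise stack permissions and writable+executable mappings."""
    entries = parse_maps(text)
    # Assumption: the stack mapping carries the "[stack]" label.
    stack = [e for e in entries if e[3] == "[stack]"]
    wx = [e for e in entries if "w" in e[2] and "x" in e[2]]
    return {
        "stack_perms": stack[0][2] if stack else None,
        # None means "no labelled stack mapping found", not "safe".
        "stack_executable": ("x" in stack[0][2]) if stack else None,
        "writable_and_executable": [
            (hex(s), hex(e), name or "<anonymous>") for s, e, _, name in wx
        ],
    }


if __name__ == "__main__":
    # Pass a maps file (e.g. /proc/self/maps) or fall back to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAPS
    print(audit(text))
```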
