我的问题很容易解释!
易受攻击的程序能够在堆栈中执行shellcode:
(with gdb)
0xbffff6f3: push ...
=> 0xbffff6f8: jns ...
但是,堆栈标记为NOT executable:
(vmmap)
...
b7fff000-b8000000 rw-p 0001c000 08:01 525141 /lib/i386-linux-gnu/ld-2.13.so
bffdf000-c0000000 rw-p 00000000 00:00 0 [stack]
怎么可能? 我不知道在哪里看。你知道吗?
谢谢。 Jc!
可能有用:
jc@kali:~/init$ uname -a
Linux kali 3.18.0-kali1-586 #1 Debian 3.18.3-1~kali4 (2015-01-22) i686 GNU/Linux
jc@kali:~/init$ gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/i486-linux-gnu/4.7/lto-wrapper
Target: i486-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 4.7.2-5' --with-bugurl=file:///usr/share/doc/gcc-4.7/README.Bugs --enable-languages=c,c++,go,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-4.7 --enable-shared --enable-linker-build-id --with-system-zlib --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --with-gxx-include-dir=/usr/include/c++/4.7 --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --enable-gnu-unique-object --enable-plugin --enable-objc-gc --enable-targets=all --with-arch-32=i586 --with-tune=generic --enable-checking=release --build=i486-linux-gnu --host=i486-linux-gnu --target=i486-linux-gnu
Thread model: posix
gcc version 4.7.2 (Debian 4.7.2-5)