PaX和缓冲区溢出

时间:2011-06-16 12:14:51

标签: c linux-kernel buffer-overflow pax

是否可能在linux中溢出内存中具有PaX的缓冲区。我想通过使用正确的输入更改返回地址来利用可执行文件。我正在使用Ubuntu 10.04并使用paxtest测试它,但我不知道结果意味着什么。这是我的系统中paxtest的结果:

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable anonymous mapping (mprotect)  : Vulnerable
Executable bss (mprotect)                : Vulnerable
Executable data (mprotect)               : Vulnerable
Executable heap (mprotect)               : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Executable stack (mprotect)              : Vulnerable
Anonymous mapping randomisation test     : 12 bits (guessed)
Heap randomisation test (ET_EXEC)        : 13 bits (guessed)
Heap randomisation test (ET_DYN)         : 14 bits (guessed)
Main executable randomisation (ET_EXEC)  : 12 bits (guessed)
Main executable randomisation (ET_DYN)   : 12 bits (guessed)
Shared library randomisation test        : 12 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 19 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 19 bits (guessed)
Return to function (strcpy)              : Vulnerable
Return to function (strcpy, RANDEXEC)    : Vulnerable
Return to function (memcpy)              : Vulnerable
Return to function (memcpy, RANDEXEC)    : Vulnerable
Executable shared library bss            : Vulnerable
Executable shared library data           : Killed
Writable text segments                   : Vulnerable

1 个答案:

答案 0 :(得分:1)

是的,你可以。见行:

    Return to function (strcpy)              : Vulnerable
    Return to function (strcpy, RANDEXEC)    : Vulnerable
唉,我的学校项目是使用grsecurity防止这种漏洞。 PaX没有阻止我覆盖返回地址。