Reputation: 321
As part of a course assignment I need to write exploit code to cause a buffer overflow and execute code that is present on the stack.
I have turned off stack randomization with the following command: sysctl -w kernel.randomize_va_space=0 However, I am unable to find a way to turn off the stack execution protection. I am not sure whether there is some stack exec protection in Ubuntu or not, so my first question is whether there is something like Red Hat's Exec Shield in Ubuntu 8.10 and, if there is, how can we turn it off?
I have been trying to cause a buffer overflow and execute instructions from the stack, but whenever I try to do so, it gives me a seg fault.
I've got Ubuntu 8.10 64-bit; HOWEVER, the program I'm debugging was compiled on an i386 machine with stack protection turned off.
Upvotes: 5
Views: 5549
Reputation:
You probably want to compile with the -z execstack flag in your GCC compilation, along with -fno-stack-protector (to disable GCC's SSP/ProPolice stack protection), i.e.:
gcc -fno-stack-protector -z execstack -o vuln vuln.c
Everything should probably turn out jake after this. Note that sysctl -w kernel.randomize_va_space=0 is just address space randomization, not stack protection per se, and it may be brute-forced against using a variety of techniques.
Upvotes: 5
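A practical check to go with the answer above, added here as an example and not part of the original answer: whether the stack of a running process is actually executable can be read off the [stack] line of /proc/self/maps, whose permission field is "rwxp" when the binary was linked with -z execstack (the GNU_STACK program header marked RWE) and "rw-p" otherwise, in which case any jump into a stack buffer faults. The program assumes Linux with procfs and the maps line format shown in the comments; the sample lines in the comments are constructed for illustration.

```c
/* Added example (not from the original answer): report whether this
 * process's own stack mapping is executable by parsing /proc/self/maps.
 *
 * Assumed maps line format (one mapping per line):
 *   start-end perms offset dev inode [path]
 *   e.g. "7ffd1a2b3000-7ffd1a2d4000 rwxp 00000000 00:00 0   [stack]"
 * The third character of perms is the execute bit ('x' or '-').
 */
#include <stdio.h>
#include <string.h>

/* Examine one line of /proc/<pid>/maps.
 * Returns 1 if it is the [stack] mapping and has the 'x' bit,
 *         0 if it is the [stack] mapping without the 'x' bit,
 *        -1 if the line describes any other mapping or is malformed. */
int maps_line_stack_exec(const char *line)
{
    char perms[8] = {0};
    char path[256] = {0};

    /* Skip the address range, then capture perms and the optional path. */
    if (sscanf(line, "%*[0-9a-f]-%*[0-9a-f] %7s %*s %*s %*s %255s",
               perms, path) < 2)
        return -1;           /* anonymous mapping or unexpected layout */

    if (strcmp(path, "[stack]") != 0)
        return -1;           /* some other mapping (binary, libc, heap, ...) */

    return perms[2] == 'x' ? 1 : 0;
}

/* Walk this process's maps and return the result for the [stack] line,
 * or -1 if procfs is unavailable or no [stack] mapping was found. */
int stack_is_executable(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    int result = -1;

    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        int r = maps_line_stack_exec(line);
        if (r >= 0) {
            result = r;
            break;
        }
    }
    fclose(f);
    return result;
}

int main(void)
{
    int r = stack_is_executable();
    if (r < 0)
        puts("could not find a [stack] mapping in /proc/self/maps");
    else
        printf("stack is %sexecutable\n", r ? "" : "NOT ");
    return 0;
}
```

Build it twice, once with and once without -z execstack, and the output flips between "executable" and "NOT executable"; the same fact is visible statically in the GNU_STACK program header (readelf -lW on the binary shows RWE versus RW). On a 64-bit host running a 32-bit target, the check applies to the 32-bit process itself, so run it as the same kind of binary you are debugging.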
Reputation: 1649
These programs can often be exploited without executable stacks. If the victim is compiled without executable stack, consider return-oriented programming as an exploit technique.
http://en.wikipedia.org/wiki/Return-oriented_programming
Upvotes: 0