Data execution prevention: How to disable it?

ISharma · August 5, 2010, 8:41am

Hello!
I’m testing some shellcodes and I keep getting segmentation fault error. I suspect that this is because of data execution prevention feature, but I couldn’t find the file related to it. Can someone tell me how to disable it?

hcvv · August 5, 2010, 12:23pm

It is the Kernel doing this and it is one of the basic error preventions in any operating system. IMHO you can not switch this off (except by rewriting the Kernel).

When you mean with “shellcodes” that you have a shell (probably bash) script getting this, I am also of the opinion that this should not happen whatever statements you have there. In other words this is a bug. It could also be that it is not happening in bash, but in a tool/program you call from the script, in that case it is of course a bug in that tool.

ISharma · August 5, 2010, 12:53pm

I thought that this should be possible. I found this article Linux Disable or Enable ExecShield Buffer Overflows Protection
However, I don’t know if it works on Opensuse or not. I wanted to ask whether it’s safe before trying it out.

Looks like I’ve to test the legacy shellcodes on Redhat Linux 9 only (:

hcvv · August 5, 2010, 2:04pm

Thanks for not providing the information of your last post in post #1 :sarcastic:.

The following might be a bit silly because the steps I took are so obviuous that you will have done them also. But they might be of interest to others reading this thread, so that they have not to take these steps also.

I took a glance at the article you link to and saw that it used sysctl to manage the kernel parameter kernel.exec-shield.

I did

man sysctl

and fount that

sysctl -a

will give you all the parameters that can be changed with sysctl.

I found that there is no parameter* kernel.exec-shield* on my system (openSUSE 11.2 with Kernel 2.6.33-rc2-0.1-desktop).

I also glanced through the Wikipedia article your link is linking to. There is no mention there that the Kernel patch ever went upstream to be incorporated into the mainstream Kernel. Thus I suppose it is a RedHat only feature.

ISharma · August 5, 2010, 4:04pm

I wonder how should I take it?..sorry holds ears too

I’ll do some tests on my system and report back. Perhaps it might help someone in the future.

ISharma · August 5, 2010, 5:00pm

Just wanted to say that I wasn’t being impolite here. I was really sorry.
Apologies if that sentence might have hurt you. (English isn’t my primary language)

hcvv · August 5, 2010, 5:45pm

You did not hurt me. If I am a bit nasty, you may be also of course

I am always a bit frustrated when people provide as less information as possible when thy start a thread. Instead they should of course provide the maximum amount. Especialy when this is about a subject that does not make a daily appearance here (which you have no doubt tested using the search function before you started the new thread). Or where you are sure that most of your fellow users are not doing the things you are trying.

We are allways willing to help in our spare time, but when we have to use that spare time by going to look for “shellcodes” and “data execution prevention feature” on the Internet, where you most probably have these knowledge (or at least the links to it) at hand we often get a bit sour.

I hope that apart from my sarcastic remark, you have seen the information I found on the subject and my interpretation of it. You could go to The Linux Kernel Archives, but I am afraid that it will be a bit difficult to find information a bout your subject. And of course using Google and friends may give you the answers you want. In any case, this feature is not now in openSUSE as far as I can deduct.

And to finish this, your english is not that bad at all. BTW it is also not my native language. I see you most probably are from Bharat. Thus: नमस्ते

ISharma · August 5, 2010, 6:29pm

Yes, I’m from India.
Thanks, you’ve been very helpful.

As a side note, can someone run this code on their system (Opensuse 11.2)? Just wanted to make sure that I’m not going in the wrong direction. If it works properly then the program should just exit (it’s an exit shellcode), otherwise it’ll give segmentation fault (which confirms that Opensuse uses DEP and is a good thing ).
Try compiling it with and without ‘-mpreferred-stack-boundary=2’ option.
$gcc -mpreferred-stack-boundary=2 -o exit exit.c

and

$gcc -o exit.c


#include<stdio.h>
char shellcode] = "\xbb\x00\x00\x00\x00"
                   "\xb8\x01\x00\x00\x00"
                   "\xcd\x80";
int main()
{
  int *ret;
  ret = (int *)&ret+2;
  (*ret)=(int)shellcode;
}

hcvv · August 5, 2010, 7:16pm

henk@boven:~/sharma> vi exit.c
henk@boven:~/sharma> gcc -mpreferred-stack-boundary=2 -o exit exit.c
henk@boven:~/sharma> l
totaal 24
drwxr-xr-x  2 henk wij  4096 aug  5 19:11 ./
drwxr-xr-x 75 henk wij  4096 aug  5 19:10 ../
-rwxr-xr-x  1 henk wij 10045 aug  5 19:11 exit*
-rw-r--r--  1 henk wij   208 aug  5 19:10 exit.c
henk@boven:~/sharma> ./exit
Segmentatiefout
henk@boven:~/sharma> gcc -o exit.c
gcc: no input files
henk@boven:~/sharma> gcc -o exit exit.c
henk@boven:~/sharma> ./exit
Segmentatiefout
henk@boven:~/sharma>

I think the above needs no further explanation. Including the fact that I added the word exit in the second gcc step.

And I suppose your Dutch is at least as good as my Hindi and thus you will understand what Segmentatiefout means. rotfl!

ISharma · August 5, 2010, 7:53pm

Dank u!
I was stuck at this point for the past 3 days. Now I know the exact reason the shellcode wasn’t working.

hcvv · August 5, 2010, 8:03pm

I am glad I could help you. And your Dutch is realy very good!

ISharma · August 5, 2010, 8:23pm

Haha!
vertalen google helpt altijd.

hcvv · August 5, 2010, 8:57pm

lol! lol! lol!

vodoo · August 5, 2010, 10:28pm

I think the above needs no further explanation.

I am referring to henk’s post above (post#9). When you try the same on openSUSE 11.1 32Bit the following happens:

vodoo@hal:~/test> uname -a
Linux hal 2.6.27.45-0.1-default #1 SMP 2010-02-22 16:49:47 +0100 i686 i686 i386 GNU/Linux
vodoo@hal:~/test> ls -l
insgesamt 4
-rw-r--r-- 1 vodoo users 208  5. Aug 22:11 exit.c
vodoo@hal:~/test> gcc -mpreferred-stack-boundary=2 -o exit exit.c
vodoo@hal:~/test> ls -l
insgesamt 16
-rwxr-xr-x 1 vodoo users 10761  5. Aug 22:15 exit
-rw-r--r-- 1 vodoo users   208  5. Aug 22:11 exit.c
vodoo@hal:~/test> ./exit
Speicherzugriffsfehler
vodoo@hal:~/test> rm exit
vodoo@hal:~/test> gcc -o exit exit.c
vodoo@hal:~/test> ls -l
insgesamt 16
-rwxr-xr-x 1 vodoo users 10761  5. Aug 22:16 exit
-rw-r--r-- 1 vodoo users   208  5. Aug 22:11 exit.c
vodoo@hal:~/test> ./exit
vodoo@hal:~/test>

ISharma · August 5, 2010, 11:27pm

@vodoo
Your output shows that when compiled with -mprefereed-stack-boundary=2 option we get a segmentation fault. This could either be due to non-executable stack or return address pointing to an address outside of my code’s scope.

When compiled without this option, it looks like the code executes. However, I can’t say for sure whether the return address was overwritten or not as the stack boundary is now different. Whenever I change this line in source code [ret = (int *)&ret+2;] to [ret = (int *)&ret+1;] or [ret = (int *)&ret+3;] i.e just change the offset the program terminates normally. This is most probably because the return address isn’t overwritten at all.
However, I don’t have Opensuse 11.1 and I can’t test it.
It would’ve been clear by now that I’m learning exploitation and trying some old shellcodes. Majority of the ‘old’ exploits (like the one I just posted) don’t work on present day OSes because of non-executable stacks. However, I’m new in all of this and I often find this stuff confusing and get stuck at some point or the other.

I know you didn’t want to know this, I just posted incase someone else might check this thread later and find this info. useful.

ISharma · August 5, 2010, 11:29pm

Note: I didn’t intend to use smiley’s. It got in because the code ended with ;’)<–Obviously, without the apostrophe in between.