I am running opensuse 11 with 220.127.116.11-0.1-pae on x86. I want to demonstrate a simple buffer overflow attack but it seems x permission has now gone from the stack so I get a seg. Is there a kernel parameter I can modify to allow code to run on the stack? Will the default kernel also thwart the attack? The attack demo is for educational purposes only.
> The attack demo is for educational
> purposes only.
SURE it is! (Wink wink, nod nod.)
If you are referring to the exploit “Linux vmsplice Local Root”, it was successful on any distro, including virtual machines, until a patch was promptly released around February this year.
A screenshot, which shows that a normal user can acquire root privileges simply by running the executable built from a small piece of code, which was also publicly released; if you want I can give it to you:
If you patch your machine, whatever distro it is, the exploit will not work any more.
In my case I had 2 CentOS systems, 2 Fedora virtual machines and 4 openSUSE. The kernel was updated from 2.6.18-53.1.6 to 2.6.18-53.1.13 for the CentOS and from 18.104.22.16850 to 22.214.171.12457 for the others.
After the kernel updates, running the exploit simply returns a “Bad address” error; here is another screenshot, which refers to a Fedora VM: http://img56.imageshack.us/img56/1580/vmexploitdidnotworkzm6.jpg
I am not sure what to change in the kernel in order to have this exploit work again; anyway you can either downgrade the kernel or, better, install some distro released before February 2008 and not patch or update the kernel; that way the exploit will succeed.
It turns out I need only boot noexec=off or, if I don’t want system-wide disabling, I can manually turn on X on the stack in the ELF file itself. A copy of the vmsplice exploit would be welcome though…
Attached here is the code, it's in C.