hi there! I was wondering if the current kernels (=>2.6.12) have some kind of additional memory protection added. Specifically, I'm trying to read from the process memory of another process (using gdb), which works just fine on kernel versions up to (and including) 2.6.11. (This is inevitable for me since I'm currently playing with format string vulnerabilities to understand these kinds of attacks.) I would like to know how to turn the mentioned protection off. If it is not possible, it would be great to get some hint which kernel code I would have to patch/modify to turn it off ;)
Here's an example of what I'm trying to do:

---------------------- kernel 2.6.11 ----------------------
[green format_auto]$ ./myshell
Using address: 0xbffff818
bash-2.05b$ gdb -q
(gdb) exec-file ./myshell
(gdb) file myshell
Reading symbols from myshell...done.
Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) break *main
Breakpoint 1 at 0x80484d3
(gdb) run
Starting program: /home/seclab/format_auto/myshell

Breakpoint 1, 0x080484d3 in main ()
(gdb) x/10x 0xbffff818
0xbffff818:     0x65687379      0x4c006c6c      0x41505f43      0x3d524550
0xbffff828:     0x415f6564      0x454c0054      0x454b5353      0x652f3d59
0xbffff838:     0x2e2f6374      0x7373656c
(gdb)
-----------------------------------------------------------

As you can see, reading from the shell's process memory (0xbffff818 is the address of an environment variable) works just fine. Here's what happens if I try the same with a newer kernel:

---------------------- kernel 2.6.12 ----------------------
phyrex:~/work/format_auto$ ./myshell
Using address: 0xbfa6f358
phyrex:~/work/format_auto$ gdb -q --exec=./myshell
(gdb) file myshell
Reading symbols from /home/seclab/work/format_auto/myshell...done.
Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) break *main
Breakpoint 1 at 0x80484d3
(gdb) run
Starting program: /home/seclab/work/format_auto/myshell

Breakpoint 1, 0x080484d3 in main ()
(gdb) x/10x 0xbfa6f358
0xbfa6f358:     Cannot access memory at address 0xbfa6f358
(gdb) x/x 0xbfa6f358
0xbfa6f358:     Cannot access memory at address 0xbfa6f358
-----------------------------------------------------------

Sometimes, instead of the "Cannot access memory at address ..." message, gdb tries to show the content of the address, unfortunately not the real content:

-----------------------------------------------------------
(gdb) x/x 0xbfc47629
0xbfc47629:     0x00000000
-----------------------------------------------------------

Any help is greatly appreciated ;)

Sincerely,
Stefan
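Added example (not from Stefan's mail): kernels from 2.6.12 on randomize the stack base per execution and expose the setting as the randomize_va_space sysctl, so an address printed by one run of a program does not describe the layout of a second run under gdb. This Python check, assuming a Linux kernel that labels the stack mapping "[stack]" in /proc/<pid>/maps, reports the sysctl value and whether the stack base moves between fresh processes; the maps excerpts below are constructed samples.

```python
"""Check whether the kernel randomizes the stack base between executions.
Assumes Linux with procfs and a kernel that labels the stack "[stack]"."""
import re
import subprocess
from typing import Optional

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+\S+\s+\S+\s+\S+\s+\S+\s*(.*)$")


def stack_base(maps_text: str) -> Optional[int]:
    """Return the start address of the [stack] mapping, or None if absent."""
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if m and m.group(3).strip() == "[stack]":
            return int(m.group(1), 16)
    return None


def randomize_va_space() -> Optional[int]:
    """Read /proc/sys/kernel/randomize_va_space (0=off, 1=stack+mmap, 2=also brk).
    Returns None when procfs or the sysctl is unavailable."""
    try:
        with open("/proc/sys/kernel/randomize_va_space") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def stack_is_randomized(runs: int = 5) -> bool:
    """Spawn a fresh process several times and compare each one's [stack] base.
    Every exec gets its own layout, so differing bases mean randomization is on."""
    bases = set()
    for _ in range(runs):
        out = subprocess.run(["cat", "/proc/self/maps"], capture_output=True,
                             text=True, check=True).stdout
        base = stack_base(out)
        if base is not None:
            bases.add(base)
    return len(bases) > 1


# Constructed samples: [stack] lines as two separate runs would show them
# on a randomizing kernel (values are illustrative, not captured).
SAMPLE_RUN_A = "bfa5e000-bfa73000 rw-p 00000000 00:00 0          [stack]\n"
SAMPLE_RUN_B = "bffeb000-c0000000 rw-p 00000000 00:00 0          [stack]\n"

if __name__ == "__main__":
    print("randomize_va_space =", randomize_va_space())
    print("stack base differs between runs:", stack_is_randomized())
```

If the sysctl reads 0 and the bases agree across runs, an address observed in one process is stable in the next; otherwise each execution must be examined in its own right.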

