In this case, the target of my clobbered return address is on the stack (in the 
stack local character buffer), so this is exactly what NX/XD is intended to 
prevent.





-----Original Message-----
From: Michael Loftis <[email protected]>
To: [email protected]
Sent: Sun, Oct 10, 2010 1:08 pm
Subject: Re: non-executable stack (via PT_GNU_STACK) not being enforced


 
--On Sunday, October 10, 2010 9:53 AM -0400 Brchk05 <[email protected]> wrote: 
 
> 
> 
> 
> I am running Debian 2.6.26-21lenny4 and I am puzzled by an issue with the 
> enforcement of page permissions.  I have written a simple program with a 
> basic buffer overflow and compiled two versions using gcc: one with -z 
> execstack and another with -z noexecstack. 
> 
> 
 
I could be wrong, as I haven't looked at the whole NX/XD thing in detail, and
it's been a while since I've actively done anything of the sort, but it would
seem to me that smashing is not necessarily the same as executing on the stack.
Overwriting/changing returns on the stack via a smash, or clobbering code via a
smash, won't be affected by a non-executable stack, since that's just changing
stack variables. Now, if your code section is also non-writable and your heap
is non-executable, you're further protected, but you can still do a
return-to-libc attack. Wikipedia talks about this:
<http://en.wikipedia.org/wiki/Stack_buffer_overflow#Nonexecutable_stack>
 
 