
Topic: An article on how a memory overflow leads to being attacked -- yueyu


This paper is very interesting, and very useful too.

Ask yourself honestly: how many of us have really thought about the security of our code? How many of us write code that could stand up to scrutiny by a security expert?

I remember reading papers on secure code some time ago and breaking out in a cold sweat as I read. I thought I was already nerd enough, but there is always a higher mountain.

http://insecure.org/sploits/non-executable.stack.problems.html

If anyone has the time, you could translate it for the benefit of fellow enthusiasts.


Defeating Solar Designer's Non-executable Stack Patch

Summary

Description: A very interesting paper on defeating non-executable stack patches. It goes through the steps needed to exploit the XServer <LONGDISPLAY> hole in Linux even with a non-execute patch.

Author: Rafal Wojtczuk <[email protected]>

Compromise: root (local)

Vulnerable Systems: This just shows (as Solar Designer is well aware) that in some cases the non-executable stack patch can be subverted via sneaky techniques.

Date: 30 January 1998

Notes: Solar Designer's response is in the addendum.

Details

Date: Fri, 30 Jan 1998 18:09:35 +0100

From: Rafal Wojtczuk <[email protected]>

To: [email protected]

Subject: Defeating Solar Designer non-executable stack patch

-=[ Defeating Solar Designer's Non-executable Stack Patch ]=-

Text and source code written by Rafal Wojtczuk ( [email protected] )

Section I. Preface

The patch mentioned in the title has been with us for some time. No doubt it stops attackers from using hackish scripts; it is even included in just-released Phrack 52 as a means to harden your Linux kernel. However, it seems to me there exist at least two generic ways to bypass this patch fairly easily ( I mean its part that deals with executable stack ). I will explain the details around section V.

Before continuing, I suggest refreshing in your memory Designer's excellent article about return-into-libc exploits. You can find it at http://www.geek-girl.com/bugtraq/1997_3/0281.html

"I recommend that you read the entire message even if you aren't running Linux since a lot of the things described here are applicable to other systems as well."

from the afore-mentioned Solar Designer's article

If people are interested, we can discuss the rest in more detail.

This is exactly how the iPhone got cracked.

