Home > OS >  how to change stack protection via syscalls without parameters
how to change stack protection via syscalls without parameters

Time:10-23

This is a little bit strange question. I am trying to find a syscall that allowed to execute code on the stack without parameters on i386. I am doing ctf and I success to find a way to call syscall and control eax and have full control on the stack (with argv so just pointer to my strings). now I am jumping to the vdso (thats all the code in the program no dll's or anything else) to run a syscall that will allowed stack execution. but I go on the man page over and over and didn't found something I can use.

$uname -r 4.4.179-0404179-generic

CodePudding user response:

There's no zero-arg Linux system call equivalent to mprotect(stack_base, stack_size, PROT_WRITE|PROT_READ|PROT_EXEC).

Not that I know of, and I wouldn't expect there to be one. Probably the only use case would be to help attackers, which is the opposite of hardening; normally you can make the stack executable via linker options or any specific pages via mprotect with args. There's no need for a shortcut for that.

There's also not one that can set the READ_IMPLIES_EXEC personality for an already-running process, even if you do allow args. (See Using personality syscall to make the stack executable - at best it will have an effect after execve.)

You might be able to use some ROP techniques to get some args set up for mprotect, and then return to the code you injected.

Page link:https//www.codepudding.com/os/585096.html

Prev:Problem with passing a nested structure by reference to a function (Array of structures inside a str
Next:Cant find out how can I compare two manytomany fields and show the result in context
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding