I'm reading Hacking: The art of exploitation, which is apparently full of outdated information (doesn't take into account canaries, non executable stack, ASLR). I am trying to understand whether (and how) stack overflow attacks are possible even on modern systems. The best paper I have found so far is Stack smashing on a modern Linux system, which is at least from 2012.
It seems like the real thing that hinders stack overflow attacks from executing arbitrary code is both canaries and Position Independent Executable (to disable which, in gcc, flags -fno-stack-protector
and -fPIE
). PIE makes the stack non-executable, so that even if one managed to overwrite a return address with a stack address, the program would crash because code on the stack would not be allowed to be executed.
Apparently, the Linux terminal command readelf -l <filename>
allows to know whether an executable was compiled with PIE on or not. The GNU_STACK
header is the one we should look at: if it is RWE
then execution is allowed, if the E
is missing, then it isn't. So it's simple to check whether the stack is executable or not. (It's worth pointing out that it't not to easy to check whether the file was compiled with canaries protection on without disassembling or crashing the software)
However, as far as I have understood, the GNU_STACK
header can easily be tweaked to be RWE
through a small tool called execstack. It's as easy as execstack -s <filename>
. It doesn't even require root privileges (as long as the owner of the file isn't root, of course).
Now, my question is: what's the point of PIE, if we can so easily alter its setting? Disabling canaries would require recompiling the whole file, because the canary checks are built into the assembly code, but the GNU_STACK
header seems so fallible... What am I missing?
UPDATE: "If the attacker can modify the header, then that means the attacker has already achieved code injection."
I'm not sure this is true. If the attacker wants to exploit a flaw in an executable, he is likely to need another executable. For example, in the book Hacking: the art of exploitation, the flaw in notesearch
is exploit through notesearch_exploit
. Even if notesearch
has non-executable stack, one could easily make it executable through an apt call to execstack in notesearch_exploit
(given the fact that no root privileges), thus bypassing the PIE limitation. Isn't this correct?