Channel: Active questions tagged linux-kernel - Stack Overflow

Is it possible to run programs without any non-executable segment protection in modern Linux Kernels?


I'm dabbling in Cyber Security, particularly the topic of buffer overflows. To this end, I'm considering an example in which a buffer overflow allows an attacker to execute arbitrary code from within a statically allocated message buffer (i.e. somewhere in the data segment). Regrettably, my efforts fail with segmentation faults, near guaranteed because of missing execution rights on that data segment (my attack does run properly on an executable stack).

I am well aware that there are options to mark a program as requiring an executable stack, which will be heeded by the kernel when loading the binary. Namely, you can create such a binary with

gcc -z execstack <source> -o <binary>

In the past, this actually sufficed to also receive an executable heap in Linux, since apparently all readable pages were then treated as executable pages. But with more modern kernels, pretty much only the stack becomes executable with this option.

I'd also like to mention two previous questions from the Stack Exchange network relating to this topic:

  1. First one: Refers to the mprotect system call, which allows manually redefining the traits of pages from within the program. Unfortunately, this approach is not applicable for my purpose, as I don't have any such control over the program and am trying to establish the ability to execute code in the first place.
  2. Second one: Notes that the behavior of execstack on Linux indeed changed some time between kernel versions, so a workaround can be to use an old Linux Kernel (maybe up to 5.4.0) with the -z execstack linker option when compiling the binary. Unfortunately, the question itself (what led to this change) remains unanswered.

So then: Is there any way in modern Linux to run a program without executability protections on the segments, without having to change the program code itself? Failing that, is there a way to at least make the heap / data segment executable? Or can it be constituted that only the stack can be made executable in general?
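
An added example (not part of the original question): a small C auditor that reads lines in the /proc/<pid>/maps format and flags mappings that are both writable and executable, so the behaviour described above (stack marked rwx by -z execstack, data segment and heap still rw-) can be checked on a running process. The sample lines, the path /home/u/vuln and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Bits reported for mappings that are both writable and executable. */
enum { WX_STACK = 1, WX_HEAP = 2, WX_FILE = 4, WX_ANON = 8 };

/* Classify one /proc/<pid>/maps line ("start-end perms offset dev inode [path]").
 * Returns 0 unless the mapping is writable AND executable. */
int classify_line(const char *line)
{
    unsigned long start, end;
    char perms[5] = "", path[256] = "";
    int n = sscanf(line, "%lx-%lx %4s %*s %*s %*s %255[^\n]",
                   &start, &end, perms, path);
    if (n < 3 || perms[1] != 'w' || perms[2] != 'x')
        return 0;
    if (strcmp(path, "[stack]") == 0) return WX_STACK;
    if (strcmp(path, "[heap]") == 0)  return WX_HEAP;
    return path[0] ? WX_FILE : WX_ANON;  /* file-backed (e.g. .data) or anonymous */
}

/* Constructed sample (not captured output): the layout the question describes
 * for a -z execstack binary on a recent kernel; path and addresses are made up. */
static const char *SAMPLE[] = {
    "00401000-00402000 r-xp 00001000 08:01 131 /home/u/vuln",
    "00404000-00405000 rw-p 00003000 08:01 131 /home/u/vuln",
    "01c3a000-01c5b000 rw-p 00000000 00:00 0 [heap]",
    "7ffd1a2b3000-7ffd1a2d4000 rwxp 00000000 00:00 0 [stack]",
};

/* OR together the findings for an array of maps lines. */
int audit_lines(const char **lines, int count)
{
    int found = 0;
    for (int i = 0; i < count; i++)
        found |= classify_line(lines[i]);
    return found;
}

int main(void)
{
    char line[512];
    int found = 0;
    FILE *fp = fopen("/proc/self/maps", "r");   /* live view of this process */
    while (fp && fgets(line, sizeof line, fp))
        found |= classify_line(line);
    if (fp) fclose(fp); else found = audit_lines(SAMPLE, 4);
    printf("W+X mask: %#x (1=stack 2=heap 4=file 8=anon)\n", found);
    return 0;
}
```

Run as written, it audits its own mappings and falls back to the constructed sample when /proc is unavailable.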

