linuxuser wrote: OK, so not to sound like a total n00b, but my 2.6.11.7 kernel has SEGMEXEC also enabled in the .config:
CONFIG_PAX_SEGMEXEC=y
CONFIG_PAX_DEFAULT_SEGMEXEC=y
So is there anything else that needs to be done to enable this system-wide? (i.e., does an RBAC ACL need to be created to do this, or will the default disabled gradm ACLs do this?)
it is enabled system-wide, but what matters more is whether it's mandatory or not. if you're using the ELF marking only, then it's discretionary control and any local user can simply turn it off on his exploit, whereas through the ACL system you can enforce it on everything.
But, if I run the exploit itself, it seems to work...
./elfcd1
[+] ./elfcd1 argv_start=0x5f515feb argv_end=0x5f515ff3 ESP: 0x5f515e80
[+] phase 1
[+] AAAA argv_start=0x5f0d2f5a argv_end=0x5f0d2f5e ESP: 0x5f0d2e30
[+] phase 2, <RET> to crash Killed
if the 'exploit' had worked then you wouldn't be copy/pasting this, as your box would be hosed for good. as I explained in the previous comment, under the SEGMEXEC address space layout it's impossible to create a > 2GB environment (or any mapping for that matter), hence the integer overflow cannot occur.