On Tue, Feb 28, 2012 at 7:44 AM, Christian <[email protected]> wrote:
> Thank you for your replies. However, we have tried to recompile our
> shellcode with the option
>
> LOCAL_DISABLE_NO_EXECUTE := true
>
> but the result is always the same: the stack remains non executable
> (on Android 4.0.3).
> We have also tried with the options
>
> LOCAL_CFLAGS += -Wa,--execstack
> LOCAL_LDFLAGS += -Wl,-z,execstack
>
> and the behaviour is again the same.
> Debugging our shellcode, when the execution should continue from the
> shellcode itself, we get the following message (using Keil Development
> Studio 5):
>
> ERROR(CMD440-COR182-TAD23-NAL31):
> ! Stepping failed
> ! Failed to step instruction at 0xBEEF0404
> ! Unable to step device gdbserver
> ! Step timed out
>
> where 0xBEEF0404 is the start address of our shellcode.
> Moreover, we have analysed with "readelf" the elf file produced by the
> compilation, and the stack is marked as RW (no execute).
> Our complete Android.mk is this: http://pastebin.com/iTFPs3Q2
> We successfully tested our shellcode both on Android 1.5 and Android
> 2.2.

Try changing the page's protection with mprotect(2).
http://linux.die.net/man/2/mprotect

Jeff

> On 27 Feb, 20:05, Nick Kralevich <[email protected]> wrote:
>> In the NDK, you should be able to set "DISABLE_NO_EXECUTE" to true to
>> disable noexec protections.
>>
>> Alternately, like Rodrigo implied, you should be able to set the following
>> CFLAG:
>>
>> -Wa,--execstack
>>
>> and the following LDFLAG
>>
>> -Wl,-z,execstack
>>
>> (untested)
>>
>> -- Nick
>>
>> On Mon, Feb 27, 2012 at 10:52 AM, Antonio <[email protected]> wrote:
>> > Hi all!
>> >
>> > We are a couple of Information Technology Engineering students and we
>> > are doing a research work, for the IT Security exam, about the
>> > possibility to perform buffer overflow attacks on Android devices.
>> >
>> > We know that the actual version supports ASLR, ProPolice and NX. We
>> > have already disabled ProPolice (using LOCAL_CFLAGS := -fno-stack-protector
>> > in the Makefile); ASLR is not a problem because our simple
>> > shellcode doesn't jump to external code pieces: it calls the needed
>> > syscalls through their identifiers. The problem is that we aren't able
>> > to make the process stack executable! We don't know if and how it is
>> > possible.
>> >
>> > In order to test our shellcode, we tried on an old version of Android,
>> > the 1.5 (where the stack was executable) and it works fine.
>> >
>> > Our configuration is the following:
>> > * Eclipse Java EE IDE for Web Developers version 3.7.1 Indigo (32
>> >   bit) on a Windows 7 box.
>> > * Android SDK revision 16.
>> > * Android 4.0.3 IceCream Sandwich with API level 15.
>> > * Android NDK release 7.
>> > * The Android Virtual Device virtualizes a Cortex-A8 based on ARMv7.
>> > * For the debugging we are working with the Eclipse plugin: Keil ARM
>> >   Development Studio 5 Community Edition version 5.8.
>> >
>> > Is there someone who can help us?
>> >
>> > Thank you in advance!
>> >
>> > Antonio and Christian
>> >
>> > --
>> > You received this message because you are subscribed to the Google Groups
>> > "Android Security Discussions" group.
>> > To post to this group, send email to
>> > [email protected].
>> > To unsubscribe from this group, send email to
>> > [email protected].
>> > For more options, visit this group at
>> > http://groups.google.com/group/android-security-discuss?hl=en.
>>
>> --
>> Nick Kralevich | Android Security | [email protected] | 650.214.4037
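The thread turns on one question of fact: is the stack of the test process actually executable? Christian answered it two ways, with readelf on the ELF file (GNU_STACK marked RW) and with the debugger (the step into 0xBEEF0404 failing). The program below is an added example, not code from this thread, from Keil, or from the Android NDK; the function names, the constructed /proc maps lines and the constructed ELF fixture are ours. It does the same two checks in code: it reads the "[stack]" mapping from /proc/self/maps at runtime (check 1) and reads the PT_GNU_STACK program header of an ELF32 image (check 2), which is the field readelf -l reports.

```c
/* Added example, not code from this thread or from the Android NDK.
 * Check 1: read the "[stack]" line of /proc/<pid>/maps at runtime.
 * Check 2: read the PT_GNU_STACK program header of an ELF32 image, which
 * is what "readelf -l" prints and what the kernel consults when mapping
 * the initial stack. Function names are ours. Linux/Android, C99. */
#include <elf.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One /proc/<pid>/maps line: 1 if it is "[stack]" and executable, 0 if
 * "[stack]" and not executable, -1 if it describes some other mapping. */
int maps_line_stack_exec(const char *line)
{
    char perms[8] = "", path[256] = "";
    /* fields: start-end perms offset dev inode [pathname] */
    if (sscanf(line, "%*s %7s %*s %*s %*s %255s", perms, path) != 2)
        return -1;
    return strcmp(path, "[stack]") == 0 ? (perms[2] == 'x') : -1;
}

/* Same check against the running process; -1 if /proc is unavailable. */
int live_stack_is_executable(void)
{
    char line[512];
    int result = -1;
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    while (result < 0 && fgets(line, sizeof line, f))
        result = maps_line_stack_exec(line);
    fclose(f);
    return result;
}

/* p_flags of PT_GNU_STACK in a native-endian ELF32 image held in memory,
 * or -1 if absent or malformed. PF_X set means the loader will map an
 * executable stack. Most loaders also treat a *missing* header as
 * executable, so -1 on a real binary is a finding, not a pass. */
long gnu_stack_flags32(const unsigned char *img, size_t len)
{
    Elf32_Ehdr eh; Elf32_Phdr ph;
    if (len < sizeof eh || memcmp(img, ELFMAG, SELFMAG) != 0 ||
        img[EI_CLASS] != ELFCLASS32)
        return -1;
    memcpy(&eh, img, sizeof eh);                /* img may be unaligned */
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        size_t off = (size_t)eh.e_phoff + (size_t)i * eh.e_phentsize;
        if (eh.e_phentsize < sizeof ph || off + sizeof ph > len) return -1;
        memcpy(&ph, img + off, sizeof ph);
        if (ph.p_type == PT_GNU_STACK) return ph.p_flags;
    }
    return -1;
}

/* Constructed fixture: a minimal ELF32/ARM header plus one PT_GNU_STACK
 * entry with the given flags (not a loadable binary), run through the
 * checker so the logic can be exercised without an ARM toolchain. */
long fixture_stack_flags(unsigned flags)
{
    unsigned char img[sizeof(Elf32_Ehdr) + sizeof(Elf32_Phdr)];
    Elf32_Ehdr eh; Elf32_Phdr ph;
    memset(&eh, 0, sizeof eh); memset(&ph, 0, sizeof ph);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS32; eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT; eh.e_version = EV_CURRENT;
    eh.e_type = ET_EXEC; eh.e_machine = EM_ARM;
    eh.e_ehsize = sizeof eh; eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof ph; eh.e_phnum = 1;
    ph.p_type = PT_GNU_STACK; ph.p_flags = flags;
    memcpy(img, &eh, sizeof eh); memcpy(img + sizeof eh, &ph, sizeof ph);
    return gnu_stack_flags32(img, sizeof img);
}

/* Usage: ./stackcheck [elf32-binary] */
int main(int argc, char **argv)
{
    int live = live_stack_is_executable();
    printf("[stack] executable in this process: %s\n",
           live < 0 ? "unknown" : live ? "yes" : "no");
    if (argc > 1) {
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        unsigned char *img = malloc(1 << 20);   /* program headers sit near the start */
        size_t got = img ? fread(img, 1, 1 << 20, f) : 0;
        long fl = gnu_stack_flags32(img, got);
        printf("PT_GNU_STACK of %s: %s\n", argv[1],
               fl < 0 ? "absent or not ELF32" : (fl & PF_X) ? "RWE" : "RW");
        free(img); fclose(f);
    }
    return 0;
}
```

The two checks answer different questions, which is why both are worth having. PT_GNU_STACK is a link-time property: it is what the -Wl,-z,execstack flag and the NDK's execstack setting are meant to change, and it only tells you what the loader will do when the process starts. The "[stack]" line in /proc/self/maps is the runtime truth for that mapping, so it is the one that reflects a later mprotect(2) call, and also the one that reflects a platform policy that ignores or overrides the ELF header. When the two disagree, the maps line is what the hardware enforces; for an audit, a binary whose header says RWE, or has no PT_GNU_STACK at all, is the thing to flag.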
