This is an automated email from the git hooks/post-receive script.
jforbes pushed a commit to branch master
in repository kernel-tests.
commit 6e3d89c02437a6cc5cef0fdc6bad578e700cf4b8
Author: Dave Jones <davej(a)redhat.com>
Date: Tue Jun 12 11:59:51 2012 -0400
Add paxtest
---
.gitignore | 1 +
default/paxtest/.gitignore | 41 ++++
default/paxtest/COPYING | 340 +++++++++++++++++++++++++++++
default/paxtest/ChangeLog | 1 +
default/paxtest/Makefile | 24 ++
default/paxtest/Makefile.OpenBSD | 172 +++++++++++++++
default/paxtest/Makefile.psm | 214 ++++++++++++++++++
default/paxtest/README | 210 ++++++++++++++++++
default/paxtest/anonmap.c | 42 ++++
default/paxtest/body.c | 109 +++++++++
default/paxtest/body.h | 4 +
default/paxtest/chpax-0.7/Changelog | 21 ++
default/paxtest/chpax-0.7/Makefile | 33 +++
default/paxtest/chpax-0.7/README | 11 +
default/paxtest/chpax-0.7/aout.c | 18 ++
default/paxtest/chpax-0.7/chpax.1 | 80 +++++++
default/paxtest/chpax-0.7/chpax.c | 97 ++++++++
default/paxtest/chpax-0.7/chpax.h | 77 +++++++
default/paxtest/chpax-0.7/elf32.c | 22 ++
default/paxtest/chpax-0.7/elf64.c | 22 ++
default/paxtest/chpax-0.7/flags.c | 147 +++++++++++++
default/paxtest/chpax-0.7/io.c | 118 ++++++++++
default/paxtest/crt1S.S | 57 +++++
default/paxtest/debian/changelog | 75 +++++++
default/paxtest/debian/control | 24 ++
default/paxtest/debian/copyright | 8 +
default/paxtest/debian/dirs | 2 +
default/paxtest/debian/docs | 5 +
default/paxtest/debian/manpage.1.ex | 60 +++++
default/paxtest/debian/manpage.sgml.ex | 152 +++++++++++++
default/paxtest/debian/paxtest.sgml | 167 ++++++++++++++
default/paxtest/debian/rules | 104 +++++++++
default/paxtest/execbss.c | 31 +++
default/paxtest/execdata.c | 31 +++
default/paxtest/execheap.c | 36 +++
default/paxtest/execstack.c | 30 +++
default/paxtest/genpaxtest | 74 +++++++
default/paxtest/getamap.c | 30 +++
default/paxtest/getheap.c | 24 ++
default/paxtest/getmain.c | 19 ++
default/paxtest/getshlib.c | 36 +++
default/paxtest/getstack.c | 18 ++
default/paxtest/interp.c | 5 +
default/paxtest/mprotanon.c | 65 ++++++
default/paxtest/mprotbss.c | 39 ++++
default/paxtest/mprotdata.c | 39 ++++
default/paxtest/mprotheap.c | 44 ++++
default/paxtest/mprotshbss.c | 71 ++++++
default/paxtest/mprotshdata.c | 71 ++++++
default/paxtest/mprotstack.c | 35 +++
default/paxtest/randamap.c | 12 +
default/paxtest/randbody.c | 63 ++++++
default/paxtest/randheap1.c | 12 +
default/paxtest/randheap2.c | 12 +
default/paxtest/randmain1.c | 12 +
default/paxtest/randmain2.c | 12 +
default/paxtest/randshlib.c | 12 +
default/paxtest/randstack1.c | 12 +
default/paxtest/randstack2.c | 12 +
default/paxtest/results/Adamantix.blackhat | 33 +++
default/paxtest/results/Adamantix.kiddie | 33 +++
default/paxtest/results/Gentoo.blackhat | 33 +++
default/paxtest/results/Results.README | 10 +
default/paxtest/rettofunc1.c | 31 +++
default/paxtest/rettofunc1x.c | 31 +++
default/paxtest/rettofunc2.c | 25 +++
default/paxtest/rettofunc2x.c | 25 +++
default/paxtest/runtest.sh | 20 ++
default/paxtest/shellcode.h | 37 ++++
default/paxtest/shlibbss.c | 63 ++++++
default/paxtest/shlibdata.c | 63 ++++++
default/paxtest/shlibtest.c | 16 ++
default/paxtest/shlibtest2.c | 17 ++
default/paxtest/targets | 10 +
default/paxtest/writetext.c | 56 +++++
75 files changed, 3818 insertions(+)
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..5761abc
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+*.o
diff --git a/default/paxtest/.gitignore b/default/paxtest/.gitignore
new file mode 100644
index 0000000..db10415
--- /dev/null
+++ b/default/paxtest/.gitignore
@@ -0,0 +1,41 @@
+anonmap
+chpax
+execbss
+execdata
+execheap
+execstack
+getamap
+getheap1
+getheap2
+getmain1
+getmain2
+getshlib
+getstack1
+getstack2
+mprotanon
+mprotbss
+mprotdata
+mprotheap
+mprotshbss
+mprotshdata
+mprotstack
+paxbin
+paxtest
+paxtest.log
+randamap
+randheap1
+randheap2
+randmain1
+randmain2
+randshlib
+randstack1
+randstack2
+rettofunc1
+rettofunc1x
+rettofunc2
+rettofunc2x
+shlibbss
+shlibdata
+shlibtest.so
+shlibtest2.so
+writetext
diff --git a/default/paxtest/COPYING b/default/paxtest/COPYING
new file mode 100644
index 0000000..60549be
--- /dev/null
+++ b/default/paxtest/COPYING
@@ -0,0 +1,340 @@
+ GNU GENERAL PUBLIC LICENSE
+ Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+ 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users. This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it. (Some other Free Software Foundation software is covered by
+the GNU Library General Public License instead.) You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+ To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have. You must make sure that they, too, receive or can get the
+source code. And you must show them these terms so they know their
+rights.
+
+ We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+ Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software. If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+ Finally, any free program is threatened constantly by software
+patents. We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary. To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ GNU GENERAL PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License. The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language. (Hereinafter, translation is included without limitation in
+the term "modification".) Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope. The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+ 1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+ 2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+ a) You must cause the modified files to carry prominent notices
+ stating that you changed the files and the date of any change.
+
+ b) You must cause any work that you distribute or publish, that in
+ whole or in part contains or is derived from the Program or any
+ part thereof, to be licensed as a whole at no charge to all third
+ parties under the terms of this License.
+
+ c) If the modified program normally reads commands interactively
+ when run, you must cause it, when started running for such
+ interactive use in the most ordinary way, to print or display an
+ announcement including an appropriate copyright notice and a
+ notice that there is no warranty (or else, saying that you provide
+ a warranty) and that users may redistribute the program under
+ these conditions, and telling the user how to view a copy of this
+ License. (Exception: if the Program itself is interactive but
+ does not normally print such an announcement, your work based on
+ the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+ 3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+ a) Accompany it with the complete corresponding machine-readable
+ source code, which must be distributed under the terms of Sections
+ 1 and 2 above on a medium customarily used for software interchange; or,
+
+ b) Accompany it with a written offer, valid for at least three
+ years, to give any third party, for a charge no more than your
+ cost of physically performing source distribution, a complete
+ machine-readable copy of the corresponding source code, to be
+ distributed under the terms of Sections 1 and 2 above on a medium
+ customarily used for software interchange; or,
+
+ c) Accompany it with the information you received as to the offer
+ to distribute corresponding source code. (This alternative is
+ allowed only for noncommercial distribution and only if you
+ received the program in object code or executable form with such
+ an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it. For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable. However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+ 4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License. Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+ 5. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Program or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+ 6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+ 7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all. For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+ 8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded. In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+ 9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation. If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+ 10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission. For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this. Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+ NO WARRANTY
+
+ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+ END OF TERMS AND CONDITIONS
+
+ How to Apply These Terms to Your New Programs
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+ <one line to give the program's name and a brief idea of what it does.>
+ Copyright (C) 19yy <name of author>
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+ Gnomovision version 69, Copyright (C) 19yy name of author
+ Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License. Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary. Here is a sample; alter the names:
+
+ Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+ `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+ <signature of Ty Coon>, 1 April 1989
+ Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs. If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library. If this is what you want to do, use the GNU Library General
+Public License instead of this License.
diff --git a/default/paxtest/ChangeLog b/default/paxtest/ChangeLog
new file mode 120000
index 0000000..d526672
--- /dev/null
+++ b/default/paxtest/ChangeLog
@@ -0,0 +1 @@
+debian/changelog
\ No newline at end of file
diff --git a/default/paxtest/Makefile b/default/paxtest/Makefile
new file mode 100644
index 0000000..e38ae7e
--- /dev/null
+++ b/default/paxtest/Makefile
@@ -0,0 +1,24 @@
+#!/usr/bin/make
+#
+# PaXtest master makefile
+# Copyright(c) 2003 by Peter Busser <peter(a)adamantix.org>
+# This file has been released under the GNU Public Licence version 2 or later
+
+all:
+ @cat targets
+
+linux:
+ make -f Makefile.psm
+
+linux32:
+ make -f Makefile.psm THEARCH=-m32
+
+linux64:
+ make -f Makefile.psm THEARCH=-m64
+
+openbsd:
+ gmake -f Makefile.OpenBSD
+
+clean:
+ make -f Makefile.psm clean
+
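Review bot: The recipes for `linux`, `linux32`, `linux64` and `clean` invoke a literal `make`, so `make -n` does not descend into Makefile.psm, the parallel jobserver is not shared, and a make binary started under another name is not reused. The usual form is `$(MAKE) -f Makefile.psm THEARCH=-m32`. None of the targets names a real file, so a `.PHONY: all linux linux32 linux64 openbsd clean` line would stop a stray file called `linux` or `clean` from short-circuiting them.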
diff --git a/default/paxtest/Makefile.OpenBSD b/default/paxtest/Makefile.OpenBSD
new file mode 100644
index 0000000..b155313
--- /dev/null
+++ b/default/paxtest/Makefile.OpenBSD
@@ -0,0 +1,172 @@
+#!/usr/bin/gmake
+
+CC=gcc
+CFLAGS=
+LDFLAGS=
+ifndef RUNDIR
+RUNDIR=.
+endif
+
+CFLAGS+=-DRUNDIR=\"${RUNDIR}\" -fno-stack-protector -ftrampolines
+LDFLAGS+=-lpthread
+
+
+TESTS= anonmap \
+ execbss \
+ execdata \
+ execheap \
+ execstack \
+ mprotanon \
+ mprotbss \
+ mprotdata \
+ mprotheap \
+ mprotshbss \
+ mprotshdata \
+ mprotstack \
+ randamap \
+ randheap1 \
+ randmain1 \
+ randshlib \
+ randstack1 \
+ randstack2 \
+ rettofunc1 \
+ rettofunc1x \
+ rettofunc2 \
+ rettofunc2x \
+ shlibbss \
+ shlibdata \
+ writetext
+
+UTILS= getamap \
+ getheap1 \
+ getheap2 \
+ getmain1 \
+ getmain2 \
+ getshlib \
+ getstack1 \
+ getstack2
+
+SHLIBS= shlibtest.so \
+ shlibtest2.so
+
+all: $(SHLIBS) $(TESTS) $(UTILS) paxtest
+
+clean:
+ -rm -f *.o *.s *~ core
+ -rm -f $(SHLIBS) $(TESTS) $(UTILS)
+ -rm -f paxtest paxtest.log a.out
+
+ifdef DESTDIR
+ifdef BINDIR
+ifdef RUNDIR
+install: all
+ mkdir -p $(DESTDIR)/$(RUNDIR)
+ cp $(SHLIBS) $(TESTS) $(UTILS) $(DESTDIR)/$(RUNDIR)
+ mkdir -p $(DESTDIR)/$(BINDIR)
+ cp paxtest $(DESTDIR)/$(BINDIR)
+ chmod 755 $(DESTDIR)/$(BINDIR)/paxtest
+endif
+endif
+endif
+
+paxtest: $(TESTS) genpaxtest
+ sh genpaxtest $(TESTS)
+
+anonmap: body.o anonmap.o
+
+execbss: body.o execbss.o
+
+execdata: body.o execdata.o
+
+execheap: body.o execheap.o
+
+execstack: body.o execstack.o
+
+getheap1: getheap.o
+ $(CC) $(LDFLAGS) -o $@ $+
+
+getheap2: getheap.o
+ $(CC) -shared -o $@ $+
+
+getheap.o: getheap.c
+ $(CC) $(CFLAGS) -fPIC -o $@ -c $<
+
+getamap.o: getamap.c
+
+getmain1: getmain.o
+ $(CC) $(LDFLAGS) -o $@ $+
+
+getmain2: getmain2.o
+ $(CC) -shared -o $@ $+
+
+getmain2.o: getmain.c
+ $(CC) $(CFLAGS) -fPIC -o $@ -c $<
+
+getshlib: getshlib.o
+
+getstack1: getstack.o
+ $(CC) $(LDFLAGS) -o $@ $+
+
+getstack2: getstack1
+ rm -f $@
+ cp getstack1 $@
+ chmod +x $@
+
+mprotanon: body.o mprotanon.o
+
+mprotbss: body.o mprotbss.o
+
+mprotheap: body.o mprotheap.o
+
+mprotdata: body.o mprotdata.o
+
+mprotshbss: body.o mprotshbss.o shlibtest.so
+
+mprotshdata: body.o mprotshdata.o shlibtest.so
+
+mprotstack: body.o mprotstack.o
+
+randamap: randbody.o randamap.o
+
+randheap1: randbody.o randheap1.o
+
+randheap2: randbody.o randheap2.o
+
+randmain1: randbody.o randmain1.o
+
+randmain2: randbody.o randmain2.o
+
+randshlib: randbody.o randshlib.o
+
+randstack1: randbody.o randstack1.o
+
+randstack2: randbody.o randstack2.o
+
+rettofunc1: body.o rettofunc1.o
+
+rettofunc1x: body.o rettofunc1x.o
+ $(CC) $(LDFLAGS) -o $@ $+
+
+rettofunc2: body.o rettofunc2.o
+
+rettofunc2x: body.o rettofunc2x.o
+ $(CC) $(LDFLAGS) -o $@ $+
+
+shlibtest.o: shlibtest.c
+ $(CC) $(CFLAGS) -fPIC -c $< -o $@
+
+shlibtest2.o: shlibtest2.c
+ $(CC) $(CFLAGS) -fPIC -c $< -o $@
+
+shlibtest.so: shlibtest.o
+ $(CC) $(SHLDFLAGS) -shared -o $@ $+
+
+shlibtest2.so: shlibtest2.o
+ $(CC) $(SHLDFLAGS) -shared -o $@ $+
+
+shlibbss: body.o shlibbss.o shlibtest.so shlibtest2.so
+
+shlibdata: body.o shlibdata.o shlibtest.so shlibtest2.so
+
+writetext: body.o writetext.o shlibtest.so
+
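Review bot: The `ifdef RUNDIR` guard around the `install` rule can never be false, because the `ifndef RUNDIR` block at the top of this file already defaults it to `.`. With only DESTDIR and BINDIR set, the test programs are therefore copied into `$(DESTDIR)/.`, and CFLAGS here builds them with `-fno-stack-protector`, so an accidental install location is worth avoiding. Makefile.psm has the same default and the same guard. If an explicit run directory is meant to be required, record whether the caller supplied one before the default is applied, e.g. `ifdef RUNDIR` / `RUNDIR_SET := 1` / `endif`, and test `ifdef RUNDIR_SET` in the install guard.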
diff --git a/default/paxtest/Makefile.psm b/default/paxtest/Makefile.psm
new file mode 100644
index 0000000..68b960f
--- /dev/null
+++ b/default/paxtest/Makefile.psm
@@ -0,0 +1,214 @@
+#!/usr/bin/make
+
+# tested with make-3.79.1/gcc-2.96 (shared) and make-3.80/gcc-3.3.2/3 (pie)
+# make-3.79.1 does not support $$@ as target requirement (works for make-3.80)
+
+# preliminaries:
+# Gentoo modifies the specs adding pie/nopie to enable/disable ET_DYN binaries
+
+CC := gcc
+LD := ld
+CC_PIC := -fPIC
+
+check_gcc = $(shell if $(CC) $(1) -S -o /dev/null -xc /dev/null > /dev/null
2>&1; \
+ then echo "$(1)"; else echo "$(2)"; fi)
+
+check_as = $(shell if $(CC) -Wa,$(1) -Wa,-Z -c -o /dev/null -xassembler /dev/null >
/dev/null 2>&1; \
+ then echo "-Wa,$(1)"; fi)
+
+# stack protector has to be disabled for some tests
+CC_SSP := $(call check_gcc,-fno-stack-protector,)
+CC_SSP += $(call check_gcc,-fno-stack-protector-all,)
+
+ASFLAGS := $(call check_as,--noexecstack)
+
+CC_PIE := $(call check_gcc,-fPIE,-fPIC)
+
+CC_TRAMPOLINES := $(call check_gcc,-ftrampolines,)
+
+CC_MSECURE_PLT := $(call check_gcc,-msecure-plt,)
+
+LD_PIE = $(shell $(LD) --help | grep -q pie && echo "-pie")
+ifneq ($(LD_PIE),)
+# Gentoo (hardened specs enabled)
+CC_ETEXEC = $(shell $(CC) -dumpspecs | grep -q "\!nopie" && echo
"-nopie")
+LD_ETEXEC = $(CC_ETEXEC)
+endif
+
+ifeq ($(LD_PIE),)
+LD_PIE = -shared
+endif
+
+# check for installed binaries
+CHPAXBIN := $(shell if which chpax >/dev/null 2>&1 ; then echo chpax; fi)
+PAXCTLBIN := $(shell if which paxctl >/dev/null 2>&1 ; then echo paxctl; fi)
+# should somehow use this to see if we really need paxctl
+# list=`paxctl -qQv /sbin/paxctl 2>/dev/null`; if echo $list | grep -q "PaX
flags" ; then echo paxctl; fi
+# instead we use both markings to have paxtest running correctly on all platforms
+
+ifneq ($(PAXCTLBIN),)
+DUMMY := $(shell echo '${PAXCTLBIN} $$*' > paxbin)
+endif
+
+# for some reason the .c files need it, else GNU_STACK=RWE
+OPT_FLAGS := -O2 $(ASFLAGS)
+PTHREAD := -lpthread
+# define stripping of binaries/libs here, or set these on make's commandline,
+# else you'll loose the chpax flags!
+LDFLAGS :=
+SHLDFLAGS :=
+ifndef RUNDIR
+RUNDIR := .
+endif
+
+# The Hardened GCC compiler has stack protector on by default, this
+# could interfere with the results of this test.
+
+CFLAGS := $(OPT_FLAGS) -D_FORTIFY_SOURCE=0 -DRUNDIR=\"${RUNDIR}\" $(CC_SSP)
$(CC_TRAMPOLINES)
+
+ifneq ($(THEARCH),)
+CFLAGS += $(THEARCH)
+LDFLAGS += $(THEARCH)
+SHLDFLAGS += $(THEARCH)
+endif
+
+EXEC_TESTS = anonmap execbss execdata execheap execstack
+MPROT_TESTS = mprotanon mprotbss mprotdata mprotheap mprotstack
+SHLIB_TESTS = shlibbss shlibdata
+MPROTSH_TESTS = mprotshbss mprotshdata writetext
+RAND_TESTS = randamap randheap1 randheap2 randmain1 randmain2 randshlib randstack1
randstack2
+RET_TESTS = rettofunc1 rettofunc2
+RETX_TESTS = rettofunc1x rettofunc2x
+
+TESTS = $(EXEC_TESTS) $(SHLIB_TESTS) $(MPROT_TESTS) $(MPROTSH_TESTS) $(RAND_TESTS)
$(RET_TESTS) $(RETX_TESTS)
+
+UTILS= getamap getheap1 getheap2 getmain1 getmain2 getshlib getstack1 getstack2
+
+SHLIBS= shlibtest.so shlibtest2.so
+
+ifeq ($(CHPAXBIN),)
+CHPAXVER := 0.7
+CHPAX := chpax-$(CHPAXVER)
+CHPAXSRC := $(CHPAX)/aout.c $(CHPAX)/chpax.c $(CHPAX)/elf32.c $(CHPAX)/elf64.c
$(CHPAX)/flags.c $(CHPAX)/io.c
+CHPAXBIN := ./chpax
+all: chpax $(SHLIBS) $(TESTS) $(UTILS) paxtest
+else
+all: $(SHLIBS) $(TESTS) $(UTILS) paxtest
+endif
+
+# we need the failure handling, for kernels not supporting EI_PAX
+DUMMY := $(shell echo '${CHPAXBIN} $$* >/dev/null 2>/dev/null ||:' >>
paxbin; chmod +x paxbin)
+
+PAXBIN := ./paxbin
+DL := -ldl
+
+clean:
+ -rm -f *.o *.s *~ core
+ -rm -f $(TESTS) $(UTILS) $(SHLIBS)
+ -rm -f paxtest paxtest.log a.out dumpspecs paxbin
+ -rm -f chpax-0.7/*.o
+ -rm -f chpax
+
+ifdef DESTDIR
+ifdef BINDIR
+ifdef RUNDIR
+install: all
+ mkdir -p $(DESTDIR)/$(RUNDIR)
+ cp $(SHLIBS) $(TESTS) $(UTILS) $(DESTDIR)/$(RUNDIR)
+ mkdir -p $(DESTDIR)/$(BINDIR)
+ cp paxtest $(DESTDIR)/$(BINDIR)
+ chmod 755 $(DESTDIR)/$(BINDIR)/paxtest
+endif
+endif
+endif
+
+chpax: $(CHPAXSRC:.c=.o)
+ $(CC) $(LDFLAGS) -o $@ $^
+
+paxtest: $(TESTS) genpaxtest
+ sh genpaxtest $(TESTS)
+
+.S.o:
+ $(CC) $(CFLAGS) $(CC_PIE) $(ASFLAGS) -o $@ -c $<
+.c.o:
+ $(CC) $(CFLAGS) -o $@ -c $<
+
+$(EXEC_TESTS) $(MPROT_TESTS): body.o
+ $(CC) $(CFLAGS) -o $@.o -c $@.c
+ $(CC) $(LDFLAGS) $(PTHREAD) -o $@ $< $@.o
+
+$(RAND_TESTS): randbody.o
+ $(CC) $(CFLAGS) -o $@.o -c $@.c
+ $(CC) $(LDFLAGS) -o $@ $< $@.o
+
+getamap: getamap.o
+ $(CC) $(LDFLAGS) -o $@ $@.o
+
+# get heap1/main1 are built w/o PIC
+get%1.o: get%.c
+ $(CC) $(CFLAGS) $(CC_ETEXEC) -o $@ -c $<
+
+# get heap2/main2 are built w/ PIC
+get%2.o: get%.c
+ $(CC) $(CFLAGS) $(CC_PIE) -o $@ -c $<
+
+# Adamantix uses the PIC version (getheap2.o), not necessary for ET_EXEC
+# build as ET_EXEC (not in Adamantix's Makefile)
+getheap1: getheap1.o
+ $(CC) $(LDFLAGS) $(LD_ETEXEC) -o $@ $<
+
+getmain1: getmain1.o
+ $(CC) $(LDFLAGS) $(LD_ETEXEC) -o $@ $<
+ -$(PAXBIN) -C $@
+ $(PAXBIN) -SPRXM $@
+
+getheap2 getmain2: getheap2.o getmain2.o
+ $(CC) $(LDFLAGS) $(LD_PIE) -o $@ $@.o || (echo -e "#!/bin/sh\necho $@ pie not
implemented" > $@; chmod +x $@)
+
+getshlib: getshlib.o
+ $(CC) $(LDFLAGS) -o $@ $< $(DL)
+
+# ET_EXEC and usage of "m" is not confirmed (as in Gentoo patch)
+# Adamantix does not use it
+# Pax Team does not want "m" for getstack1/2
+getstack1: getstack.o
+ $(CC) $(LDFLAGS) -o $@ $<
+ -$(PAXBIN) -C $@
+ $(PAXBIN) -SRpm $@
+
+getstack2: getstack.o
+ $(CC) $(LDFLAGS) -o $@ $<
+ # disable segmexec, kernel else overrides pageexec
+ -$(PAXBIN) -C $@
+ $(PAXBIN) -PRsm $@
+
+$(MPROTSH_TESTS): body.o shlibtest.so
+ $(CC) $(CFLAGS) -o $@.o -c $@.c
+ $(CC) $(LDFLAGS) $(DL) $(PTHREAD) -o $@ $@.o $^
+
+# used for RANDEXEC'd binaries
+retbody.o: body.c
+ $(CC) $(CFLAGS) $(CC_ETEXEC) -o $@ -c $<
+
+# build as ET_EXEC (recommended by PaX Team, not really a requirement)
+$(RET_TESTS): retbody.o
+ $(CC) $(CFLAGS) $(CC_ETEXEC) -o $@.o -c $@.c
+ $(CC) $(LDFLAGS) $(LD_ETEXEC) $(PTHREAD) -o $@ $< $@.o
+
+# build as ET_EXEC (not in Adamantix's Makefile)
+$(RETX_TESTS): retbody.o
+ $(CC) $(CFLAGS) $(CC_ETEXEC) -o $@.o -c $@.c
+ $(CC) $(LDFLAGS) $(LD_ETEXEC) $(PTHREAD) -o $@ $< $@.o
+ -$(PAXBIN) -C $@
+ $(PAXBIN) -SPXM $@
+
+# should also shlibbss.o and shlibdata.o be built w/ PIC?
+# if yes, remove tes from target and dependency
+shlibtes%.o: shlibtes%.c
+ $(CC) $(CFLAGS) $(CC_PIC) -o $@ -c $<
+
+shlib%.so: shlib%.o
+ $(CC) $(SHLDFLAGS) -shared -o $@ $<
+
+$(SHLIB_TESTS): body.o $(SHLIBS) shlibbss.o shlibdata.o
+ $(CC) $(LDFLAGS) $(PTHREAD) -o $@ body.o $@.o $(SHLIBS) $(DL)
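Review bot: The two `DUMMY := $(shell echo ... paxbin)` assignments generate the `paxbin` wrapper at parse time, so it is rewritten on every invocation including `make clean`, and when paxctl is not installed only the `>>` append runs, adding a duplicate chpax line each time. The wrapper also discards chpax's output, ends in `||:` and has no `set -e`, so a failed paxctl or chpax marking is invisible and the later test results may be read as if the requested PaX flags had been applied. Consider producing `paxbin` from an ordinary file rule written with `>` and reporting the failure without aborting, for example `${CHPAXBIN} "$$@" >/dev/null 2>&1 || echo "paxbin: could not mark $$*" >&2`. Using `"$$@"` also keeps file names containing spaces intact where `$$*` splits them.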
diff --git a/default/paxtest/README b/default/paxtest/README
new file mode 100644
index 0000000..15ab406
--- /dev/null
+++ b/default/paxtest/README
@@ -0,0 +1,210 @@
+Paxtest v0.9.9 README file
+
+Copyright (c)2004 by Peter Busser <peter(a)adamantix.org>
+
+Additional architecture/target support & fixes
+by Brad Spengler <spender(a)grsecurity.net>
+
+This file has been released under the GNU GPL version 2 or later.
+
+
+History:
+-------
+When I started the Adamantix project, one of the first things I did was to add
+PaX functionality to the kernel. PaX is a process memory protection patch.
+Anything that happens outside the kernel on a UNIX system happens inside a
+process. There are many attacks on the Internet that try to corrupt the process
+memory, in order to make it do something for which it was not intended. One
+example of such an attack is the so called buffer overflow attack. This kind of
+attack is one of the most popular at this moment.
+
+PaX protects against such attacks. Or so the author claims. When I started to
+add PaX to Adamantix, almost nothing happened. A few libraries broke, but that
+was easy to fix, and that was it. I expected many programs to break. So I
+started to wonder: ``Does this patch really do anything?'' Instead of
+speculating, I decided to write a test suite. After some time, the first
+version of paxtest was ready. More functionality was added. With the addition
+of every test, it proved that PaX was working just fine. I decided to publish
+paxtest, because it can be useful for other people to test the functionality
+of the memory protection of their system(s).
+
+
+Compiling paxtest:
+-----------------
+Compiling paxtest should be quite straightforward. First unpack paxtest. Then
+cd into the directory. And then run one of the following:
+
+make linux (to create Linux binaries)
+make openbsd (to create OpenBSD binaries)
+
+(Type make to get the above list.)
+
+
+Running paxtest:
+---------------
+In order to run paxtest, type the following:
+
+./paxtest kiddie (to run paxtest in script kiddie mode)
+
+or
+
+./paxtest blackhat (to run paxtest in blackhat mode)
+
+This will create a file paxtest.log in the current directory.
+
+
+Kiddie and blackhat mode:
+------------------------
+Paxtest provides two modes. The first mode is the so called kiddie mode, which
+makes paxtest behave rather nicely. This simulates the level of sophistication
+displayed by script kiddies. Good results in this mode do not necessarily mean
+that the security level of your system is high.
+
+The second mode, the blackhat mode, makes paxtest use of a few tricks to try
+to get around the protection of the kernel. The attacks done by paxtest in this
+mode can be performed in real life by attackers too. But the level of
+sophistication is somewhat higher than those of the kiddie mode and the chance
+of success is somewhat lower. But there is still a realistic chance of success.
+
+People who are concerned about the security of their systems should look at
+the blackhat mode results.
+
+
+The tests:
+---------
+There are two types of tests in paxtest. First there are tests which try
+different ways to write and then run exploit code. The more different exploits
+are stopped, the better the protection provided by the system. Note that the
+tests simulate what an exploit could (and would) do, not what an application
+does normally. This is especially important in the mprotect tests because
+some people claim that normal applicatons do not do this - indeed, but that
+is not what these tests are about, they simulate exploits, not applications.
+
+Second, there is a number of tests that measure the randomisation of the
+system. Randomisation does not provide any security, but only makes it harder
+for the attacker to guess where to attack (it is in fact security through
+obscurity). It is like rearranging the furniture in a pitch dark room every
+time someone enters. The more random the furniture is placed, the more likely
+it is that someone stumbles over it. The same applies to randomisation in this
+context, randomisation makes it more likely that an attack does not succeed.
+In short: More random bits is better. Zero bits means: No randomisation.
+
+
+Executable anonymous mapping
+Executable bss
+Executable data
+Executable heap
+Executable stack
+
+ These tests try to write data to memory and then try to execute it as
+ if it was executable code. This is exactly what most buffer exploits
+ do. There are five tests, each test tests one specific memory area.
+
+Executable anonymous mapping (mprotect)
+Executable bss (mprotect)
+Executable data (mprotect)
+Executable heap (mprotect)
+Executable stack (mprotect)
+
+ These tests do the same as the previous tests. But now the test also
+ tries to disable the memory protection in the kernel using mprotect().
+ It changes the protection status of memory. An attacker can use it to
+ try to switch off memory protection and execute shellcode as usual.
+
+Executable shared library bss (mprotect)
+Executable shared library data (mprotect)
+
+ These tests try to overwrite two different data areas in a shared
+ library. After that, it tries to execute the data as if it was code.
+ Again, these tests try to switch off the memory protection using
+ mprotect().
+
+Anonymous mapping randomisation test
+
+ Anonymous mappings are used for dynamically allocating memory in a
+ program. This test tries to figure out the number of random bits used
+ when such an anonymous mapping is requested. More bits is better.
+
+Heap randomisation test (ET_EXEC)
+Heap randomisation test (ET_DYN)
+
+ The heap is used for allocating small chunks of memory in a program.
+ There there are two different types of executables, ET_EXEC (normal
+ executables) and ET_DYN (basically executable shared libraries). The
+ randomisation can depend on the kind of executable, therefore there
+ are two tests.
+
+ Most Linux distributions ship with ET_EXEC executables only. So for
+ those the ET_EXEC randomisation is the most relevant. Adamantix ships
+ with mostly ET_DYN executables, so the ET_EXEC randomisation is not
+ very relevant, but the ET_DYN randomisation is.
+
+ Normally ET_DYN randomisation is bigger than the ET_EXEC randomisation.
+
+Main executable randomisation (ET_EXEC)
+Main executable randomisation (ET_DYN)
+
+ Same here, two tests, because the two different types of executables
+ can have different randomisation.
+
+Shared library randomisation test
+
+ Shared libraries can be located at random addresses too, which is what
+ this test tries to find out.
+
+Stack randomisation test (SEGMEXEC)
+Stack randomisation test (PAGEEXEC)
+
+ The stack is used for storing intermediate data. It also contains
+ addresses that influence the way programs run. That combination makes
+ the stack a popular memory area for attacks. Randomisation makes it
+ harder though, which is what these test try to find out.
+
+Return to function (strcpy)
+Return to function (strcpy, RANDEXEC)
+Return to function (memcpy)
+Return to function (memcpy, RANDEXEC)
+
+ Return to function attacks are very nasty. These tests are hard to
+ stop by kernel patches, but they show that there you should not expect
+ perfect protection from this kind of security patches.
+
+Executable shared library bss
+Executable shared library data
+
+ These tests try to overwrite two different data areas in a shared
+ library. After that, it tries to execute the data as if it was code.
+
+Writable text segments
+
+ When an attacker can overwrite code, he can basically alter the
+ program while it runs. This test tries to do that.
+
+
+Perfect protection:
+------------------
+Perfect protection is not possible. That is also the reason why there are
+so called return to function tests in paxtest. PaX does not prevent return to
+function attacks. Neither do any of the other memory protection patches. But it
+is important that people who use kernel patches like PaX do not get a false
+sense of security. As the PaX documentation points out: There are three
+different classes of attacks, and at this moment PaX can only guarantee
+protection against one of them.
+
+
+Further reading:
+---------------
+PaX home page:
+http://pax.grsecurity.net/
+
+PaX mailing list:
+http://lists.adamantix.org/
+
+PaX documentation (also a thorough introduction into memory protection):
+http://pax.grsecurity.net/docs/
+
+An article I wrote about PaX has been published in Linux Magazine. The whole
+article is available on-line as PDF. It is not very technical, but describes
+what memory protection is and why it is important. It can be found here:
+http://www.linux-magazine.com/issue/40
+
diff --git a/default/paxtest/anonmap.c b/default/paxtest/anonmap.c
new file mode 100644
index 0000000..626e5eb
--- /dev/null
+++ b/default/paxtest/anonmap.c
@@ -0,0 +1,42 @@
+/* anonmap.c - Tests whether code can be executed in anonymous mappings
+ *
+ * Copyright (c)2003 by Peter Busser <peter(a)adamantix.org>
+ * This file has been released under the GNU Public Licence version 2 or later
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/mman.h>
+#include "body.h"
+#include "shellcode.h"
+
+const char testname[] = "Executable anonymous mapping ";
+
+#ifndef MAP_ANONYMOUS
+#define MAP_ANONYMOUS MAP_ANON
+#endif
+
+void doit( void )
+{
+ char *buf;
+ fptr func;
+
+ buf = mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
+ if( buf == MAP_FAILED ) {
+ fprintf( stderr, "mmap() returned NULL\n" );
+ exit( 1 );
+ }
+
+ copy_shellcode(buf, SHELLCODE_RETURN);
+
+ /* Convert the pointer to a function pointer */
+ func = (fptr)buf;
+
+ /* Call the code in the buffer */
+ func();
+
+ /* It worked when the function returns */
+ itworked();
+}
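Review bot: `void doit( void )` here does not match the `extern int doit( void );` declaration that body.c uses to call it, so the call goes through an incompatible function type. Declaring `void doit( void );` once in body.h and dropping the extern from body.c would let the compiler check every test file against one prototype. The failure message is also misleading: the check is against `MAP_FAILED`, but the text says `mmap() returned NULL` and discards errno, so `perror( "mmap" );` would report the actual cause.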
diff --git a/default/paxtest/body.c b/default/paxtest/body.c
new file mode 100644
index 0000000..a85046b
--- /dev/null
+++ b/default/paxtest/body.c
@@ -0,0 +1,109 @@
+/* body.c - This part is shared by the test programs (except for the randomisation
+ * tests)
+ *
+ * Copyright (c)2003,2004 by Peter Busser <peter(a)adamantix.org>
+ * This file has been released under the GNU Public Licence version 2 or later
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/mman.h>
+#include <unistd.h>
+#include <errno.h>
+#include <limits.h>
+#include <signal.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <pthread.h>
+#include <unistd.h>
+
+extern int doit( void );
+extern const char testname[];
+
+static void *test_thread(void *p)
+{
+ pause();
+ return NULL;
+}
+
+int main( int argc, char *argv[] )
+{
+ int status;
+ char *mode;
+ /* This defaults to 1 as a safety mechanism. It is better to fail in
+ * blackhat mode, because kiddie mode can produce overly optimistic
+ * results.
+ */
+ int paxtest_mode = 1;
+
+ /* Dummy nested function */
+ void dummy(void) {}
+
+ mode = getenv( "PAXTEST_MODE" );
+ if( mode == NULL ) {
+ paxtest_mode = 1;
+ } else {
+ if( strcmp(mode,"0") == 0 ) {
+ paxtest_mode = 0;
+ } else if( strcmp(mode,"1") == 0 ) {
+ paxtest_mode = 1;
+ }
+ }
+
+ printf( "%s: ", testname );
+ fflush( stdout );
+
+ if( fork() == 0 ) {
+ /* Perform a dirty (but not unrealistic) trick to circumvent
+ * the kernel protection.
+ */
+ if( paxtest_mode == 1 ) {
+ pthread_t thread;
+ pthread_create(&thread, NULL, test_thread, dummy);
+ doit();
+ pthread_kill(thread, SIGTERM);
+ } else {
+ doit();
+ }
+ } else {
+ wait( &status );
+ if( WIFEXITED(status) == 0 ) {
+ printf( "Killed\n" );
+ exit( 0 );
+ }
+ }
+
+ exit( 0 );
+}
+
+void itworked( void )
+{
+ printf( "Vulnerable\n" );
+ exit( 1 );
+}
+
+void itfailed( void )
+{
+ printf( "Ok\n" );
+ exit( 2 );
+}
+
+
+int do_mprotect( const void *addr, size_t len, int prot )
+{
+ void *ptr;
+ int retval;
+ long PAGESIZE = sysconf(_SC_PAGESIZE);
+
+ /* Allign to a multiple of PAGESIZE, assumed to be a power of two */
+ ptr = (char *)(((unsigned long) addr) & ~(PAGESIZE-1));
+
+ retval = mprotect( ptr, len, prot );
+ if( retval != 0 && errno == EINVAL ) {
+ perror( "could not mprotect():" );
+ exit( 1 );
+ }
+
+ return retval;
+}
+
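Review bot: In `main`, the result of `fork()` is only compared with 0, so a failed fork takes the parent branch, `wait( &status )` fails, and `WIFEXITED(status)` is evaluated on an uninitialised `status`; the line for that test then ends in `Killed` or in nothing at all, although the test never ran. Keeping the pid and bailing out, e.g. `pid_t pid = fork(); if( pid < 0 ) { perror( "fork" ); exit( 1 ); }`, and checking the return value of `wait()`, keeps the printed verdict trustworthy. `strcmp()` is used without `#include <string.h>`. In `do_mprotect`, the address is rounded down to a page boundary but `len` is passed unchanged, so the tail of the requested range can be left out of the call; `len += (unsigned long) addr - (unsigned long) ptr;` before `mprotect()` covers it.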
diff --git a/default/paxtest/body.h b/default/paxtest/body.h
new file mode 100644
index 0000000..36ed9d2
--- /dev/null
+++ b/default/paxtest/body.h
@@ -0,0 +1,4 @@
+void itworked( void );
+void itfailed( void );
+int do_mprotect( const void *addr, size_t len, int prot );
+typedef void (*fptr)(void);
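Review bot: body.h is not self-contained: `do_mprotect` is declared with `size_t`, but the header includes nothing, so it compiles only when the including file has already pulled in a header that defines that type (anonmap.c includes `<stdio.h>` first). Adding `#include <stddef.h>` and an include guard (`#ifndef BODY_H` / `#define BODY_H` … `#endif`) removes the ordering dependency. A one-line comment on `itworked` and `itfailed` saying that they print the verdict (`Vulnerable` / `Ok`) and exit with status 1 and 2 respectively would save readers a trip to body.c.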
diff --git a/default/paxtest/chpax-0.7/Changelog b/default/paxtest/chpax-0.7/Changelog
new file mode 100644
index 0000000..4524616
--- /dev/null
+++ b/default/paxtest/chpax-0.7/Changelog
@@ -0,0 +1,21 @@
+ *
+ * Nov 2002 : Added multi{options,files} cmdline, zeroflag, nicer output
+ * (+ double output if flags are changed and -v is specified), more error
+ * handling, more explicit error messages and return values
+ *
+ * Jan 2003 : Packaging, Port to Sparc/ELF64 : flags now stand in e_ident[EI_PAX] and
+ * e_ident[EI_PAX + 1], old chpax version is needed for clearing old flags .
+ *
+ * Feb 2003: Added alpha support.
+ *
+ * Mar 2003: Added parisc support.
+ *
+ * Apr 2003: Added ppc support.
+ *
+ * Oct 2003: Added amd64, ia64 and make install support, short format flags printout.
+ *
+ * Dec 2003: Added mips and mips64 support.
+ *
+ * Feb 2004: Added PT_PAX_FLAGS support.
+ *
+ * Jun 2004: Fixed elf.h include, uses glibc's version now, added ppc64 support.
diff --git a/default/paxtest/chpax-0.7/Makefile b/default/paxtest/chpax-0.7/Makefile
new file mode 100644
index 0000000..4b907b1
--- /dev/null
+++ b/default/paxtest/chpax-0.7/Makefile
@@ -0,0 +1,33 @@
+##
+## Makefile for chpax.c
+##
+## The PaX project :
http://pax.grsecurity.net/
+##
+
+SRC = chpax.c io.c elf32.c elf64.c aout.c flags.c
+OBJ = $(SRC:.c=.o)
+RM = rm -f
+TARGET = chpax
+CC = gcc
+CFLAGS = -Wall -W -g3
+STRIP = strip
+#STRIP = touch
+CP = cp
+DESTDIR =
+MANDIR = /usr/share/man/man1/
+MKDIR = mkdir -p
+
+all : $(OBJ)
+ $(CC) $(CFLAGS) $(OBJ) -o $(TARGET)
+
+install : all
+ $(STRIP) $(TARGET)
+ $(MKDIR) $(DESTDIR)/sbin/ $(DESTDIR)$(MANDIR)
+ $(CP) $(TARGET) $(DESTDIR)/sbin/
+ $(CP) $(TARGET).1 $(DESTDIR)$(MANDIR)
+
+clean :
+ $(RM) *.o *~ \#* *\#
+
+fclean : clean
+ $(RM) $(TARGET)
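Review bot: The `all` rule links `$(TARGET)` but never produces a file called `all`, so make relinks chpax on every invocation, and none of `all`, `install`, `clean` and `fclean` is declared phony. The conventional shape is `$(TARGET): $(OBJ)` for the link step, `all: $(TARGET)`, and `.PHONY: all install clean fclean`. The objects also have no dependency on chpax.h, so editing the flag definitions there does not trigger a rebuild; `$(OBJ): chpax.h` fixes that.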
diff --git a/default/paxtest/chpax-0.7/README b/default/paxtest/chpax-0.7/README
new file mode 100644
index 0000000..5c3c7cd
--- /dev/null
+++ b/default/paxtest/chpax-0.7/README
@@ -0,0 +1,11 @@
+
+ -----------------
+ CHPAX README FILE
+ -----------------
+
+As you can see, chpax has been partially rewritten . Since ELF64 is now
+supported (so that we match the Linux-PAX/sparc64 needs), we had to start
+a modularization of the code .
+
+For all the technical details about the improvements, check the
+Changelog file .
diff --git a/default/paxtest/chpax-0.7/aout.c b/default/paxtest/chpax-0.7/aout.c
new file mode 100644
index 0000000..26ba7b5
--- /dev/null
+++ b/default/paxtest/chpax-0.7/aout.c
@@ -0,0 +1,18 @@
+/*
+** aout.c for chpax
+**
+** The PaX project :
http://pax.grsecurity.net/
+**
+*/
+#include "chpax.h"
+
+
+unsigned long get_flags_aout()
+{
+ return (N_FLAGS(header_aout));
+}
+
+void put_flags_aout(unsigned long flags)
+{
+ N_SET_FLAGS(header_aout, flags & ~HF_PAX_RANDMMAP);
+}
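Review bot: `put_flags_aout` silently drops `HF_PAX_RANDMMAP` from whatever the caller passes, and nothing in the file says why; a comment such as `/* RANDMMAP is ELF-only (see the usage text in flags.c); never store it in an a.out header */` would make the mask read as intentional. The usage text in flags.c also marks `-X`/`-x` (RANDEXEC) as ELF only, yet `HF_PAX_RANDEXEC` is not masked here, which looks like an oversight and is worth confirming. Because `main` in chpax.c compares the unmasked `flags` with `aflags`, a request that only touches RANDMMAP on an a.out file still rewrites the header and, with `-v`, prints the flags as updated even though the stored value is unchanged.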
diff --git a/default/paxtest/chpax-0.7/chpax.1 b/default/paxtest/chpax-0.7/chpax.1
new file mode 100644
index 0000000..5d6e144
--- /dev/null
+++ b/default/paxtest/chpax-0.7/chpax.1
@@ -0,0 +1,80 @@
+.\" -*- nroff -*-
+.\"
+.\" chpax.1
+.\"
+.\" This program was written by
+.\" The PaX Team <pageexec(a)freemail.hu>
+.\"
+.\" This manpage was created by:
+.\" Martin Krafft <madduck(a)debian.org<
+.\"
+.\" The license of this manpage is "Do what you want, but do it right!"
+.\"
+.TH chpax 1 .\" "chpax Manual" "Feb 12, 2003"
+.SH NAME
+\fB chpax \fR - user-space utility to control PaX flags
+.SH SYNTAX
+\fB chpax \fR [-PpEeMmRrXxSsvz] <FILE1> [<FILE2> ...]
+.SH DESCRIPTION
+\fBchpax\fR is a tool that allows PaX flags to be modified
+on a per-binary basis. PaX is part of common security-enhancing
+kernel patches, like GrSecurity. Your system needs to be
+running an appropriately patched kernel for this program to
+have any effect.
+.TP
+\fB-P\fR
+enforce paging based non-executable pages
+.TP
+\fB-p\fR
+do not enforce paging based non-executable pages
+.TP
+\fB-E\fR
+emulate trampolines
+.TP
+\fB-e\fR
+do not emulate trampolines
+.TP
+\fB-M\fR
+restrict mprotect()
+.TP
+\fB-m\fR
+do not restrict mprotect()
+.TP
+\fB-R\fR
+randomize mmap() base
+.TP
+\fB-r\fR
+do not randomize mmap() base
+.TP
+\fB-X\fR
+randomize ET_EXEC base
+.TP
+\fB-x\fR
+do not randomize ET_EXEC base
+.TP
+\fB-S\fR
+enforce segmentation based non-executable pages
+.TP
+\fB-s\fR
+do not enforce segmentation based non-executable pages
+.TP
+\fB-v\fR
+view current flag mask
+.TP
+\fB-z\fR
+zero flag mask (next flags still apply)
+.SH CAVEATS
+\fBchpax\fR does not currently parse standard command line arguments. Only the
+first argument is parsed, and it must contain all of the above flags you
+wish to use. So, instead of, e.g., "-v -p -r" you have to use
"-vpr".
+.SH AUTHOR
+Written by The PaX Team <pageexec(a)freemail.hu>
+.PP
+This manpage was written by Martin F. Krafft <madduck(a)debian.org>
+for the Debian GNU/Linux Distribution, but may be used by others.
+.SH "SEE ALSO"
+.BR gradm (1)
+.PP
+The PaX website:
http://pax.grsecurity.net
+.PP
+The GrSecurity website:
http://www.grsecurity.net
diff --git a/default/paxtest/chpax-0.7/chpax.c b/default/paxtest/chpax-0.7/chpax.c
new file mode 100644
index 0000000..42ba7b4
--- /dev/null
+++ b/default/paxtest/chpax-0.7/chpax.c
@@ -0,0 +1,97 @@
+/*
+ * chpax version 0.7
+ *
+ * This program manages various PaX related flags for ELF32, ELF64,
+ * and a.out binaries. The flags only have effect when running the
+ * patched Linux kernel.
+ *
+ * Written by Solar Designer and placed in the public domain.
+ *
+ * Adapted to PaX by the PaX Team
+ *
+ * Maintained by [jv(a)grsecurity.net]
+ *
+ */
+#include "chpax.h"
+
+Elf32_Ehdr header_elf;
+Elf64_Ehdr header_elf64;
+struct exec header_aout;
+int header_size;
+void *header;
+int fd;
+unsigned long (*get_flags)();
+void (*put_flags)(unsigned long);
+
+
+int main(int argc, char *argv[])
+{
+ unsigned long flags;
+ unsigned long aflags;
+ unsigned int index = 2;
+ int mode;
+ char *current;
+ int error = 0;
+ int view = 0;
+
+ if (!argv)
+ usage(NULL);
+ if (argc < 3 || !argv[1] || argv[1][0] != '-')
+ usage(argv[0]);
+
+ flags = scan_flags(0, argv, &view);
+ mode = view & !flags ? O_RDONLY : O_RDWR;
+
+ for (current = argv[index]; current; current = argv[++index])
+ {
+
+ error = read_header(current, mode);
+ switch (error)
+ {
+ case 1:
+ perror(current);
+ continue ;
+ case 2:
+ fprintf(stderr, "%s: Unknown file type (passed) \n", current);
+ XCLOSE(fd);
+ continue ;
+ case 3:
+ fprintf(stderr, "%s: Wrong architecture (passed) \n", current);
+ XCLOSE(fd);
+ continue ;
+ }
+
+ aflags = get_flags();
+ flags = scan_flags(aflags, argv, &view);
+
+ if (view)
+ {
+ printf("\n----[ chpax %s : Current flags for %s (%s) ]---- \n\n",
+ CHPAX_VERSION, current, pax_short_flags(aflags));
+ print_flags(aflags);
+ puts("");
+ }
+
+ put_flags(flags);
+
+ if (flags != aflags && write_header())
+ {
+ perror(current);
+ error = 4;
+ }
+
+ if (error)
+ fprintf(stderr, "%s : Flags were not updated . \n", current);
+ else if (view && aflags != flags)
+ {
+ printf("\n----[ chpax %s : Updated flags for %s (%s) ]---- \n\n",
+ CHPAX_VERSION, current, pax_short_flags(flags));
+ print_flags(flags);
+ puts("");
+ }
+
+ XCLOSE(fd);
+ }
+
+ return (error);
+}
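Review bot: The open mode chosen by `mode = view & !flags ? O_RDONLY : O_RDWR;` is wrong for options that only clear bits: `scan_flags(0, …)` returns 0 for `M`, `R`, `e`, `x` and `z`, so an option string like `-vM` opens every file read-only and the later `write_header()` fails with "Flags were not updated", leaving the binary without the restriction the operator asked for. Deciding from the option string instead, for example `mode = (strspn(argv[1] + 1, "v") == strlen(argv[1] + 1)) ? O_RDONLY : O_RDWR;`, avoids depending on the bit polarity. Separately, `error` is overwritten by `read_header()` on each iteration, so the exit status reflects only the last file; a build step that runs chpax over several binaries will not see an earlier failure unless failures are accumulated in a separate variable.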
diff --git a/default/paxtest/chpax-0.7/chpax.h b/default/paxtest/chpax-0.7/chpax.h
new file mode 100644
index 0000000..5b03a08
--- /dev/null
+++ b/default/paxtest/chpax-0.7/chpax.h
@@ -0,0 +1,77 @@
+/*
+ * Include file for chpax.c
+ *
+ * The PaX project :
http://pax.grsecurity.net/
+ *
+ */
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <elf.h>
+#include <a.out.h>
+
+#define CHPAX_VERSION "0.7"
+
+#define HF_PAX_PAGEEXEC 1 /* 0: Paging based non-exec pages */
+#define HF_PAX_EMUTRAMP 2 /* 0: Emulate trampolines */
+#define HF_PAX_MPROTECT 4 /* 0: Restrict mprotect() */
+#define HF_PAX_RANDMMAP 8 /* 0: Randomize mmap() base */
+#define HF_PAX_RANDEXEC 16 /* 1: Randomize ET_EXEC base */
+#define HF_PAX_SEGMEXEC 32 /* 0: Segmentation based non-exec pages */
+
+#define EI_PAX 14 /* Index to read the PaX flags into ELF header
e_ident[] array */
+
+#ifndef PT_PAX_FLAGS
+#define PT_PAX_FLAGS 0x65041580 /* Indicates PaX flag markings */
+#define PF_PAGEEXEC (1 << 4) /* Enable PAGEEXEC */
+#define PF_NOPAGEEXEC (1 << 5) /* Disable PAGEEXEC */
+#define PF_SEGMEXEC (1 << 6) /* Enable SEGMEXEC */
+#define PF_NOSEGMEXEC (1 << 7) /* Disable SEGMEXEC */
+#define PF_MPROTECT (1 << 8) /* Enable MPROTECT */
+#define PF_NOMPROTECT (1 << 9) /* Disable MPROTECT */
+#define PF_RANDEXEC (1 << 10) /* Enable RANDEXEC */
+#define PF_NORANDEXEC (1 << 11) /* Disable RANDEXEC */
+#define PF_EMUTRAMP (1 << 12) /* Enable EMUTRAMP */
+#define PF_NOEMUTRAMP (1 << 13) /* Disable EMUTRAMP */
+#define PF_RANDMMAP (1 << 14) /* Enable RANDMMAP */
+#define PF_NORANDMMAP (1 << 15) /* Disable RANDMMAP */
+#endif
+
+#define XCLOSE(fd) \
+do \
+{ \
+ if (close(fd)) \
+ perror("close"); \
+} \
+while (0)
+
+#define FILE_IS_ELF64(h) (h.e_ident[EI_CLASS] == 2)
+#define FILE_IS_ELF32(h) (h.e_ident[EI_CLASS] == 1)
+
+/* Extern variables */
+extern Elf32_Ehdr header_elf;
+extern Elf64_Ehdr header_elf64;
+extern struct exec header_aout;
+extern int header_size;
+extern void *header;
+extern int fd;
+extern unsigned long (*get_flags)();
+extern void (*put_flags)(unsigned long);
+
+/* Function prototypes */
+int read_header(char *name, int flags);
+int write_header();
+unsigned long get_flags_elf();
+void put_flags_elf(unsigned long flags);
+unsigned long get_flags_aout();
+void put_flags_aout(unsigned long flags);
+unsigned long get_flags_elf64();
+void put_flags_elf64(unsigned long flags);
+void usage(char *name);
+unsigned long scan_flags(unsigned long flags, char **argv, int *view);
+void print_flags(unsigned long flags);
+char *pax_short_flags(unsigned long flags);
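Review bot: The `0:` / `1:` prefixes in the `HF_PAX_*` comments are never explained, and the polarity matters: per `print_flags` in flags.c, a set `HF_PAX_PAGEEXEC`, `HF_PAX_MPROTECT`, `HF_PAX_RANDMMAP` or `HF_PAX_SEGMEXEC` bit means the protection is off, while a set `HF_PAX_EMUTRAMP` or `HF_PAX_RANDEXEC` bit means the feature is on. A short block comment above the defines stating this (the prefix is presumably the default bit value, which should be confirmed) would stop a reader from treating a non-zero mask as more protection. The header also has no include guard, and `FILE_IS_ELF64(h)` / `FILE_IS_ELF32(h)` expand `h.e_ident` without parenthesising the argument and compare against bare 2 and 1; `((h).e_ident[EI_CLASS] == ELFCLASS64)` and the `ELFCLASS32` equivalent are the safer form.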
diff --git a/default/paxtest/chpax-0.7/elf32.c b/default/paxtest/chpax-0.7/elf32.c
new file mode 100644
index 0000000..50208aa
--- /dev/null
+++ b/default/paxtest/chpax-0.7/elf32.c
@@ -0,0 +1,22 @@
+/*
+** elf32.c for chpax
+**
+** The PaX project :
http://pax.grsecurity.net/
+**
+*/
+#include "chpax.h"
+
+
+unsigned long get_flags_elf()
+{
+ u_long flags;
+
+ flags = ((u_long) header_elf.e_ident[EI_PAX + 1] << 8) + (u_long)
header_elf.e_ident[EI_PAX];
+ return (flags);
+}
+
+void put_flags_elf(unsigned long flags)
+{
+ header_elf.e_ident[EI_PAX] = (flags & 0xFF);
+ header_elf.e_ident[EI_PAX + 1] = ((flags >> 8) & 0xFF);
+}
diff --git a/default/paxtest/chpax-0.7/elf64.c b/default/paxtest/chpax-0.7/elf64.c
new file mode 100644
index 0000000..6633190
--- /dev/null
+++ b/default/paxtest/chpax-0.7/elf64.c
@@ -0,0 +1,22 @@
+/*
+** elf64.c for chpax
+**
+** The PaX project :
http://pax.grsecurity.net/
+**
+*/
+#include "chpax.h"
+
+unsigned long get_flags_elf64()
+{
+ u_long flags;
+
+ flags = ((u_long) header_elf64.e_ident[EI_PAX + 1] << 8) + (u_long)
header_elf.e_ident[EI_PAX];
+ return (flags);
+}
+
+void put_flags_elf64(unsigned long flags)
+{
+ header_elf64.e_ident[EI_PAX] = (flags & 0xFF);
+ header_elf64.e_ident[EI_PAX + 1] = ((flags >> 8) & 0xFF);
+}
+
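Review bot: `get_flags_elf64` takes the high byte from `header_elf64` but the low byte from `header_elf`, the 32-bit copy; it gives the right answer only because `read_header` in io.c copies the same leading bytes into both structures before the getter runs. The low byte should come from the same header, `(u_long) header_elf64.e_ident[EI_PAX]`. The same mix-up is in the ELF64 branch of `read_header` in io.c, where the type check reads `header_elf64.e_type != ET_EXEC && header_elf.e_type != ET_DYN`; it should test `header_elf64.e_type` on both sides.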
diff --git a/default/paxtest/chpax-0.7/flags.c b/default/paxtest/chpax-0.7/flags.c
new file mode 100644
index 0000000..73e9c8a
--- /dev/null
+++ b/default/paxtest/chpax-0.7/flags.c
@@ -0,0 +1,147 @@
+/*
+** flags.c for chpax
+**
+** The PaX project :
http://pax.grsecurity.net/
+**
+*/
+#include "chpax.h"
+
+
+#define USAGE \
+"%s %s .::. Manage PaX flags for binaries\n" \
+"Usage: %s OPTIONS FILE1 FILE2 FILEN ...\n" \
+" -P\tenforce paging based non-executable pages\n" \
+" -p\tdo not enforce paging based non-executable pages\n" \
+" -E\temulate trampolines\n" \
+" -e\tdo not emulate trampolines\n" \
+" -M\trestrict mprotect()\n" \
+" -m\tdo not restrict mprotect()\n" \
+" -R\trandomize mmap() base [ELF only]\n" \
+" -r\tdo not randomize mmap() base [ELF only]\n" \
+" -X\trandomize ET_EXEC base [ELF only]\n" \
+" -x\tdo not randomize ET_EXEC base [ELF only]\n" \
+" -S\tenforce segmentation based non-executable pages\n" \
+" -s\tdo not enforce segmentation based non-executable pages\n" \
+" -v\tview current flag mask \n" \
+" -z\tzero flag mask (next flags still apply)\n\n" \
+"The flags only have effect when running the patched Linux kernel.\n" \
+
+
+void usage(char *name)
+{
+ char *ptr;
+
+ ptr = (name ? name : "chpax");
+ printf(USAGE, ptr, CHPAX_VERSION, ptr);
+ exit(1);
+}
+
+
+unsigned long scan_flags(unsigned long flags, char **argv, int *view)
+{
+ int index;
+
+ for (index = 1; argv[1][index]; index++)
+ switch (argv[1][index])
+ {
+
+ case 'p':
+ flags |= HF_PAX_PAGEEXEC;
+ continue ;
+
+ case 'P':
+ flags = (flags & ~HF_PAX_PAGEEXEC) | HF_PAX_SEGMEXEC;
+ continue ;
+
+ case 'E':
+ flags |= HF_PAX_EMUTRAMP;
+ continue ;
+
+ case 'e':
+ flags = (flags & ~HF_PAX_EMUTRAMP);
+ continue ;
+
+ case 'm':
+ flags |= HF_PAX_MPROTECT;
+ continue ;
+
+ case 'M':
+ flags = (flags & ~HF_PAX_MPROTECT);
+ continue ;
+
+ case 'r':
+ flags |= HF_PAX_RANDMMAP;
+ continue ;
+
+ case 'R':
+ flags = (flags & ~HF_PAX_RANDMMAP);
+ continue ;
+
+ case 'X':
+ flags |= HF_PAX_RANDEXEC;
+ continue ;
+
+ case 'x':
+ flags = (flags & ~HF_PAX_RANDEXEC);
+ continue ;
+
+ case 's':
+ flags |= HF_PAX_SEGMEXEC;
+ continue ;
+
+ case 'S':
+ flags = (flags & ~HF_PAX_SEGMEXEC) | HF_PAX_PAGEEXEC;
+ continue ;
+
+ case 'v':
+ *view = 1;
+ continue ;
+
+ case 'z':
+ flags = 0;
+ continue ;
+
+ default:
+ fprintf(stderr, "Unknown option %c \n", argv[1][index]);
+ usage(argv[0]);
+ }
+
+ return (flags);
+}
+
+
+char *pax_short_flags(unsigned long flags)
+{
+ static char buffer[7];
+
+ buffer[0] = (flags & HF_PAX_PAGEEXEC ? 'p' : 'P');
+ buffer[1] = (flags & HF_PAX_EMUTRAMP ? 'E' : 'e');
+ buffer[2] = (flags & HF_PAX_MPROTECT ? 'm' : 'M');
+ buffer[3] = (flags & HF_PAX_RANDMMAP ? 'r' : 'R');
+ buffer[4] = (flags & HF_PAX_RANDEXEC ? 'X' : 'x');
+ buffer[5] = (flags & HF_PAX_SEGMEXEC ? 's' : 'S');
+ return buffer;
+}
+
+
+void print_flags(unsigned long flags)
+{
+ printf(" * Paging based PAGE_EXEC : %s \n"
+ " * Trampolines : %s \n"
+ " * mprotect() : %s \n"
+ " * mmap() base : %s \n"
+ " * ET_EXEC base : %s \n"
+ " * Segmentation based PAGE_EXEC : %s \n",
+ flags & HF_PAX_PAGEEXEC
+ ? "disabled" : flags & HF_PAX_SEGMEXEC ? "enabled" :
"enabled (overridden)",
+ flags & HF_PAX_EMUTRAMP
+ ? "emulated" : "not emulated",
+ flags & HF_PAX_MPROTECT
+ ? "not restricted" : "restricted",
+ flags & HF_PAX_RANDMMAP
+ ? "not randomized" : "randomized",
+ flags & HF_PAX_RANDEXEC
+ ? "randomized" : "not randomized",
+ flags & HF_PAX_SEGMEXEC
+ ? "disabled" : "enabled");
+}
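Review bot: `scan_flags` couples the two non-exec modes without saying so: `P` clears `HF_PAX_PAGEEXEC` and sets `HF_PAX_SEGMEXEC`, and `S` does the reverse, so when both letters appear in one option string only the later one takes effect and the other mode is switched off. Neither the `USAGE` text nor a comment mentions this, and the case labels give no hint that a set bit disables PAGEEXEC, MPROTECT, RANDMMAP and SEGMEXEC. A comment at the top of the switch, e.g. `/* p/m/r/s SET a bit = protection off; P and S are mutually exclusive, last one wins */`, and a matching line in `USAGE` would make the resulting mask predictable. `usage()` also prints its text to stdout rather than stderr even though it is only reached on an error path.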
diff --git a/default/paxtest/chpax-0.7/io.c b/default/paxtest/chpax-0.7/io.c
new file mode 100644
index 0000000..0c8d78d
--- /dev/null
+++ b/default/paxtest/chpax-0.7/io.c
@@ -0,0 +1,118 @@
+/*
+** io.c for chpax
+**
+** The PaX project :
http://pax.grsecurity.net/
+**
+*/
+#include "chpax.h"
+
+#ifndef EM_X86_64
+#define EM_X86_64 62
+#endif
+
+/* Read flags */
+int read_header(char *name, int flags)
+{
+ char *ptr;
+ int size;
+ int block;
+
+ if ((fd = open(name, flags)) < 0)
+ return 1;
+
+ ptr = (char *) &header_elf64;
+ size = sizeof(header_elf64);
+
+ do
+ {
+ block = read(fd, ptr, size);
+ if (block <= 0)
+ return (block ? 1 : 2);
+ ptr += block;
+ size -= block;
+ }
+ while (size > 0);
+
+ memcpy(&header_aout, &header_elf64, sizeof(header_aout));
+ memcpy(&header_elf, &header_elf64, sizeof(header_elf));
+
+ if (!memcmp(header_elf64.e_ident, ELFMAG, SELFMAG) &&
FILE_IS_ELF64(header_elf64))
+ {
+ if (header_elf64.e_type != ET_EXEC && header_elf.e_type != ET_DYN)
+ return 2;
+ if (header_elf64.e_machine != EM_SPARC &&
+ header_elf64.e_machine != EM_SPARCV9 &&
+ header_elf64.e_machine != EM_ALPHA &&
+ header_elf64.e_machine != EM_X86_64 &&
+ header_elf64.e_machine != EM_IA_64 &&
+ header_elf64.e_machine != EM_PPC64)
+ return 3;
+ header = &header_elf64;
+ header_size = sizeof(header_elf64);
+ get_flags = get_flags_elf64;
+ put_flags = put_flags_elf64;
+ }
+
+ else if (!memcmp(header_elf.e_ident, ELFMAG, SELFMAG) &&
FILE_IS_ELF32(header_elf))
+ {
+ if (header_elf.e_type != ET_EXEC && header_elf.e_type != ET_DYN)
+ return 2;
+ if (header_elf.e_machine != EM_386 &&
+ header_elf.e_machine != EM_SPARC &&
+ header_elf.e_machine != EM_SPARC32PLUS &&
+ header_elf.e_machine != EM_PARISC &&
+ header_elf.e_machine != EM_PPC &&
+ header_elf.e_machine != EM_MIPS &&
+ header_elf.e_machine != EM_MIPS_RS3_LE)
+ return 3;
+ header = &header_elf;
+ header_size = sizeof(header_elf);
+ get_flags = get_flags_elf;
+ put_flags = put_flags_elf;
+ }
+
+ else if (N_MAGIC(header_aout) == NMAGIC ||
+ N_MAGIC(header_aout) == ZMAGIC ||
+ N_MAGIC(header_aout) == QMAGIC)
+ {
+
+ if (N_MACHTYPE(header_aout) != M_386)
+ return 3;
+ header = &header_aout;
+ header_size = 4;
+ get_flags = get_flags_aout;
+ put_flags = put_flags_aout;
+ }
+
+ else
+ return (2);
+
+ return (0);
+}
+
+
+/* Write flags */
+int write_header()
+{
+ char *ptr;
+ int size;
+ int block;
+
+ if ((off_t)-1 == lseek(fd, 0, SEEK_SET))
+ return 1;
+
+ ptr = (char *) header;
+ size = header_size;
+
+ do
+ {
+ block = write(fd, ptr, size);
+ if (block <= 0)
+ break;
+ ptr += block;
+ size -= block;
+ }
+ while (size > 0);
+
+ return size;
+}
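Review bot: `read_header` returns 1 both when `open()` fails and when `read()` fails, but only the second case leaves `fd` open, and `main` in chpax.c treats 1 as nothing to close, so a read error leaks the descriptor for each affected file. Closing before that return, `if (block < 0) { close(fd); return 1; }` with errno saved around the `close()` so the caller's `perror()` stays accurate (chpax.h would need `<errno.h>`), or returning a distinct code, fixes it. The a.out branch sets `header_size = 4` with no explanation; a comment saying that only the first four bytes (presumably the word holding the flags) are written back would help the next reader.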
diff --git a/default/paxtest/crt1S.S b/default/paxtest/crt1S.S
new file mode 100644
index 0000000..c98b95e
--- /dev/null
+++ b/default/paxtest/crt1S.S
@@ -0,0 +1,57 @@
+ .text
+ .globl _start
+ .type _start,@function
+_start:
+ popl %esi
+ movl %esp, %ecx
+ andl $0xfffffff0, %esp
+ call .L1
+.L1:
+ pop %ebp
+ addl $_GLOBAL_OFFSET_TABLE_+[.-.L1],%ebp
+ pushl %eax
+ pushl %esp
+ pushl %edx
+ pushl _fini@GOT(%ebp)
+ pushl _init@GOT(%ebp)
+ pushl %ecx
+ pushl %esi
+ pushl main@GOT(%ebp)
+ pushl .hlt@GOT(%ebp)
+ pushl __libc_start_main@GOT(%ebp)
+ xorl %ebp, %ebp
+ ret
+.hlt:
+ hlt
+
+ .section .rodata
+ .globl _fp_hw
+_fp_hw: .long 3
+ .size _fp_hw, 4
+ .type _fp_hw,@object
+
+ .data
+ .globl __data_start
+__data_start:
+ .long 0
+ .weak data_start
+ data_start = __data_start
+
+ .section ".note.ABI-tag", "a"
+ .align 4
+ .long 1f - 0f
+ .long 3f - 2f
+ .long 1
+0: .asciz "GNU"
+1: .align 4
+2: .long 0
+ .long 2,0,0
+3: .align 4
+
+ .section .rodata
+ .globl _IO_stdin_used
+ .align 4
+_IO_stdin_used:
+ .long 0x20001
+ .size _IO_stdin_used,4
+ .type _IO_stdin_used,@object
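Review bot: This file has no `.note.GNU-stack` section, and GNU ld treats an object without that note as requesting an executable stack on i386, so any test binary linked against this startup object may end up with an executable `PT_GNU_STACK` regardless of the compiler flags. For a suite whose results depend on stack permissions that should be an explicit choice: either add `.section .note.GNU-stack,"",@progbits` at the end of the file, or leave a comment saying the omission is deliberate. The code is i386-only (`popl`, `%esp`, `@GOT(%ebp)`) with no architecture guard, so a comment at the top naming the target would also help.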
diff --git a/default/paxtest/debian/changelog b/default/paxtest/debian/changelog
new file mode 100644
index 0000000..b9f4872
--- /dev/null
+++ b/default/paxtest/debian/changelog
@@ -0,0 +1,75 @@
+paxtest (0.9.9--3) stable; urgency=low
+ * fixed Makefile to use -nopie for Gentoo Hardened on ET_EXEC tests
+
+paxtest (0.9.9-2) stable; urgency=low
+ * fixed writable text segments test under gcc 4.5 optimizations
+
+paxtest (0.9.9-1) stable; urgency=low
+ * added SPARC/64 support
+ * added PPC/64 support (return to function tests should be ignored for PPC64)
+ * added 32/64bit target support
+ * added shellode.h to easily support additional architectures
+ * made paxctl generate the PT_PAX_FLAGS header for binaries that
+ didn't have one
+
+paxtest (0.9.7-1) stable; urgency=low
+ * Fixed some tests on OpenBSD and FreeBSD (thanks to paxtest(a)hunger.hu
+ and mux(a)freebsd.org)
+ * Fixed return address acquisition, still gcc specific
+ * Switched to paxctl on gentoo
+ * Fixed setting up LD_LIBRARY_PATH in genpaxtest (Peter S. Mazinger)
+ * Added uClibc support (Peter S. Mazinger)
+ * Fixed the executable shared library data/bss tests (thanks to
+ paxtest(a)hunger.hu)
+
+paxtest (0.9.6-1) stable; urgency=low
+
+ * Made the do_mprotect() call in body.c optional, thereby introducing two
+ modes: script kiddie mode (which does not perform the do_mprotect()) and
+ blackhat mode, which does.
+ * Added a README file
+ * Added Adamantix paxtest results
+ * Removed -etdyn from the Adamantix make file
+ * Replaced mprotect() in body.c with pthread calls (which eventually have
+ the same result)
+ * Added a nested function, to measure the effect of nested functions on the
+ level of protection.
+ * Added paxtest result from Gentoo hardened (thanks to Ned Ludd)
+ * Added a new Makefile for Gentoo (thanks to Ned Ludd)
+ * Fixed spelling errors (thanks to pageexec(a)freemail.hu)
+
+ -- Peter Busser <peter(a)devbox.adamantix.org> Wed, 25 Feb 2004 20:24:53 +0200
+
+paxtest (0.9.5-1) unstable; urgency=low
+
+ * Fixed the shlibbss and shlibdata tests (pageexec(a)freemail.hu)
+ * Non-executable page tests expose incomplete implementations
+ (pageexec(a)freemail.hu)
+
+ -- Peter Busser <peter(a)adamantix.org> Tue, 04 Nov 2003 16:37:26 +0200
+
+paxtest (0.9.4-1) unstable; urgency=low
+
+ * Fixed mprotanon (pageexec(a)freemail.hu)
+ * Fixed rettofunc[12] (pageexec(a)freemail.hu)
+ * Fixed shared library data/bss tests (pageexec(a)freemail.hu)
+ * Introduced return-to-libc detection as proof-of-concept
+ (pageexec(a)freemail.hu)
+
+ -- Peter Busser <peter(a)adamantix.org> Tue, 22 Oct 2003 21:00:05 +0200
+
+paxtest (0.9.3-1) unstable; urgency=low
+
+ * Changed e-mail addresses in source files to peter(a)adamantix.org
+ * Added copyright message printing in the run script.
+ * Upgraded to chpax v0.5 (pageexec(a)freemail.hu)
+ * Split randheap in two parts, one as ET_EXEC and the other as ET_DYN
+
+ -- Peter Busser <peter(a)adamantix.org> Sun, 12 Oct 2003 10:58:52 +0200
+
+paxtest (0.9.0-1) unstable; urgency=low
+
+ * Initial Release.
+
+ -- Peter Busser <peter(a)trusteddebian.org> Mon, 19 May 2003 13:44:39 +0200
+
diff --git a/default/paxtest/debian/control b/default/paxtest/debian/control
new file mode 100644
index 0000000..194da0e
--- /dev/null
+++ b/default/paxtest/debian/control
@@ -0,0 +1,24 @@
+Source: paxtest
+Section: main
+Priority: optional
+Maintainer: Peter Busser <peter(a)adamantix.org>
+Build-Depends: debhelper (>> 3.0.0), gcc, binutils
+Standards-Version: 3.5.2
+
+Package: paxtest
+Architecture: i386
+Depends: ${shlibs:Depends}
+Description: a-: Test suite for the PaX kernel patch
+ PaX is a Linux kernel patch which adds much stricter control on how memory
+ is being used by applications. A normal Linux kernel leaves the control to the
+ application and does not implement any enforcement. Especially buffer overflow
+ attacks benefit from the absense of kernel enforced memory control. PaX tries
+ to do its best to enforce this control of memory used by applications, thereby
+ making it harder to successfully exploit buffer overflows.
+ .
+ Paxtest provides a regression test suite that covers most (but not all)
+ of PaX functionality. It can also be used to test other memory protection
+ patches.
+ .
+ For more information about PaX, see
http://pax.grsecurity.net/.
+
diff --git a/default/paxtest/debian/copyright b/default/paxtest/debian/copyright
new file mode 100644
index 0000000..862ec95
--- /dev/null
+++ b/default/paxtest/debian/copyright
@@ -0,0 +1,8 @@
+paxtest is copyright (c)2003 by Peter Busser <peter(a)adamantix.org>
+
+Paxtest is licened under the terms of the GNU General Public License (GPL),
+version 2.0 or later, as published by the Free Software Foundation. See
+the file COPYING [included], /usr/share/common-licenses/GPL, or
+<http://www.gnu.org/copyleft/gpl.txt> for the terms of the latest version
+of the GNU General Public License.
+
diff --git a/default/paxtest/debian/dirs b/default/paxtest/debian/dirs
new file mode 100644
index 0000000..ca882bb
--- /dev/null
+++ b/default/paxtest/debian/dirs
@@ -0,0 +1,2 @@
+usr/bin
+usr/sbin
diff --git a/default/paxtest/debian/docs b/default/paxtest/debian/docs
new file mode 100644
index 0000000..5b5d593
--- /dev/null
+++ b/default/paxtest/debian/docs
@@ -0,0 +1,5 @@
+COPYING
+README
+results/Results.README
+results/Adamantix.kiddie
+results/Adamantix.blackhat
diff --git a/default/paxtest/debian/manpage.1.ex b/default/paxtest/debian/manpage.1.ex
new file mode 100644
index 0000000..125432b
--- /dev/null
+++ b/default/paxtest/debian/manpage.1.ex
@@ -0,0 +1,60 @@
+.\" Hey, EMACS: -*- nroff -*-
+.\" First parameter, NAME, should be all caps
+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+.\" other parameters are allowed: see man(7), man(1)
+.TH PAXTEST SECTION "May 19, 2003"
+.\" Please adjust this date whenever revising the manpage.
+.\"
+.\" Some roff macros, for reference:
+.\" .nh disable hyphenation
+.\" .hy enable hyphenation
+.\" .ad l left justify
+.\" .ad b justify to both left and right margins
+.\" .nf disable filling
+.\" .fi enable filling
+.\" .br insert line break
+.\" .sp <n> insert n+1 empty lines
+.\" for manpage-specific macros, see man(7)
+.SH NAME
+paxtest \- program to do something
+.SH SYNOPSIS
+.B paxtest
+.RI [ options ] " files" ...
+.br
+.B bar
+.RI [ options ] " files" ...
+.SH DESCRIPTION
+This manual page documents briefly the
+.B paxtest
+and
+.B bar
+commands.
+This manual page was written for the Debian distribution
+because the original program does not have a manual page.
+Instead, it has documentation in the GNU Info format; see below.
+.PP
+.\" TeX users may be more comfortable with the \fB<whatever>\fP and
+.\" \fI<whatever>\fP escape sequences to invode bold face and italics,
+.\" respectively.
+\fBpaxtest\fP is a program that...
+.SH OPTIONS
+These programs follow the usual GNU command line syntax, with long
+options starting with two dashes (`-').
+A summary of options is included below.
+For a complete description, see the Info files.
+.TP
+.B \-h, \-\-help
+Show summary of options.
+.TP
+.B \-v, \-\-version
+Show version of program.
+.SH SEE ALSO
+.BR bar (1),
+.BR baz (1).
+.br
+The programs are documented fully by
+.IR "The Rise and Fall of a Fooish Bar" ,
+available via the Info system.
+.SH AUTHOR
+This manual page was written by Peter Busser <peter@dev>,
+for the Debian GNU/Linux system (but may be used by others).
diff --git a/default/paxtest/debian/manpage.sgml.ex
b/default/paxtest/debian/manpage.sgml.ex
new file mode 100644
index 0000000..e878798
--- /dev/null
+++ b/default/paxtest/debian/manpage.sgml.ex
@@ -0,0 +1,152 @@
+<!doctype refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN" [
+
+<!-- Process this file with docbook-to-man to generate an nroff manual
+ page: `docbook-to-man manpage.sgml > manpage.1'. You may view
+ the manual page with: `docbook-to-man manpage.sgml | nroff -man |
+ less'. A typical entry in a Makefile or Makefile.am is:
+
+manpage.1: manpage.sgml
+ docbook-to-man $< > $@
+
+
+ The docbook-to-man binary is found in the docbook-to-man package.
+ Please remember that if you create the nroff version in one of the
+ debian/rules file targets (such as build), you will need to include
+ docbook-to-man in your Build-Depends control field.
+
+ -->
+
+ <!-- Fill in your name for FIRSTNAME and SURNAME. -->
+ <!ENTITY dhfirstname "<firstname>FIRSTNAME</firstname>">
+ <!ENTITY dhsurname "<surname>SURNAME</surname>">
+ <!-- Please adjust the date whenever revising the manpage. -->
+ <!ENTITY dhdate "<date>May 19, 2003</date>">
+ <!-- SECTION should be 1-8, maybe w/ subsection other parameters are
+ allowed: see man(7), man(1). -->
+ <!ENTITY dhsection "<manvolnum>SECTION</manvolnum>">
+ <!ENTITY dhemail "<email>peter@dev</email>">
+ <!ENTITY dhusername "Peter Busser">
+ <!ENTITY dhucpackage
"<refentrytitle>PAXTEST</refentrytitle>">
+ <!ENTITY dhpackage "paxtest">
+
+ <!ENTITY debian "<productname>Debian</productname>">
+ <!ENTITY gnu "<acronym>GNU</acronym>">
+]>
+
+<refentry>
+ <refentryinfo>
+ <address>
+ &dhemail;
+ </address>
+ <author>
+ &dhfirstname;
+ &dhsurname;
+ </author>
+ <copyright>
+ <year>2001</year>
+ <holder>&dhusername;</holder>
+ </copyright>
+ &dhdate;
+ </refentryinfo>
+ <refmeta>
+ &dhucpackage;
+
+ &dhsection;
+ </refmeta>
+ <refnamediv>
+ <refname>&dhpackage;</refname>
+
+ <refpurpose>program to do something</refpurpose>
+ </refnamediv>
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>&dhpackage;</command>
+
+ <arg><option>-e
<replaceable>this</replaceable></option></arg>
+
+ <arg><option>--example
<replaceable>that</replaceable></option></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+ <refsect1>
+ <title>DESCRIPTION</title>
+
+ <para>This manual page documents briefly the
+ <command>&dhpackage;</command> and
<command>bar</command>
+ commands.</para>
+
+ <para>This manual page was written for the &debian; distribution
+ because the original program does not have a manual page.
+ Instead, it has documentation in the &gnu;
+ <application>Info</application> format; see below.</para>
+
+ <para><command>&dhpackage;</command> is a program
that...</para>
+
+ </refsect1>
+ <refsect1>
+ <title>OPTIONS</title>
+
+ <para>These programs follow the usual GNU command line syntax,
+ with long options starting with two dashes (`-'). A summary of
+ options is included below. For a complete description, see the
+ <application>Info</application> files.</para>
+
+ <variablelist>
+ <varlistentry>
+ <term><option>-h</option>
+ <option>--help</option>
+ </term>
+ <listitem>
+ <para>Show summary of options.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>-v</option>
+ <option>--version</option>
+ </term>
+ <listitem>
+ <para>Show version of program.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+ <refsect1>
+ <title>SEE ALSO</title>
+
+ <para>bar (1), baz (1).</para>
+
+ <para>The programs are documented fully by <citetitle>The Rise and
+ Fall of a Fooish Bar</citetitle> available via the
+ <application>Info</application> system.</para>
+ </refsect1>
+ <refsect1>
+ <title>AUTHOR</title>
+
+ <para>This manual page was written by &dhusername; &dhemail; for
+ the &debian; system (but may be used by others). Permission is
+ granted to copy, distribute and/or modify this document under
+ the terms of the <acronym>GNU</acronym> Free Documentation
+ License, Version 1.1 or any later version published by the Free
+ Software Foundation; with no Invariant Sections, no Front-Cover
+ Texts and no Back-Cover Texts.</para>
+
+ </refsect1>
+</refentry>
+
+<!-- Keep this comment at the end of the file
+Local variables:
+mode: sgml
+sgml-omittag:t
+sgml-shorttag:t
+sgml-minimize-attributes:nil
+sgml-always-quote-attributes:t
+sgml-indent-step:2
+sgml-indent-data:t
+sgml-parent-document:nil
+sgml-default-dtd-file:nil
+sgml-exposed-tags:nil
+sgml-local-catalogs:nil
+sgml-local-ecat-files:nil
+End:
+-->
+
+
diff --git a/default/paxtest/debian/paxtest.sgml b/default/paxtest/debian/paxtest.sgml
new file mode 100644
index 0000000..65e90a0
--- /dev/null
+++ b/default/paxtest/debian/paxtest.sgml
@@ -0,0 +1,167 @@
+<!doctype refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN" [
+
+
+ <!-- Fill in your name for FIRSTNAME and SURNAME. -->
+ <!ENTITY dhfirstname "<firstname>Javier</firstname>">
+ <!ENTITY dhsurname
"<surname>Fernandez-Sanguino</surname>">
+ <!-- Please adjust the date whenever revising the manpage. -->
+ <!ENTITY dhdate "<date>November 8, 2003</date>">
+ <!-- SECTION should be 1-8, maybe w/ subsection other parameters are
+ allowed: see man(7), man(1). -->
+ <!ENTITY dhsection "<manvolnum>1</manvolnum>">
+ <!ENTITY dhemail "<email>jfs(a)computer.org</email>">
+ <!ENTITY dhusername "Javier Fernandez-Sanguino">
+ <!ENTITY dhucpackage
"<refentrytitle>PAXTEST</refentrytitle>">
+ <!ENTITY dhpackage "paxtest">
+
+ <!ENTITY debian "<productname>Debian</productname>">
+ <!ENTITY gnu "<acronym>GNU</acronym>">
+]>
+
+<refentry>
+ <refentryinfo>
+ <address>
+ &dhemail;
+ </address>
+ <author>
+ &dhfirstname;
+ &dhsurname;
+ </author>
+ <copyright>
+ <year>2003</year>
+ <holder>Peter Busser</holder>
+ </copyright>
+ &dhdate;
+ </refentryinfo>
+ <refmeta>
+ &dhucpackage;
+
+ &dhsection;
+ </refmeta>
+ <refnamediv>
+ <refname>&dhpackage;</refname>
+
+ <refpurpose>program to test buffer overflow protection</refpurpose>
+ </refnamediv>
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>&dhpackage;</command>
+
+ <arg><replaceable>logfile</replaceable></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+ <refsect1>
+ <title>DESCRIPTION</title>
+
+ <para><command>&dhpackage;</command> is a program that attempts
to
+ test kernel enforcements over memory usage. Some attacks benefit
+ from kernels that do not impose limitations. For example, execution
+ in some memory segments makes buffer overflows possible. It is
+ used as a regression test suite for PaX, but might be useful
+ to test other memory protection patches for the kernel.</para>
+
+ <para><command>&dhpackage;</command> runs a set of programs
that
+ attempt to subvert memory usage. For example:
+ </para>
+
+ <literallayout>
+Executable anonymous mapping : Killed
+Executable bss : Killed
+Executable data : Killed
+Executable heap : Killed
+Executable stack : Killed
+Executable anonymous mapping (mprotect) : Killed
+Executable bss (mprotect) : Killed
+Executable data (mprotect) : Killed
+Executable heap (mprotect) : Killed
+Executable shared library bss (mprotect) : Killed
+Executable shared library data (mprotect): Killed
+Executable stack (mprotect) : Killed
+Anonymous mapping randomisation test : 16 bits (guessed)
+Heap randomisation test (ET_EXEC) : 13 bits (guessed)
+Heap randomisation test (ET_DYN) : 25 bits (guessed)
+Main executable randomisation (ET_EXEC) : No randomisation
+Main executable randomisation (ET_DYN) : 17 bits (guessed)
+Stack randomisation test (SEGMEXEC) : 23 bits (guessed)
+Stack randomisation test (PAGEEXEC) : 24 bits (guessed)
+Return to function (strcpy) : Vulnerable
+Return to function (strcpy, RANDEXEC) : Vulnerable
+Return to function (memcpy) : Vulnerable
+Return to function (memcpy, RANDEXEC) : Vulnerable
+Executable shared library bss : Killed
+Executable shared library data : Killed
+Writable text segments : Killed
+ </literallayout>
+
+ <para>The <quote>Executable ...</quote> tests basically put an
instruction
+ in a place
+ that is supposed to be data (i.e. malloced data, C variable, etc.)
+ and tries to execute it. The <quote>(mprotect)</quote> tests try to
trick
+ the kernel in marking this piece of memory as executable first.
+ Return to function tests overwrite the return address on the stack,
+ these are hard to prevent from inside the kernel.
+ The last test tries to overwrite memory which is marked as executable.
+ </para>
+
+ <para>A normal Linux kernel (unpatched to protect for buffer overflows)
+ will show all tests as Vulnerable and no stack
+ randomisation or 6 bits (due to stack colouring). In other words,
+ on a normal Linux kernel you can execute any data inside a process's
+ memory or overwrite any code at will.
+ </para>
+
+ <para>This manual page was written for the &debian; distribution
+ because the original program does not have a manual page.
+ </para>
+
+
+ </refsect1>
+ <refsect1>
+ <title>OPTIONS</title>
+
+ <para>This program takes only a single option: a file to which
+ log all the test results (by default it will log to stdin/stdout)
+ </para>
+ </refsect1>
+ <refsect1>
+ <title>SEE ALSO</title>
+
+ <para>For more information see
+ <ulink
url="http://pax.grsecurity.net/docs">PaX
Documentation</ulink>.</para>
+
+ </refsect1>
+ <refsect1>
+ <title>AUTHOR</title>
+
+ <para>&dhpackage; was written by Peter Busser.</para>
+
+ <para>This manual page was written by &dhusername; &dhemail; for
+ the &debian; system (but may be used by others) based on the
+ information in the source code and Peter Busser's comments
+ sent to public mailing lists. Permission is
+ granted to copy, distribute and/or modify this document under
+ the terms of the <acronym>GNU</acronym> Public License, Version 2
+ or any later version published by the Free
+ Software Foundation.</para>
+
+ </refsect1>
+</refentry>
+
+<!-- Keep this comment at the end of the file
+Local variables:
+mode: sgml
+sgml-omittag:t
+sgml-shorttag:t
+sgml-minimize-attributes:nil
+sgml-always-quote-attributes:t
+sgml-indent-step:2
+sgml-indent-data:t
+sgml-parent-document:nil
+sgml-default-dtd-file:nil
+sgml-exposed-tags:nil
+sgml-local-catalogs:nil
+sgml-local-ecat-files:nil
+End:
+-->
+
+
diff --git a/default/paxtest/debian/rules b/default/paxtest/debian/rules
new file mode 100644
index 0000000..aeb070b
--- /dev/null
+++ b/default/paxtest/debian/rules
@@ -0,0 +1,104 @@
+#!/usr/bin/make -f
+# Sample debian/rules that uses debhelper.
+# GNU copyright 1997 to 1999 by Joey Hess.
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+# This is the debhelper compatibility version to use.
+export DH_COMPAT=3
+
+#
+# The directory where the test programs and shared library are going to live
+#
+RUNDIR=/usr/lib/paxtest
+export RUNDIR
+
+#
+# The directory where the test script (paxtest) is going to live
+#
+BINDIR=/usr/bin
+export BINDIR
+
+ifneq (,$(findstring debug,$(DEB_BUILD_OPTIONS)))
+ CFLAGS += -g
+endif
+ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
+ INSTALL_PROGRAM += -s
+endif
+
+configure: configure-stamp
+configure-stamp:
+ dh_testdir
+ # Add here commands to configure the package.
+
+ touch configure-stamp
+
+
+build: build-stamp
+
+build-stamp: configure-stamp
+ dh_testdir
+
+ # Add here commands to compile the package.
+ $(MAKE) -f Makefile.Adamantix
+ #/usr/bin/docbook-to-man debian/paxtest.sgml > paxtest.1
+
+ touch build-stamp
+
+clean:
+ dh_testdir
+ dh_testroot
+ rm -f build-stamp configure-stamp
+
+ # Add here commands to clean up after the build process.
+ -$(MAKE) -f Makefile.Adamantix clean
+
+ dh_clean
+
+install: build
+ dh_testdir
+ dh_testroot
+ dh_clean -k
+ dh_installdirs
+
+ # Add here commands to install the package into debian/paxtest.
+ $(MAKE) -f Makefile.Adamantix install DESTDIR=$(CURDIR)/debian/paxtest
+
+
+# Build architecture-independent files here.
+binary-indep: build install
+# We have nothing to do by default.
+
+# Build architecture-dependent files here.
+binary-arch: build install
+ dh_testdir
+ dh_testroot
+# dh_installdebconf
+ dh_installdocs
+ dh_installexamples
+ dh_installmenu
+# dh_installlogrotate
+# dh_installemacsen
+# dh_installpam
+# dh_installmime
+# dh_installinit
+ dh_installcron
+ dh_installman
+ dh_installinfo
+# dh_undocumented
+ dh_installchangelogs
+ dh_link
+ dh_strip
+ dh_compress
+ dh_fixperms
+# dh_makeshlibs
+ dh_installdeb
+# dh_perl
+ dh_shlibdeps
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install configure
diff --git a/default/paxtest/execbss.c b/default/paxtest/execbss.c
new file mode 100644
index 0000000..dcf6a54
--- /dev/null
+++ b/default/paxtest/execbss.c
@@ -0,0 +1,31 @@
+/* execbss.c - Tests whether code in the .bss segment can be executed
+ *
+ * Copyright (c)2003 by Peter Busser <peter(a)adamantix.org>
+ * This file has been released under the GNU Public Licence version 2 or later
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include "body.h"
+#include "shellcode.h"
+
+const char testname[] = "Executable bss ";
+
+char buf[MAX_SHELLCODE_LEN];
+
+void doit( void )
+{
+ fptr func;
+
+ copy_shellcode(buf, SHELLCODE_RETURN);
+
+ /* Convert the pointer to a function pointer */
+ func = (fptr)&buf;
+
+ /* Call the code in the buffer */
+ func();
+
+ /* It worked when the function returns */
+ itworked();
+}
diff --git a/default/paxtest/execdata.c b/default/paxtest/execdata.c
new file mode 100644
index 0000000..46439ab
--- /dev/null
+++ b/default/paxtest/execdata.c
@@ -0,0 +1,31 @@
+/* execdata.c - Tests whether code in the .data segment can be executed
+ *
+ * Copyright (c)2003 by Peter Busser <peter(a)adamantix.org>
+ * This file has been released under the GNU Public Licence version 2 or later
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include "body.h"
+#include "shellcode.h"
+
+const char testname[] = "Executable data ";
+
+char buf[MAX_SHELLCODE_LEN] = SHELLCODE_RETURN_ARRAY;
+
+void doit( void )
+{
+ fptr func;
+
+ copy_shellcode(buf, SHELLCODE_RETURN);
+
+ /* Convert the pointer to a function pointer */
+ func = (fptr)&buf;
+
+ /* Call the code in the buffer */
+ func();
+
+ /* It worked when the function returns */
+ itworked();
+}
diff --git a/default/paxtest/execheap.c b/default/paxtest/execheap.c
new file mode 100644
index 0000000..456f0dc
--- /dev/null
+++ b/default/paxtest/execheap.c
@@ -0,0 +1,36 @@
+/* execheap.c - Tests whether code in the heap can be executed
+ *
+ * Copyright (c)2003 by Peter Busser <peter(a)adamantix.org>
+ * This file has been released under the GNU Public Licence version 2 or later
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include "body.h"
+#include "shellcode.h"
+
+const char testname[] = "Executable heap ";
+
+void doit( void )
+{
+ char *buf;
+ fptr func;
+
+ buf = malloc( MAX_SHELLCODE_LEN );
+ if( buf == NULL ) {
+ fprintf( stderr, "Out of memory\n" );
+ exit( 1 );
+ }
+
+ copy_shellcode(buf, SHELLCODE_RETURN);
+
+ /* Convert the pointer to a function pointer */
+ func = (fptr)buf;
+
+ /* Call the code in the buffer */
+ func();
+
+ /* It worked when the function returns */
+ itworked();
+}
diff --git a/default/paxtest/execstack.c b/default/paxtest/execstack.c
new file mode 100644
index 0000000..c63e003
--- /dev/null
+++ b/default/paxtest/execstack.c
@@ -0,0 +1,30 @@
+/* execstack.c - Tests whether code on the stack can be executed
+ *
+ * Copyright (c)2003 by Peter Busser <peter(a)adamantix.org>
+ * This file has been released under the GNU Public Licence version 2 or later
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include "body.h"
+#include "shellcode.h"
+
+const char testname[] = "Executable stack ";
+
+void doit( void )
+{
+ char buf[8192];
+ fptr func;
+
+ copy_shellcode(buf, SHELLCODE_RETURN);
+
+ /* Convert the pointer to a function pointer */
+ func = (fptr)buf;
+
+ /* Call the code in the buffer */
+ func();
+
+ /* It worked when the function returns */
+ itworked();
+}
diff --git a/default/paxtest/genpaxtest b/default/paxtest/genpaxtest
new file mode 100644
index 0000000..5a22e15
--- /dev/null
+++ b/default/paxtest/genpaxtest
@@ -0,0 +1,74 @@
+#!/bin/sh
+#
+# Script to run all the PaX memory protection tests
+#
+# Copyright(c) 2003,2004 by Peter Busser <peter(a)adamantix.org>
+# This file has been released under the GNU Public Licence version 2 or later.
+# See the file COPYING for details.
+#
+
+echo $RUNDIR
+if [ "${RUNDIR}" = "" ]
+then
+ RUNDIR=.
+fi
+
+cat << __here__ > paxtest
+#!/bin/sh
+
+if [ \$# = 1 ]
+then
+ if [ "\$1" = "kiddie" ]
+ then
+ PAXTEST_MODE=0
+ elif [ "\$1" = "blackhat" ]
+ then
+ PAXTEST_MODE=1
+ else
+ echo "usage: paxtest [kiddie|blackhat]"
+ exit 1
+ fi
+else
+ echo "usage: paxtest [kiddie|blackhat]"
+ exit 1
+fi
+
+export PAXTEST_MODE
+
+if [ "\${LD_LIBRARY_PATH}" = "" ]
+then
+ LD_LIBRARY_PATH=${RUNDIR}
+else
+ LD_LIBRARY_PATH=\${LD_LIBRARY_PATH}:${RUNDIR}
+fi
+export LD_LIBRARY_PATH
+
+cat <<__end__ | tee paxtest.log
+PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter(a)adamantix.org>
+Released under the GNU Public Licence version 2 or later
+
+__end__
+
+echo "Mode: \$1" >>paxtest.log
+uname -a >>paxtest.log
+echo >>paxtest.log
+
+echo 'Writing output to paxtest.log'
+echo 'It may take a while for the tests to complete'
+
+for i in $*
+do
+ ${RUNDIR}/\$i
+done >>paxtest.log 2>&1
+
+echo "Test results:"
+cat paxtest.log
+
+echo
+
+__here__
+
+chmod 755 paxtest
+
+exit 0
+
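Review bot: When RUNDIR is unset the generator falls back to `RUNDIR=.`, and that relative value is expanded into the generated script's `LD_LIBRARY_PATH=${RUNDIR}` and `${RUNDIR}/\$i` lines, so the resulting `paxtest` resolves its shared library and test binaries against whatever directory it is started from. A loader search path containing `.` is a risk when the script is run with privileges from a directory other users can write to. Resolving the default once at generation time, `RUNDIR=$(pwd)`, keeps both paths absolute. The generated script also writes `paxtest.log` under a fixed name in the current directory, which is worth a comment so that it is run from a directory the user owns.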
diff --git a/default/paxtest/getamap.c b/default/paxtest/getamap.c
new file mode 100644
index 0000000..2595df5
--- /dev/null
+++ b/default/paxtest/getamap.c
@@ -0,0 +1,30 @@
+/* getamap.c - Get the address of the first anonymous mapping
+ *
+ * Copyright (c)2003 by Peter Busser <peter(a)adamantix.org>
+ * This file has been released under the GNU Public Licence version 2 or later
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/mman.h>
+
+
+#ifndef MAP_ANONYMOUS
+#define MAP_ANONYMOUS MAP_ANON
+#endif
+
+int main( int argc, char *argv[] )
+{
+ char *buf;
+
+ buf = mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
+ if( buf == MAP_FAILED ) {
+ fprintf( stderr, "mmap() returned NULL\n" );
+ exit( 1 );
+ }
+
+ printf( "%p\n", buf );
+
+ exit( 0 );
+}
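Review bot: The failure branch in `main` prints `mmap() returned NULL`, but the check is against `MAP_FAILED` and the message drops errno, so a refused mapping is reported inaccurately. `perror( "mmap" );` would report the actual cause, which matters on a hardened kernel where a mapping can be denied for policy reasons. The same message appears in `doit` in mprotanon.c further down this commit.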
diff --git a/default/paxtest/getheap.c b/default/paxtest/getheap.c
new file mode 100644
index 0000000..2f2372c
--- /dev/null
+++ b/default/paxtest/getheap.c
@@ -0,0 +1,24 @@
+/* getheap.c - Get the address of the first element allocated on the heap and
+ * print it.
+ *
+ * Copyright (c)2003 by Peter Busser <peter(a)adamantix.org>
+ * This file has been released under the GNU Public Licence version 2 or later
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+
+int main( int argc, char *argv[] )
+{
+ char *p;
+
+ p = malloc( 100 );
+ if( p == NULL ) {
+ perror( "getheap" );
+ exit( 1 );
+ }
+
+ printf( "%p\n", p );
+
+ exit( 0 );
+}
diff --git a/default/paxtest/getmain.c b/default/paxtest/getmain.c
new file mode 100644
index 0000000..0ff2373
--- /dev/null
+++ b/default/paxtest/getmain.c
@@ -0,0 +1,19 @@
+/* getmain.c - Get the address of the main function and print it
+ *
+ * Copyright (c)2003 by Peter Busser <peter(a)adamantix.org>
+ * This file has been released under the GNU Public Licence version 2 or later
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+
+void foo(void)
+{
+ printf( "%p\n", __builtin_return_address(0) );
+}
+
+int main( int argc, char *argv[] )
+{
+ foo();
+ exit(0);
+}
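Review bot: `foo` relies on `__builtin_return_address(0)` pointing back into `main`, which only holds while the compiler emits `foo` as a real call; if it is inlined, the value printed is `main`'s own return address, which lies outside the main executable and would skew the randomisation measurement. Declaring it as `void foo(void) __attribute__((noinline));` pins that assumption; the optimisation flags are set in the Makefiles, not in this hunk. The file header could also say that the program prints an address inside `main` rather than the address of `main` itself.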
diff --git a/default/paxtest/getshlib.c b/default/paxtest/getshlib.c
new file mode 100644
index 0000000..1befcb0
--- /dev/null
+++ b/default/paxtest/getshlib.c
@@ -0,0 +1,36 @@
+/* getshlib.c - Get the address of a function in a shared library and print it
+ *
+ * Copyright (c)2003 by Peter Busser <peter(a)adamantix.org>
+ * This file has been released under the GNU Public Licence version 2 or later
+ */
+
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <dlfcn.h>
+
+/* OpenBSD 3.5 doesn't define RTLD_DEFAULT */
+/* OpenBSD 3.6 does but it doesn't actually handle (segfaults on) RTLD_DEFAULT,
sigh... */
+#ifdef __OpenBSD__
+#undef RTLD_DEFAULT
+#define RTLD_DEFAULT "libc.so"
+#endif
+
+int main( int argc, char *argv[] )
+{
+ void *handle;
+
+ handle = dlopen( RTLD_DEFAULT, RTLD_LAZY );
+ if( handle != NULL ) {
+ void *sprintf;
+
+ dlerror(); /* clear any errors */
+ sprintf = dlsym( handle, "sprintf" );
+
+ if( dlerror() == NULL ) {
+ printf( "%p\n", sprintf );
+ }
+
+ dlclose( handle );
+ }
+}
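Review bot: When `dlopen` or `dlsym` fails, `main` prints nothing and falls off its end, so the caller sees empty output with a success status and cannot tell a lookup failure from a measured address. The failure paths should report the `dlerror()` text on stderr and return non-zero, and the second `dlerror()` result has to be saved first because the call clears the error. The local named `sprintf` also shadows the library function and would read better as `addr`.

```c
int main( int argc, char *argv[] )
{
	void *handle;
	void *addr;
	const char *err;

	handle = dlopen( RTLD_DEFAULT, RTLD_LAZY );
	if( handle == NULL ) {
		fprintf( stderr, "getshlib: dlopen: %s\n", dlerror() );
		return 1;
	}

	dlerror(); /* clear any errors */
	addr = dlsym( handle, "sprintf" );
	err = dlerror();
	if( err != NULL ) {
		fprintf( stderr, "getshlib: dlsym: %s\n", err );
		dlclose( handle );
		return 1;
	}

	printf( "%p\n", addr );
	dlclose( handle );
	return 0;
}
```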
diff --git a/default/paxtest/getstack.c b/default/paxtest/getstack.c
new file mode 100644
index 0000000..44b4106
--- /dev/null
+++ b/default/paxtest/getstack.c
@@ -0,0 +1,18 @@
+/* getstack.c - Get the location of the stack and print it
+ * (Idea by Peter Roozemaal)
+ *
+ * Copyright (c)2003 by Peter Busser <peter(a)adamantix.org>
+ * This file has been released under the GNU Public Licence version 2 or later
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+
+int main( int argc, char *argv[] ){
+ char a;
+
+ printf( "%p\n", &a );
+
+ exit( 0 );
+}
+
diff --git a/default/paxtest/interp.c b/default/paxtest/interp.c
new file mode 100644
index 0000000..e7ce97b
--- /dev/null
+++ b/default/paxtest/interp.c
@@ -0,0 +1,5 @@
+#ifdef __UCLIBC__
+const char __invoke_dynamic_linker__[] __attribute__ ((section (".interp"))) =
"/lib/ld-uClibc.so.0";
+#else
+const char __invoke_dynamic_linker__[] __attribute__ ((section (".interp"))) =
"/lib/ld-linux.so.2";
+#endif
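Review bot: The non-uClibc branch hard-codes `/lib/ld-linux.so.2` into `.interp`, which is the i386 glibc loader, while the debian/changelog in this same commit lists 32/64-bit, SPARC and PPC targets. A binary built from this file for another target would name an interpreter that may not exist there and fail at exec time rather than produce a test result; which targets the Makefiles build this file for is not visible here. At minimum the file needs a comment such as `/* .interp for the ET_DYN tests; the path must match the target's dynamic linker (i386 glibc or uClibc only) */`.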
diff --git a/default/paxtest/mprotanon.c b/default/paxtest/mprotanon.c
new file mode 100644
index 0000000..84a4099
--- /dev/null
+++ b/default/paxtest/mprotanon.c
@@ -0,0 +1,65 @@
+/* mprotanon.c - Tests whether code can be executed in anonymous mappings
+ * after trying to use mprotect() to make it executable.
+ *
+ * Copyright (c)2003,2004 by Peter Busser <peter(a)adamantix.org>
+ * This file has been released under the GNU Public Licence version 2 or later
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/mman.h>
+#include "body.h"
+#include "shellcode.h"
+
+#ifndef MAP_ANONYMOUS
+#define MAP_ANONYMOUS MAP_ANON
+#endif
+
+const char testname[] = "Executable anonymous mapping (mprotect) ";
+
+void doit( void )
+{
+ char *buf;
+ fptr func;
+
+ buf = mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
+ if( buf == MAP_FAILED ) {
+ fprintf( stderr, "mmap() returned NULL\n" );
+ exit( 1 );
+ }
+
+ copy_shellcode(buf, SHELLCODE_RETURN);
+
+ /* Convert the pointer to a function pointer */
+ func = (fptr)buf;
+
+ /* Try to make the anonymous mapping executable first by using
+ * mprotect.
+ *
+ * Some people like to disable this call to make the results look
+ * better for their system.
+ *
+ * The whole purpose of this call is to figure out how the system
+ * handles mprotect() calls. If it allows the application to use
+ * mprotect() to override kernel settings, then that is something
+ * the user of this test suite may like to know.
+ *
+ * And yes, I know that this is how UNIX is supposed to work and that
+ * it is a design decision to allow this override. All the more reason
+ * to be honest and open about it and to tell the user why (s)he has
+ * to trade in a bit of security for compatibility.
+ *
+ * But then, it is of course easier to simply disable this mprotect()
+ * call than to fix your kernel and userland.
+ */
+ /* Due to a FreeBSD bug PROT_READ is required */
+ do_mprotect( buf, 4096, PROT_READ|PROT_EXEC );
+
+ /* Call the code in the buffer */
+ func();
+
+ /* It worked when the function returns */
+ itworked();
+}
diff --git a/default/paxtest/mprotbss.c b/default/paxtest/mprotbss.c
new file mode 100644
index 0000000..8a1e3b4
--- /dev/null
+++ b/default/paxtest/mprotbss.c
@@ -0,0 +1,39 @@
+/* mprotbss.c - Tests whether code in the .bss segment can be executed after
+ * trying to use mprotect() to make it executable
+ *
+ * Copyright (c)2003 by Peter Busser <peter(a)adamantix.org>
+ * This file has been released under the GNU Public Licence version 2 or later
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <sys/mman.h>
+#include "body.h"
+#include "shellcode.h"
+
+const char testname[] = "Executable bss (mprotect) ";
+
+char buf[MAX_SHELLCODE_LEN];
+
+void doit( void )
+{
+ fptr func;
+
+ copy_shellcode(buf, SHELLCODE_RETURN);
+
+ /* Convert the pointer to a function pointer */
+ func = (fptr)&buf;
+
+ /* Try to make the bss executable first by using mprotect */
+ /* Due to a FreeBSD bug PROT_READ is required */
+ do_mprotect( &buf, sizeof(buf), PROT_READ|PROT_EXEC );
+
+ /* Call the code in the buffer */
+ func();
+
+ do_mprotect( &buf, sizeof(buf), PROT_READ|PROT_WRITE );
+
+ /* It worked when the function returns */
+ itworked();
+}
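Review bot: Both `do_mprotect` calls in `doit` discard their outcome, so a call that failed for an unrelated reason (for example an invalid address or length) ends in the same crash at `func()` as a call the kernel refused by policy, and the suite would report the region as protected either way. `do_mprotect` is defined in body.c, outside this hunk, so it may already handle alignment and errors; if it returns a status, logging it to stderr before `func()` would make the two cases distinguishable. The same pattern is in mprotdata.c and mprotanon.c.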
diff --git a/default/paxtest/mprotdata.c b/default/paxtest/mprotdata.c
new file mode 100644
index 0000000..cad600a
--- /dev/null
+++ b/default/paxtest/mprotdata.c
@@ -0,0 +1,39 @@
+/* mprotdata.c - Tests whether code in the .data segment can be executed after
+ * trying to use mprotect() to make it executable.
+ *
+ * Copyright (c)2003 by Peter Busser <peter(a)adamantix.org>
+ * This file has been released under the GNU Public Licence version 2 or later
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <sys/mman.h>
+#include "body.h"
+#include "shellcode.h"
+
+const char testname[] = "Executable data (mprotect) ";
+
+char buf[MAX_SHELLCODE_LEN] = SHELLCODE_RETURN_ARRAY;
+
+void doit( void )
+{
+ fptr func;
+
+ copy_shellcode(buf, SHELLCODE_RETURN);
+
+ /* Convert the pointer to a function pointer */
+ func = (fptr)&buf;
+
+ /* Try to make the data executable first by using mprotect */
+ /* Due to an OpenBSD bug PROT_READ is required */
+ do_mprotect( &buf, sizeof(buf), PROT_READ|PROT_EXEC );
+
+ /* Call the code in the buffer */
+ func();
+
+ do_mprotect( &buf, sizeof(buf), PROT_READ|PROT_WRITE );
+
+ /* It worked when the function returns */
+ itworked();
+}
diff --git a/default/paxtest/mprotheap.c b/default/paxtest/mprotheap.c
new file mode 100644
index 0000000..e3a56b2
--- /dev/null
+++ b/default/paxtest/mprotheap.c
@@ -0,0 +1,44 @@
+/* mprotheap.c - Tests whether code on the heap can be executed after trying to
+ * use mprotect() to make it executable.
+ *
+ * Copyright (c)2003 by Peter Busser <peter(a)adamantix.org>
+ * This file has been released under the GNU Public Licence version 2 or later
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <sys/mman.h>
+#include "body.h"
+#include "shellcode.h"
+
+const char testname[] = "Executable heap (mprotect) ";
+
+void doit( void )
+{
+ char *buf;
+ fptr func;
+
+ buf = malloc( MAX_SHELLCODE_LEN );
+ if( buf == NULL ) {
+ fprintf( stderr, "Out of memory\n" );
+ exit( 1 );
+ }
+
+ copy_shellcode(buf, SHELLCODE_RETURN);
+
+ /* Try to make the buffer executable by using mprotect() */
+ /* Due to a FreeBSD bug PROT_READ is required */
+ do_mprotect( buf, SIZE_OF_SHELLCODE_RETURN, PROT_READ|PROT_EXEC );
+
+ /* Convert the pointer to a function pointer */
+ func = (fptr)buf;
+
+ /* Call the code in the buffer */
+ func();
+
+ do_mprotect( buf, MAX_SHELLCODE_LEN, PROT_READ|PROT_WRITE );
+
+ /* It worked when the function returns */
+ itworked();
+}
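Review bot: The two `do_mprotect()` calls in `doit()` cover different lengths: the region is made executable with `SIZE_OF_SHELLCODE_RETURN` but restored with `MAX_SHELLCODE_LEN`. On `__powerpc64__`, `copy_shellcode()` writes `sizeof(dstaddr)` bytes before the return sequence, so the first length is shorter than what was written. Whether that matters depends on how `do_mprotect()` rounds to pages, which is in body.c and not visible here. Using the allocation size in both places keeps the calls symmetric: `do_mprotect( buf, MAX_SHELLCODE_LEN, PROT_READ|PROT_EXEC );`.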
diff --git a/default/paxtest/mprotshbss.c b/default/paxtest/mprotshbss.c
new file mode 100644
index 0000000..15a1dbb
--- /dev/null
+++ b/default/paxtest/mprotshbss.c
@@ -0,0 +1,71 @@
+/* mprotshbss.c - Tests whether code in the .bss segment of a shared library can
+ * be executed after trying to use mprotect() to make it
+ * executable.
+ *
+ * Copyright (c)2003 by Peter Busser <peter(a)adamantix.org>
+ * This file has been released under the GNU Public Licence version 2 or later
+ */
+
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <dlfcn.h>
+#include <sys/mman.h>
+#include "body.h"
+#include "shellcode.h"
+
+const char testname[] = "Executable shared library bss (mprotect) ";
+
+void doit( void )
+{
+ char *shbss;
+ char *shbss2;
+ fptr func;
+ void *handle1, *handle2;
+
+ handle1 = dlopen( "shlibtest.so", RTLD_LAZY );
+ if( handle1 == NULL ) {
+ fprintf( stderr, "dlopen() returned NULL\n" );
+ exit( 1 );
+ }
+ dlerror(); /* clear any errors */
+ shbss = dlsym( handle1, "shbss" );
+ if( dlerror() != NULL ) {
+ fprintf( stderr, "symbol %s not found in %s\n", "shbss",
"shlibtest.so" );
+ exit( 1 );
+ }
+
+ handle2 = dlopen( "shlibtest2.so", RTLD_LAZY );
+ if( handle2 == NULL ) {
+ fprintf( stderr, "dlopen() returned NULL\n" );
+ exit( 1 );
+ }
+ dlerror(); /* clear any errors */
+ shbss2 = dlsym( handle2, "shbss2" );
+ if( dlerror() != NULL ) {
+ fprintf( stderr, "symbol %s not found in %s\n", "shbss2",
"shlibtest2.so" );
+ exit( 1 );
+ }
+
+ copy_shellcode(shbss, SHELLCODE_RETURN);
+ copy_shellcode(shbss2, SHELLCODE_RETURN);
+
+ /* Convert the pointer to a function pointer */
+ func = shbss < shbss2 ? (fptr)shbss : (fptr)shbss2;
+
+ /* Try to make the memory region executable by using mprotect() */
+ /* Due to an OpenBSD bug PROT_READ is required */
+ do_mprotect(func, MAX_SHELLCODE_LEN, PROT_READ|PROT_EXEC );
+
+ /* Call the code in the buffer */
+ func();
+
+ do_mprotect(func, MAX_SHELLCODE_LEN, PROT_READ|PROT_WRITE );
+
+ /* It worked when the function returns */
+ itworked();
+
+ dlclose( handle1 );
+ dlclose( handle2 );
+}
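Review bot: Both `dlopen()` failure paths print only `dlopen() returned NULL`, which discards the loader's reason. The libraries are also opened by bare name, so which file gets loaded depends on the loader search path at run time. Printing the loader message makes a wrong or missing library obvious: `fprintf( stderr, "dlopen(shlibtest.so): %s\n", dlerror() );`. If the build does not already pin the location (the Makefile is outside this hunk), building the path from `RUNDIR`, as the randomisation tests do, would ensure the test exercises its own library. The same applies to mprotshdata.c, shlibbss.c and shlibdata.c.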
diff --git a/default/paxtest/mprotshdata.c b/default/paxtest/mprotshdata.c
new file mode 100644
index 0000000..5a4e56c
--- /dev/null
+++ b/default/paxtest/mprotshdata.c
@@ -0,0 +1,71 @@
+/* mprotshdata.c - Tests whether code in the .data segment of a shared library
+ * can be executed after trying to use mprotect() to make it
+ * executable.
+ *
+ * Copyright (c)2003 by Peter Busser <peter(a)adamantix.org>
+ * This file has been released under the GNU Public Licence version 2 or later
+ */
+
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <dlfcn.h>
+#include <sys/mman.h>
+#include "body.h"
+#include "shellcode.h"
+
+const char testname[] = "Executable shared library data (mprotect)";
+
+void doit( void )
+{
+ fptr func;
+ char *shdata, *shdata2;
+ void *handle1, *handle2;
+
+ handle1 = dlopen( "shlibtest.so", RTLD_LAZY );
+ if( handle1 == NULL ) {
+ fprintf( stderr, "dlopen() returned NULL\n" );
+ exit( 1 );
+ }
+ dlerror(); /* clear any errors */
+ shdata = dlsym( handle1, "shdata" );
+ if( dlerror() != NULL ) {
+ fprintf( stderr, "symbol %s not found in %s\n", "shdata",
"shlibtest.so" );
+ exit( 1 );
+ }
+
+ handle2 = dlopen( "shlibtest2.so", RTLD_LAZY );
+ if( handle2 == NULL ) {
+ fprintf( stderr, "dlopen() returned NULL\n" );
+ exit( 1 );
+ }
+ dlerror(); /* clear any errors */
+ shdata2 = dlsym( handle2, "shdata2" );
+ if( dlerror() != NULL ) {
+ fprintf( stderr, "symbol %s not found in %s\n", "shdata2",
"shlibtest2.so" );
+ exit( 1 );
+ }
+
+ copy_shellcode(shdata, SHELLCODE_RETURN);
+ copy_shellcode(shdata2, SHELLCODE_RETURN);
+
+ /* Convert the pointer to a function pointer */
+ func = shdata < shdata2 ? (fptr)shdata : (fptr)shdata2;
+
+ /* Try to make the memory region executable by using mprotect() */
+ /* Due to an OpenBSD bug PROT_READ is required */
+ do_mprotect( func, MAX_SHELLCODE_LEN, PROT_READ|PROT_EXEC );
+
+ /* Call the code in the buffer */
+ func();
+
+ do_mprotect( func, MAX_SHELLCODE_LEN, PROT_READ|PROT_WRITE );
+
+ /* It worked when the function returns */
+ itworked();
+
+ dlclose( handle1 );
+ dlclose( handle2 );
+}
+
diff --git a/default/paxtest/mprotstack.c b/default/paxtest/mprotstack.c
new file mode 100644
index 0000000..b5f8fe9
--- /dev/null
+++ b/default/paxtest/mprotstack.c
@@ -0,0 +1,35 @@
+/* mprotstack.c - Tests whether code on the stack can be executed after trying
+ * to make it executable by using mprotect().
+ *
+ * Copyright (c)2003 by Peter Busser <peter(a)adamantix.org>
+ * This file has been released under the GNU Public Licence version 2 or later
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <sys/mman.h>
+#include "body.h"
+#include "shellcode.h"
+
+const char testname[] = "Executable stack (mprotect) ";
+
+void doit( void )
+{
+ char buf[MAX_SHELLCODE_LEN];
+ fptr func;
+
+ copy_shellcode(buf, SHELLCODE_RETURN);
+
+ /* Convert the pointer to a function pointer */
+ func = (fptr)&buf;
+
+ /* Try to make the stack executable first */
+ do_mprotect( &buf, sizeof(buf), PROT_READ|PROT_WRITE|PROT_EXEC );
+
+ /* Call the code in the buffer */
+ func();
+
+ /* It worked when the function returns */
+ itworked();
+}
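Review bot: The comment `Try to make the stack executable first` does not explain why this is the only mprotect test in the series that keeps `PROT_WRITE` and never restores the old protection. The stack page has to stay writable for the call through `func` and for the rest of `doit()`, so this test asks for a mapping that is writable and executable at once. The other tests ask only for `PROT_READ|PROT_EXEC`. I would record that in the comment: `/* The stack must stay writable, so this asks for W+X at the same time */`.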
diff --git a/default/paxtest/randamap.c b/default/paxtest/randamap.c
new file mode 100644
index 0000000..96f38b6
--- /dev/null
+++ b/default/paxtest/randamap.c
@@ -0,0 +1,12 @@
+/* randamap.c - Tests the randomisation of anonymous mappings.
+ *
+ * Copyright (c)2003 by Peter Busser <peter(a)adamantix.org>
+ * This file has been released under the GNU Public Licence version 2 or later
+ */
+
+#ifndef RUNDIR
+#error RUNDIR not defined
+#endif
+
+const char testname[] = "Anonymous mapping randomisation test ";
+const char testprog[] = RUNDIR"/getamap";
diff --git a/default/paxtest/randbody.c b/default/paxtest/randbody.c
new file mode 100644
index 0000000..bd78f12
--- /dev/null
+++ b/default/paxtest/randbody.c
@@ -0,0 +1,63 @@
+/* randbody.c - This part is shared by the randomisation tests
+ *
+ * Copyright (c)2003 by Peter Busser <peter(a)adamantix.org>
+ * This file has been released under the GNU Public Licence version 2 or later
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#define COUNT (25)
+
+extern const char testname[];
+extern const char testprog[];
+
+int main( int argc, char *argv[] )
+{
+ FILE *fp;
+ int i;
+ unsigned long tmp;
+ unsigned long and;
+ unsigned long or;
+ int bits;
+ int ret;
+
+ printf( "%s: ", testname );
+
+ and = ~0L;
+ or = 0L;
+ for( i = 0; i < COUNT; i++ ) {
+ fp = popen( testprog, "r" );
+ if( fp == NULL ) {
+ perror( testprog );
+ exit( 1 );
+ }
+
+ ret = fscanf( fp, "%lx", &tmp );
+ if (ret != 1) {
+ perror ( testprog );
+ exit( 1 );
+ }
+ and &= tmp;
+ or |= tmp;
+
+ pclose( fp );
+ }
+
+ if( and == or ) {
+ printf( "No randomisation\n" );
+ } else {
+ tmp = and ^ ~or;
+ tmp = or & ~tmp;
+ bits = 0;
+ while( tmp != 0 ) {
+ bits += (tmp%2);
+ tmp >>= 1;
+ }
+
+ printf( "%d bits (guessed)\n", bits );
+ }
+
+ exit( 0 );
+}
+
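Review bot: When `fscanf()` does not read an address, `main()` calls `perror( testprog )`, but a helper that printed nothing or was killed leaves `errno` untouched, so the message can be unrelated or read `Success`. The `pclose()` result is also ignored, so a helper that died on a signal after printing still counts as a valid sample. I would use `fprintf( stderr, "%s: no address read\n", testprog );` in the failure branch and check `pclose( fp )`, assuming the helpers exit 0 on success (they are outside this hunk). Note also that `testprog` goes through the shell via `popen()`, so `RUNDIR` needs to be a plain path without shell metacharacters.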
diff --git a/default/paxtest/randheap1.c b/default/paxtest/randheap1.c
new file mode 100644
index 0000000..a7e2d2c
--- /dev/null
+++ b/default/paxtest/randheap1.c
@@ -0,0 +1,12 @@
+/* randheap1.c - Tests the randomisation of the heap of ET_EXEC main executable.
+ *
+ * Copyright (c)2003 by Peter Busser <peter(a)adamantix.org>
+ * This file has been released under the GNU Public Licence version 2 or later
+ */
+
+#ifndef RUNDIR
+#error RUNDIR not defined
+#endif
+
+const char testname[] = "Heap randomisation test (ET_EXEC) ";
+const char testprog[] = RUNDIR"/getheap1";
diff --git a/default/paxtest/randheap2.c b/default/paxtest/randheap2.c
new file mode 100644
index 0000000..13e4fb8
--- /dev/null
+++ b/default/paxtest/randheap2.c
@@ -0,0 +1,12 @@
+/* randheap2.c - Tests the randomisation of the heap of PIE main executable.
+ *
+ * Copyright (c)2003 by Peter Busser <peter(a)adamantix.org>
+ * This file has been released under the GNU Public Licence version 2 or later
+ */
+
+#ifndef RUNDIR
+#error RUNDIR not defined
+#endif
+
+const char testname[] = "Heap randomisation test (PIE) ";
+const char testprog[] = RUNDIR"/getheap2";
diff --git a/default/paxtest/randmain1.c b/default/paxtest/randmain1.c
new file mode 100644
index 0000000..dd7c914
--- /dev/null
+++ b/default/paxtest/randmain1.c
@@ -0,0 +1,12 @@
+/* randmain1.c - Tests the randomisation of ET_EXEC main executable
+ *
+ * Copyright (c)2003 by Peter Busser <peter(a)adamantix.org>
+ * This file has been released under the GNU Public Licence version 2 or later
+ */
+
+#ifndef RUNDIR
+#error RUNDIR not defined
+#endif
+
+const char testname[] = "Main executable randomisation (ET_EXEC) ";
+const char testprog[] = RUNDIR"/getmain1";
diff --git a/default/paxtest/randmain2.c b/default/paxtest/randmain2.c
new file mode 100644
index 0000000..6f3a85b
--- /dev/null
+++ b/default/paxtest/randmain2.c
@@ -0,0 +1,12 @@
+/* randmain2.c - Tests the randomisation of the ET_DYN main executable
+ *
+ * Copyright (c)2003 by Peter Busser <peter(a)adamantix.org>
+ * This file has been released under the GNU Public Licence version 2 or later
+ */
+
+#ifndef RUNDIR
+#error RUNDIR not defined
+#endif
+
+const char testname[] = "Main executable randomisation (PIE) ";
+const char testprog[] = RUNDIR"/getmain2";
diff --git a/default/paxtest/randshlib.c b/default/paxtest/randshlib.c
new file mode 100644
index 0000000..8a6f52f
--- /dev/null
+++ b/default/paxtest/randshlib.c
@@ -0,0 +1,12 @@
+/* randshlib.c - Tests the randomisation of shared library loading
+ *
+ * Copyright (c)2003 by Peter Busser <peter(a)adamantix.org>
+ * This file has been released under the GNU Public Licence version 2 or later
+ */
+
+#ifndef RUNDIR
+#error RUNDIR not defined
+#endif
+
+const char testname[] = "Shared library randomisation test ";
+const char testprog[] = RUNDIR"/getshlib";
diff --git a/default/paxtest/randstack1.c b/default/paxtest/randstack1.c
new file mode 100644
index 0000000..9efe223
--- /dev/null
+++ b/default/paxtest/randstack1.c
@@ -0,0 +1,12 @@
+/* randstack.c - Tests the randomisation of the stack pointer.
+ *
+ * Copyright (c)2003 by Peter Busser <peter(a)adamantix.org>
+ * This file has been released under the GNU Public Licence version 2 or later
+ */
+
+#ifndef RUNDIR
+#error RUNDIR not defined
+#endif
+
+const char testname[] = "Stack randomisation test (SEGMEXEC) ";
+const char testprog[] = RUNDIR"/getstack1";
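Review bot: The header comment names the file `randstack.c` and uses the same sentence for randstack1.c and randstack2.c, although they differ in `testname` (SEGMEXEC vs PAGEEXEC) and in the helper they run. The first line should carry the real file name and the variant, e.g. `/* randstack1.c - Tests the randomisation of the stack pointer (SEGMEXEC) */`. The headers of rettofunc1x.c and rettofunc2x.c have the same slip and still say `rettofunc1.c` and `rettofunc2.c`.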
diff --git a/default/paxtest/randstack2.c b/default/paxtest/randstack2.c
new file mode 100644
index 0000000..78f1719
--- /dev/null
+++ b/default/paxtest/randstack2.c
@@ -0,0 +1,12 @@
+/* randstack.c - Tests the randomisation of the stack pointer.
+ *
+ * Copyright (c)2003 by Peter Busser <peter(a)adamantix.org>
+ * This file has been released under the GNU Public Licence version 2 or later
+ */
+
+#ifndef RUNDIR
+#error RUNDIR not defined
+#endif
+
+const char testname[] = "Stack randomisation test (PAGEEXEC) ";
+const char testprog[] = RUNDIR"/getstack2";
diff --git a/default/paxtest/results/Adamantix.blackhat
b/default/paxtest/results/Adamantix.blackhat
new file mode 100644
index 0000000..b0ac914
--- /dev/null
+++ b/default/paxtest/results/Adamantix.blackhat
@@ -0,0 +1,33 @@
+PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter(a)adamantix.org>
+Released under the GNU Public Licence version 2 or later
+
+Mode: blackhat
+Linux devbox 2.4.22-1-k7-sec #1 Mon Jan 26 02:12:39 CET 2004 i686 unknown
+
+Executable anonymous mapping : Killed
+Executable bss : Killed
+Executable data : Killed
+Executable heap : Killed
+Executable stack : Killed
+Executable anonymous mapping (mprotect) : Killed
+Executable bss (mprotect) : Killed
+Executable data (mprotect) : Killed
+Executable heap (mprotect) : Killed
+Executable shared library bss (mprotect) : Killed
+Executable shared library data (mprotect): Killed
+Executable stack (mprotect) : Killed
+Anonymous mapping randomisation test : 16 bits (guessed)
+Heap randomisation test (ET_EXEC) : 25 bits (guessed)
+Heap randomisation test (ET_DYN) : 25 bits (guessed)
+Main executable randomisation (ET_EXEC) : No randomisation
+Main executable randomisation (ET_DYN) : 17 bits (guessed)
+Shared library randomisation test : 16 bits (guessed)
+Stack randomisation test (SEGMEXEC) : 23 bits (guessed)
+Stack randomisation test (PAGEEXEC) : 24 bits (guessed)
+Return to function (strcpy) : Vulnerable
+Return to function (strcpy, RANDEXEC) : Vulnerable
+Return to function (memcpy) : Vulnerable
+Return to function (memcpy, RANDEXEC) : Vulnerable
+Executable shared library bss : Killed
+Executable shared library data : Killed
+Writable text segments : Killed
diff --git a/default/paxtest/results/Adamantix.kiddie
b/default/paxtest/results/Adamantix.kiddie
new file mode 100644
index 0000000..4507023
--- /dev/null
+++ b/default/paxtest/results/Adamantix.kiddie
@@ -0,0 +1,33 @@
+PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter(a)adamantix.org>
+Released under the GNU Public Licence version 2 or later
+
+Mode: kiddie
+Linux devbox 2.4.22-1-k7-sec #1 Mon Jan 26 02:12:39 CET 2004 i686 unknown
+
+Executable anonymous mapping : Killed
+Executable bss : Killed
+Executable data : Killed
+Executable heap : Killed
+Executable stack : Killed
+Executable anonymous mapping (mprotect) : Killed
+Executable bss (mprotect) : Killed
+Executable data (mprotect) : Killed
+Executable heap (mprotect) : Killed
+Executable shared library bss (mprotect) : Killed
+Executable shared library data (mprotect): Killed
+Executable stack (mprotect) : Killed
+Anonymous mapping randomisation test : 16 bits (guessed)
+Heap randomisation test (ET_EXEC) : 25 bits (guessed)
+Heap randomisation test (ET_DYN) : 25 bits (guessed)
+Main executable randomisation (ET_EXEC) : No randomisation
+Main executable randomisation (ET_DYN) : 17 bits (guessed)
+Shared library randomisation test : 16 bits (guessed)
+Stack randomisation test (SEGMEXEC) : 23 bits (guessed)
+Stack randomisation test (PAGEEXEC) : 24 bits (guessed)
+Return to function (strcpy) : Vulnerable
+Return to function (strcpy, RANDEXEC) : Vulnerable
+Return to function (memcpy) : Vulnerable
+Return to function (memcpy, RANDEXEC) : Vulnerable
+Executable shared library bss : Killed
+Executable shared library data : Killed
+Writable text segments : Killed
diff --git a/default/paxtest/results/Gentoo.blackhat
b/default/paxtest/results/Gentoo.blackhat
new file mode 100644
index 0000000..98a01a9
--- /dev/null
+++ b/default/paxtest/results/Gentoo.blackhat
@@ -0,0 +1,33 @@
+PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter(a)adamantix.org>
+Released under the GNU Public Licence version 2 or later
+
+Mode: blackhat
+Linux simple 2.4.24-grsec-1.9.13 #3 Wed Jan 14 00:48:25 EST 2004 i686 Intel(R) Pentium(R)
4 CPU 1400MHz GenuineIntel GNU/Linux
+
+Executable anonymous mapping : Killed
+Executable bss : Killed
+Executable data : Killed
+Executable heap : Killed
+Executable stack : Killed
+Executable anonymous mapping (mprotect) : Killed
+Executable bss (mprotect) : Killed
+Executable data (mprotect) : Killed
+Executable heap (mprotect) : Killed
+Executable stack (mprotect) : Killed
+Executable shared library bss (mprotect) : Killed
+Executable shared library data (mprotect): Killed
+Writable text segments : Killed
+Anonymous mapping randomisation test : 16 bits (guessed)
+Heap randomisation test (ET_EXEC) : 13 bits (guessed)
+Heap randomisation test (ET_DYN) : 25 bits (guessed)
+Main executable randomisation (ET_EXEC) : 16 bits (guessed)
+Main executable randomisation (ET_DYN) : 17 bits (guessed)
+Shared library randomisation test : 16 bits (guessed)
+Stack randomisation test (SEGMEXEC) : 23 bits (guessed)
+Stack randomisation test (PAGEEXEC) : 24 bits (guessed)
+Return to function (strcpy) : Vulnerable
+Return to function (memcpy) : Vulnerable
+Return to function (strcpy, RANDEXEC) : Killed
+Return to function (memcpy, RANDEXEC) : Killed
+Executable shared library bss : Killed
+Executable shared library data : Killed
diff --git a/default/paxtest/results/Results.README
b/default/paxtest/results/Results.README
new file mode 100644
index 0000000..761cd87
--- /dev/null
+++ b/default/paxtest/results/Results.README
@@ -0,0 +1,10 @@
+The Adamantix paxtest results are generated by running paxtest on a default
+kernel configuration. The Adamantix default configuration does not enable
+randomisation of normal executables (the so called ET_EXEC files), because
+it costs performance and there are only a few executables of this type anyway.
+
+The Gentoo results show what is possible when a kernel is configured by hand
+and all PaX features are enabled (there is no default kernel configuration in
+Gentoo, or so the Gentoo developers say). It includes ET_EXEC randomisation,
+which also prevents certain return to function attacks.
+
diff --git a/default/paxtest/rettofunc1.c b/default/paxtest/rettofunc1.c
new file mode 100644
index 0000000..de2df25
--- /dev/null
+++ b/default/paxtest/rettofunc1.c
@@ -0,0 +1,31 @@
+/* rettofunc1.c - Tests whether return to function exploits work or not.
+ *
+ * Copyright (c)2003 by Peter Busser <peter(a)adamantix.org>
+ * This file has been released under the GNU Public Licence version 2 or later
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "body.h"
+
+const char testname[] = "Return to function (strcpy) ";
+
+fptr overflow[32] = {
+ itworked, itworked, itworked, itworked, itworked, itworked, itworked, itworked,
+ itworked, itworked, itworked, itworked, itworked, itworked, itworked, itworked,
+ itworked, itworked, itworked, itworked, itworked, itworked, itworked, itworked,
+ itworked, itworked, itworked, itworked, itworked, itworked, itworked, NULL
+};
+
+void doit( void )
+{
+ char buf[4];
+
+ if (strlen((const char *)overflow) > sizeof(overflow[0])) {
+ strcpy( buf, (const char *)overflow );
+ } else {
+ fprintf( stderr, "paxtest: return address contains a NULL byte.\n" );
+ exit(1);
+ }
+}
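Review bot: `doit()` has no comment saying that the `strcpy()` into `char buf[4]` is a deliberate overflow, or which build settings the result assumes. If the file is compiled with a stack protector or fortified string functions, the toolchain's check stops the process rather than the kernel feature under test. The reported result then says nothing about the kernel; the build flags are in the Makefile, outside this hunk. A comment such as `/* Deliberate overflow of buf with the address of itworked(); the result is only meaningful when the compiler's own overflow checks are not what stops it */` would record that. The same applies to rettofunc1x.c, rettofunc2.c and rettofunc2x.c.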
diff --git a/default/paxtest/rettofunc1x.c b/default/paxtest/rettofunc1x.c
new file mode 100644
index 0000000..e478d28
--- /dev/null
+++ b/default/paxtest/rettofunc1x.c
@@ -0,0 +1,31 @@
+/* rettofunc1.c - Tests whether return to function exploits work or not.
+ *
+ * Copyright (c)2003,2004 by Peter Busser <peter(a)adamantix.org>
+ * This file has been released under the GNU Public Licence version 2 or later
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "body.h"
+
+const char testname[] = "Return to function (strcpy, PIE) ";
+
+fptr overflow[32] = {
+ itworked, itworked, itworked, itworked, itworked, itworked, itworked, itworked,
+ itworked, itworked, itworked, itworked, itworked, itworked, itworked, itworked,
+ itworked, itworked, itworked, itworked, itworked, itworked, itworked, itworked,
+ itworked, itworked, itworked, itworked, itworked, itworked, itworked, NULL
+};
+
+void doit( void )
+{
+ char buf[4];
+
+ if (strlen((const char *)overflow) > sizeof(overflow[0])) {
+ strcpy( buf, (const char *)overflow );
+ } else {
+ fprintf( stderr, "paxtest: return address contains a NULL byte.\n" );
+ exit(1);
+ }
+}
diff --git a/default/paxtest/rettofunc2.c b/default/paxtest/rettofunc2.c
new file mode 100644
index 0000000..797956d
--- /dev/null
+++ b/default/paxtest/rettofunc2.c
@@ -0,0 +1,25 @@
+/* rettofunc2.c - Tests whether return to function exploits using memcpy() work
+ *
+ * Copyright (c)2003 by Peter Busser <peter(a)adamantix.org>
+ * This file has been released under the GNU Public Licence version 2 or later
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include "body.h"
+
+const char testname[] = "Return to function (memcpy) ";
+
+fptr overflow[32] = {
+ itworked, itworked, itworked, itworked, itworked, itworked, itworked, itworked,
+ itworked, itworked, itworked, itworked, itworked, itworked, itworked, itworked,
+ itworked, itworked, itworked, itworked, itworked, itworked, itworked, itworked,
+ itworked, itworked, itworked, itworked, itworked, itworked, itworked, itworked
+};
+
+void doit( void )
+{
+ char buf[4];
+
+ memcpy( buf, overflow, sizeof( overflow ) );
+}
diff --git a/default/paxtest/rettofunc2x.c b/default/paxtest/rettofunc2x.c
new file mode 100644
index 0000000..17af284
--- /dev/null
+++ b/default/paxtest/rettofunc2x.c
@@ -0,0 +1,25 @@
+/* rettofunc2.c - Tests whether return to function exploits using memcpy() work
+ *
+ * Copyright (c)2003 by Peter Busser <peter(a)adamantix.org>
+ * This file has been released under the GNU Public Licence version 2 or later
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include "body.h"
+
+const char testname[] = "Return to function (memcpy, PIE) ";
+
+fptr overflow[32] = {
+ itworked, itworked, itworked, itworked, itworked, itworked, itworked, itworked,
+ itworked, itworked, itworked, itworked, itworked, itworked, itworked, itworked,
+ itworked, itworked, itworked, itworked, itworked, itworked, itworked, itworked,
+ itworked, itworked, itworked, itworked, itworked, itworked, itworked, itworked
+};
+
+void doit( void )
+{
+ char buf[4];
+
+ memcpy( buf, overflow, sizeof( overflow ) );
+}
diff --git a/default/paxtest/runtest.sh b/default/paxtest/runtest.sh
new file mode 100755
index 0000000..0014e78
--- /dev/null
+++ b/default/paxtest/runtest.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# Build.
+make linux >/dev/null 2>/dev/null
+if [ ! -f ./paxtest ]; then
+ echo "Something went wrong during paxtest build."
+ exit -1
+fi
+
+# Run tests
+./paxtest blackhat > results.txt
+
+# Parse results
+## TODO
+
+
+# Clean up.
+rm -f core.*
+
+rm -f results.txt
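Review bot: The script never inspects the results: `results.txt` is written and then deleted, the parse step is a `TODO`, and the script exits with the status of the final `rm -f`. A harness therefore sees success whatever paxtest reported. `exit -1` is also not a valid status for POSIX `sh` and some shells reject it, so use `exit 1`. Until parsing exists, I would at least `cat results.txt` before removing it so the run leaves a record in the test log. Sending the build output to `/dev/null` hides the reason when the `./paxtest` existence check fails.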
diff --git a/default/paxtest/shellcode.h b/default/paxtest/shellcode.h
new file mode 100644
index 0000000..069a0f7
--- /dev/null
+++ b/default/paxtest/shellcode.h
@@ -0,0 +1,37 @@
+#include <unistd.h>
+#include <string.h>
+
+#define MAX_SHELLCODE_LEN 12
+
+#if defined(__powerpc__)
+#define SHELLCODE_RETURN_ARRAY { '\x4e', '\x80', '\x00',
'\x20' }
+#define SHELLCODE_RETURN "\x4e\x80\x00\x20"
+#define SIZE_OF_SHELLCODE_RETURN 4
+#elif defined(__sparc__) && !defined(__arch64__)
+#define SHELLCODE_RETURN_ARRAY { '\x81', '\xc7', '\xe0',
'\x08', '\x81', '\xe8' ,'\x00', '\x00' }
+#define SHELLCODE_RETURN "\x81\xc7\xe0\x08\x81\xe8\x00\x00"
+#define SIZE_OF_SHELLCODE_RETURN 8
+#elif defined(__sparc__) && defined(__arch64__)
+#define SHELLCODE_RETURN_ARRAY { '\x9d', '\xe3', '\xbf',
'\x40', '\x81', '\xcf', '\xe0', '\x08',
'\x01', '\x00', '\x00', '\x00' }
+#define SHELLCODE_RETURN "\x9d\xe3\xbf\x40\x81\xcf\xe0\x08\x01\x00\x00\x00"
+#define SIZE_OF_SHELLCODE_RETURN 12
+#else
+#define SHELLCODE_RETURN_ARRAY { '\xc3' }
+#define SHELLCODE_RETURN "\xc3"
+#define SIZE_OF_SHELLCODE_RETURN 1
+#endif
+
+#if defined(__powerpc64__)
+static inline void copy_shellcode(char *dest, char *src)
+{
+ /* 12 bytes total */
+ unsigned long dstaddr = (unsigned long)dest + sizeof(dstaddr);
+ memcpy(dest, &dstaddr, sizeof(dstaddr));
+ memcpy(dest + sizeof(dstaddr), src, SIZE_OF_SHELLCODE_RETURN);
+}
+#else
+static inline void copy_shellcode(char *dest, char *src)
+{
+ memcpy(dest, src, SIZE_OF_SHELLCODE_RETURN);
+}
+#endif
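Review bot: Both variants of `copy_shellcode()` declare `char *src`, although the callers visible in this commit all pass the string literal `SHELLCODE_RETURN`. `const char *src` matches what the function does and lets the compiler catch a write through it. In the `__powerpc64__` variant the bytes written are `sizeof(dstaddr) + SIZE_OF_SHELLCODE_RETURN`, which equals `MAX_SHELLCODE_LEN` only because 8 + 4 happens to be 12, and the comment `12 bytes total` is the only thing tying the two together. I would state the invariant next to the define: `#define MAX_SHELLCODE_LEN 12 /* must cover the ppc64 descriptor plus the longest return sequence */`. The header also has no include guard.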
diff --git a/default/paxtest/shlibbss.c b/default/paxtest/shlibbss.c
new file mode 100644
index 0000000..8fd2a52
--- /dev/null
+++ b/default/paxtest/shlibbss.c
@@ -0,0 +1,63 @@
+/* shlibbss.c - Tests whether code in the .bss segment of a shared library can
+ * be executed
+ *
+ * Copyright (c)2003 by Peter Busser <peter(a)adamantix.org>
+ * This file has been released under the GNU Public Licence version 2 or later
+ */
+
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <dlfcn.h>
+#include "body.h"
+#include "shellcode.h"
+
+const char testname[] = "Executable shared library bss ";
+
+void doit( void )
+{
+ char *shbss;
+ char *shbss2;
+ fptr func;
+ void *handle1, *handle2;
+
+ handle1 = dlopen( "shlibtest.so", RTLD_LAZY );
+ if( handle1 == NULL ) {
+ fprintf( stderr, "dlopen() returned NULL\n" );
+ exit( 1 );
+ }
+ dlerror(); /* clear any errors */
+ shbss = dlsym( handle1, "shbss" );
+ if( dlerror() != NULL ) {
+ fprintf( stderr, "symbol %s not found in %s\n", "shbss",
"shlibtest.so" );
+ exit( 1 );
+ }
+
+ handle2 = dlopen( "shlibtest2.so", RTLD_LAZY );
+ if( handle2 == NULL ) {
+ fprintf( stderr, "dlopen() returned NULL\n" );
+ exit( 1 );
+ }
+ dlerror(); /* clear any errors */
+ shbss2 = dlsym( handle2, "shbss2" );
+ if( dlerror() != NULL ) {
+ fprintf( stderr, "symbol %s not found in %s\n", "shbss2",
"shlibtest2.so" );
+ exit( 1 );
+ }
+
+ copy_shellcode(shbss, SHELLCODE_RETURN);
+ copy_shellcode(shbss2, SHELLCODE_RETURN);
+
+ /* Convert the pointer to a function pointer */
+ func = shbss < shbss2 ? (fptr)shbss : (fptr)shbss2;
+
+ /* Call the code in the buffer */
+ func();
+
+ /* It worked when the function returns */
+ itworked();
+
+ dlclose( handle1 );
+ dlclose( handle2 );
+}
diff --git a/default/paxtest/shlibdata.c b/default/paxtest/shlibdata.c
new file mode 100644
index 0000000..2e070a6
--- /dev/null
+++ b/default/paxtest/shlibdata.c
@@ -0,0 +1,63 @@
+/* shlibdata.c - Tests whether code in the .data segment of a shared library can
+ * be executed
+ *
+ * Copyright (c)2003 by Peter Busser <peter(a)adamantix.org>
+ * This file has been released under the GNU Public Licence version 2 or later
+ */
+
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <dlfcn.h>
+#include "body.h"
+#include "shellcode.h"
+
+const char testname[] = "Executable shared library data ";
+
+
+void doit( void )
+{
+ fptr func;
+ char *shdata, *shdata2;
+ void *handle1, *handle2;
+
+ handle1 = dlopen( "shlibtest.so", RTLD_LAZY );
+ if( handle1 == NULL ) {
+ fprintf( stderr, "dlopen() returned NULL\n" );
+ exit( 1 );
+ }
+ dlerror(); /* clear any errors */
+ shdata = dlsym( handle1, "shdata" );
+ if( dlerror() != NULL ) {
+ fprintf( stderr, "symbol %s not found in %s\n", "shdata",
"shlibtest.so" );
+ exit( 1 );
+ }
+
+ handle2 = dlopen( "shlibtest2.so", RTLD_LAZY );
+ if( handle2 == NULL ) {
+ fprintf( stderr, "dlopen() returned NULL\n" );
+ exit( 1 );
+ }
+ dlerror(); /* clear any errors */
+ shdata2 = dlsym( handle2, "shdata2" );
+ if( dlerror() != NULL ) {
+ fprintf( stderr, "symbol %s not found in %s\n", "shdata2",
"shlibtest2.so" );
+ exit( 1 );
+ }
+
+ copy_shellcode(shdata, SHELLCODE_RETURN);
+ copy_shellcode(shdata2, SHELLCODE_RETURN);
+
+ /* Convert the pointer to a function pointer */
+ func = shdata < shdata2 ? (fptr)shdata : (fptr)shdata2;
+
+ /* Call the code in the buffer */
+ func();
+
+ /* It worked when the function returns */
+ itworked();
+
+ dlclose( handle1 );
+ dlclose( handle2 );
+}
diff --git a/default/paxtest/shlibtest.c b/default/paxtest/shlibtest.c
new file mode 100644
index 0000000..c61572e
--- /dev/null
+++ b/default/paxtest/shlibtest.c
@@ -0,0 +1,16 @@
+/* shlibtest.c - Shared library used by the shared library tests.
+ *
+ * Copyright (c)2003 by Peter Busser <peter(a)adamantix.org>
+ * This file has been released under the GNU Public Licence version 2 or later
+ */
+#include "shellcode.h"
+
+char shbss[4096];
+
+char shdata[4096] = SHELLCODE_RETURN_ARRAY;
+
+/* A function which does nothing, it only exists so it can be referenced */
+int shlibtest( void )
+{
+ return 1;
+}
diff --git a/default/paxtest/shlibtest2.c b/default/paxtest/shlibtest2.c
new file mode 100644
index 0000000..111ea05
--- /dev/null
+++ b/default/paxtest/shlibtest2.c
@@ -0,0 +1,17 @@
+/* shlibtest2.c - Shared library used by the shared library tests.
+ *
+ * Copyright (c)2003 by Peter Busser <peter(a)adamantix.org>
+ * This file has been released under the GNU Public Licence version 2 or later
+ */
+
+#include "shellcode.h"
+
+char shbss2[4096];
+
+char shdata2[4096] = SHELLCODE_RETURN_ARRAY;
+
+/* A function which does nothing, it only exists so it can be referenced */
+int shlibtest2( void )
+{
+ return 1;
+}
diff --git a/default/paxtest/targets b/default/paxtest/targets
new file mode 100644
index 0000000..db9097b
--- /dev/null
+++ b/default/paxtest/targets
@@ -0,0 +1,10 @@
+Choose one of the following make targets:
+
+linux Linux (gcc default)
+linux32 32bit Linux
+linux64 64bit Linux
+
+openbsd OpenBSD
+
+clean Clean up
+
diff --git a/default/paxtest/writetext.c b/default/paxtest/writetext.c
new file mode 100644
index 0000000..59bc97f
--- /dev/null
+++ b/default/paxtest/writetext.c
@@ -0,0 +1,56 @@
+/* writetext.c - Test whether a .text sections can be written
+ *
+ * Copyright (c)2003 by Peter Busser <peter(a)adamantix.org>
+ * This file has been released under the GNU Public Licence version 2 or later
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <signal.h>
+#include <sys/mman.h>
+#include "body.h"
+
+const char testname[] = "Writable text segments ";
+
+extern int shlibtest( void );
+
+static void sigsegv( int sig )
+{
+ printf( "Killed\n" );
+ exit( 1 );
+}
+
+void doit( void )
+{
+ volatile char *buf;
+ char c;
+
+ buf = (char*)shlibtest;
+
+ signal( SIGSEGV, sigsegv );
+
+ /* Try to make the text writable first by using mprotect
+ *
+ * Some people like to disable this call to make the results look
+ * better for their system.
+ *
+ * The purpose of the mprotect() here is to *really* try to write to
+ * that piece of executable memory. If you want to know whether a box
+ * can be opened or not, you try to pull it open. Just looking at it,
+ * seeing that it is closed, and therefore concluding that it cannot
+ * be opened is rather lame.
+ *
+ * But then, it is of course easier to get good paxtest results by
+ * disabling this mprotect than to fix your kernel code and userland.
+ */
+ do_mprotect( buf, 4096, PROT_READ|PROT_WRITE|PROT_EXEC );
+
+ /* Try to write something */
+ /* gcc 4.5 optimized this out if buf wasn't volatile */
+ *buf = 'X';
+
+ /* It worked when the function returns */
+ itworked();
+}
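Review bot: The `sigsegv()` handler calls `printf()` and `exit()`, neither of which is async-signal-safe. Here the fault comes from the store to `*buf`, so a stdio deadlock is unlikely, but the handler would not survive being reused elsewhere. `write( STDOUT_FILENO, "Killed\n", 7 ); _exit( 1 );` does the same job safely, and `<unistd.h>` is already included. Add an `fflush( stdout );` before `signal()` so that anything body.c printed earlier is not lost; body.c is outside this hunk, so that part is an assumption. The local `char c;` in `doit()` is unused.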