Exec-Shield¤òÍ­¸ú¤Ë¤·¤Æ¡¢¥Ð¥Ã¥Õ¥¡¡¦¥ª¡¼¥Ñ¡¼¥Õ¥í¡¼¹¶·â¤ò¥Ö¥í¥Ã¥¯¤¹¤ë¡£

¢£ Exec-Shield¤ÎÀßÄê

¸½¾õ³Îǧ
[root@server ~]# cat /proc/sys/kernel/exec-shield
1

Exec-Shield¤òÍ­¸ú¤Ë¤¹¤ë¡£
[root@server ~]# echo 2 > /proc/sys/kernel/exec-shield

ºÆ³Îǧ
[root@server ~]# cat /proc/sys/kernel/exec-shield
2

µ¯Æ°»þ¤Ë¡¢Í­¸ú¤Ë¤¹¤ë¡£
[root@server ~]# vi /etc/rc.d/rc.local

echo 2 > /proc/sys/kernel/exec-shield¡¡¡¡¡¡¡¡¢« ÄɲÃ

¢£ Exec-Shield¤ÎÆ°ºî³Îǧ

[root@server ~]# wget http://pubs.research.avayalabs.com/src/libsafe-2.0-16.i386.rpm
--20:09:05--  http://pubs.research.avayalabs.com/src/libsafe-2.0-16.i386.rpm
           => `libsafe-2.0-16.i386.rpm'
pubs.research.avayalabs.com ¤òDNS¤ËÌ䤤¤¢¤ï¤»¤Æ¤¤¤Þ¤¹... 198.152.240.29
pubs.research.avayalabs.com|198.152.240.29|:80 ¤ËÀܳ¤·¤Æ¤¤¤Þ¤¹... Àܳ¤·¤Þ¤·¤¿¡£
HTTP ¤Ë¤è¤ëÀܳÍ×µá¤òÁ÷¿®¤·¤Þ¤·¤¿¡¢±þÅú¤òÂԤäƤ¤¤Þ¤¹... 200 OK
Ťµ: 374,371 (366K) [text/plain]

100%[====================================>] 374,371      120.19K/s    ETA 00:00

20:09:09 (119.99 KB/s) - `libsafe-2.0-16.i386.rpm' ¤òÊݸ¤·¤Þ¤·¤¿ [374371/374371]

[root@server ~]# rpm -ivh libsafe-2.0-16.i386.rpm  ¢«¡¡libsafe¤Î¥¤¥ó¥¹¥È¡¼¥ë
½àÈ÷Ãæ...                   ########################################### [100%]
   1:libsafe                ########################################### [100%]
Adding libsafe to ld.so.preload for system wide protection

[root@server ~]# cp /usr/doc/libsafe-2.0/exploits/t1 ./  ¢«¡¡¹¶·â¥Ä¡¼¥ë¤ò¥³¥Ô¡¼

[root@server ~]# rpm -e libsafe  ¢«¡¡libsafe¤Î¥¢¥ó¥¤¥ó¥¹¥È¡¼¥ë
Removing libsafe from /etc/ld.so.preload (if exists)

[root@server ~]# ./t1  ¢«¡¡¹¶·â¥Ä¡¼¥ë¤Î¼Â¹Ô
This program tries to use strcpy() to overflow the buffer.
If you get a /bin/sh prompt, then the exploit has worked.
Press any key to continue...abc;  ¢«¡¡Å¬Åö¤ËÆþÎÏ
¥»¥°¥á¥ó¥Æ¡¼¥·¥ç¥ó°ãÈ¿¤Ç¤¹  ¢«¡¡¥Ð¥Ã¥Õ¥¡¥ª¡¼¥Ð¡¼¥Õ¥í¡¼¤¬¥Ö¥í¥Ã¥¯¤µ¤ì¤¿

[root@server ~]# rm ./t1  ¢«¡¡¹¶·â¥Ä¡¼¥ë¤òºï½ü
rm: remove Ä̾ï¥Õ¥¡¥¤¥ë `./t1'? y ¡¡¢«¡¡y¤ÈÆþÎϤ·¤Æ¹¶·â¥Ä¡¼¥ë¤òºï½ü