{"id":33,"date":"2011-09-24T01:42:00","date_gmt":"2011-09-23T16:42:00","guid":{"rendered":"http:\/\/yokensaka.com\/centos\/?p=33"},"modified":"2014-07-19T20:18:21","modified_gmt":"2014-07-19T11:18:21","slug":"%e3%83%90%e3%83%83%e3%83%95%e3%82%a1%e3%83%bb%e3%82%aa%e3%83%bc%e3%83%91%e3%83%bc%e3%83%95%e3%83%ad%e3%83%bc%e5%af%be%e7%ad%96%ef%bc%88exec-shield","status":"publish","type":"post","link":"http:\/\/yokensaka.com\/centos\/?p=33","title":{"rendered":"\u30d0\u30c3\u30d5\u30a1\u30fb\u30aa\u30fc\u30d1\u30fc\u30d5\u30ed\u30fc\u5bfe\u7b56\uff08Exec-Shield)"},"content":{"rendered":"<p>Exec-Shield\u3092\u6709\u52b9\u306b\u3057\u3066\u3001\u30d0\u30c3\u30d5\u30a1\u30fb\u30aa\u30fc\u30d1\u30fc\u30d5\u30ed\u30fc\u653b\u6483\u3092\u30d6\u30ed\u30c3\u30af\u3059\u308b\u3002<br \/>\n<b>\u25a0 Exec-Shield\u306e\u8a2d\u5b9a<\/b><\/p>\n<pre>\r\n\u73fe\u72b6\u78ba\u8a8d\r\n[root@server1 ~]# cat \/proc\/sys\/kernel\/exec-shield\r\n1\r\nExec-Shield\u3092\u6709\u52b9\u306b\u3059\u308b\u3002\r\n[root@server1 ~]# echo 2 &gt; \/proc\/sys\/kernel\/exec-shield\r\n\u518d\u78ba\u8a8d\r\n[root@server1 ~]# cat \/proc\/sys\/kernel\/exec-shield\r\n2\r\n\u8d77\u52d5\u6642\u306b\u3001\u6709\u52b9\u306b\u3059\u308b\u3002\r\n[root@server1 ~]# vi \/etc\/rc.d\/rc.local\r\necho 2 &gt; \/proc\/sys\/kernel\/exec-shield\u3000\u3000\u3000\u3000\u2190 \u8ffd\u52a0\r\n<\/pre>\n<p><b>\u25a0 Exec-Shield\u306e\u52d5\u4f5c\u78ba\u8a8d<\/b><\/p>\n<pre>\r\n[root@server1 ~]# wget http:\/\/pubs.research.avayalabs.com\/src\/libsafe-2.0-16.i386.rpm\r\n--2011-09-19 19:34:28--  http:\/\/pubs.research.avayalabs.com\/src\/libsafe-2.0-16.i386.rpm\r\npubs.research.avayalabs.com \u3092DNS\u306b\u554f\u3044\u3042\u308f\u305b\u3066\u3044\u307e\u3059... 198.152.240.29\r\npubs.research.avayalabs.com|198.152.240.29|:80 \u306b\u63a5\u7d9a\u3057\u3066\u3044\u307e\u3059... \u63a5\u7d9a\u3057\u307e\u3057\u305f\u3002\r\nHTTP \u306b\u3088\u308b\u63a5\u7d9a\u8981\u6c42\u3092\u9001\u4fe1\u3057\u307e\u3057\u305f\u3001\u5fdc\u7b54\u3092\u5f85\u3063\u3066\u3044\u307e\u3059... 200 OK\r\n\u9577\u3055: 374371 (366K) [text\/plain]\r\n`libsafe-2.0-16.i386.rpm' \u306b\u4fdd\u5b58\u4e2d\r\n100%[=========================================================================&gt;] 374,371     81.8K\/s \u6642\u9593 4.8s\r\n2011-09-19 19:34:33 (76.5 KB\/s) - `libsafe-2.0-16.i386.rpm' \u3078\u4fdd\u5b58\u5b8c\u4e86 [374371\/374371]\r\n[root@server1 ~]# rpm -ivh libsafe-2.0-16.i386.rpm  \u2190\u3000libsafe\u306e\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\r\n\u6e96\u5099\u4e2d...                   ########################################### [100%]\r\n1:libsafe                ########################################### [100%]\r\nAdding libsafe to ld.so.preload for system wide protection\r\n[root@server1 ~]# cp \/usr\/doc\/libsafe-2.0\/exploits\/t1 .\/  \u2190\u3000\u653b\u6483\u30c4\u30fc\u30eb\u3092\u30b3\u30d4\u30fc\r\n[root@server1 ~]# rpm -e libsafe  \u2190\u3000libsafe\u306e\u30a2\u30f3\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\r\nRemoving libsafe from \/etc\/ld.so.preload (if exists)\r\n[root@server1 ~]# .\/t1  \u2190\u3000\u653b\u6483\u30c4\u30fc\u30eb\u306e\u5b9f\u884c\r\nThis program tries to use strcpy() to overflow the buffer.\r\nIf you get a \/bin\/sh prompt, then the exploit has worked.\r\nPress any key to continue...abc;  \u2190\u3000\u9069\u5f53\u306b\u5165\u529b\r\n\u30bb\u30b0\u30e1\u30f3\u30c6\u30fc\u30b7\u30e7\u30f3\u9055\u53cd\u3067\u3059 (\u30b3\u30a2\u30c0\u30f3\u30d7)  \u2190\u3000\u30d0\u30c3\u30d5\u30a1\u30aa\u30fc\u30d0\u30fc\u30d5\u30ed\u30fc\u304c\u30d6\u30ed\u30c3\u30af\u3055\u308c\u305f\r\n[root@server1 ~]# rm .\/t1  \u2190\u3000\u653b\u6483\u30c4\u30fc\u30eb\u3092\u524a\u9664\r\nrm: remove \u901a\u5e38\u30d5\u30a1\u30a4\u30eb `.\/t1'? y \u3000\u2190\u3000y\u3068\u5165\u529b\u3057\u3066\u653b\u6483\u30c4\u30fc\u30eb\u3092\u524a\u9664\r\n<\/pre>\n<div align=right><a href=\"#\">\u25b2 \u30da\u30fc\u30b8\u30c8\u30c3\u30d7\u3078<\/a><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Exec-Shield\u3092\u6709\u52b9\u306b\u3057\u3066\u3001\u30d0\u30c3\u30d5\u30a1\u30fb\u30aa\u30fc\u30d1\u30fc\u30d5\u30ed\u30fc\u653b\u6483\u3092\u30d6\u30ed\u30c3\u30af\u3059\u308b\u3002 &hellip; <a href=\"http:\/\/yokensaka.com\/centos\/?p=33\">\u7d9a\u304d\u3092\u8aad\u3080 <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[14],"tags":[],"class_list":["post-33","post","type-post","status-publish","format-standard","hentry","category-14"],"_links":{"self":[{"href":"http:\/\/yokensaka.com\/centos\/index.php?rest_route=\/wp\/v2\/posts\/33","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/yokensaka.com\/centos\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/yokensaka.com\/centos\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/yokensaka.com\/centos\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/yokensaka.com\/centos\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=33"}],"version-history":[{"count":1,"href":"http:\/\/yokensaka.com\/centos\/index.php?rest_route=\/wp\/v2\/posts\/33\/revisions"}],"predecessor-version":[{"id":241,"href":"http:\/\/yokensaka.com\/centos\/index.php?rest_route=\/wp\/v2\/posts\/33\/revisions\/241"}],"wp:attachment":[{"href":"http:\/\/yokensaka.com\/centos\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=33"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/yokensaka.com\/centos\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=33"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/yokensaka.com\/centos\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=33"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}