
I'm learning stack buffer overflow exploitation, and I later posted the question "Shellcode segmentation fault" about the fact that executing shellcode from a test program, or when it is injected into a vulnerable program, causes a segmentation violation. Now I have found out that it might be caused by NX. When I searched for this in dmesg I found this line:

[    0.000000] NX (Execute Disable) protection: active

So my question is how to disable NX bit on Linux. I'm using Kali Linux 64 bit with the 4.18.0 kernel.

asdfghj
    Did you try to use a search engine? There seem to be several useful hits when just searching for [linux disable NX](https://www.google.de/search?q=linux+disable+NX). – Steffen Ullrich Dec 15 '18 at 19:51
  • 1
    Yes, I've found nothing that worked. –  Dec 15 '18 at 19:56
  • 2
    Then you need to explain what you did and what happened, else we will direct you to things that you have already tried. – schroeder Dec 15 '18 at 21:08
  • Why not use some other Linux distro? This is looking more like a Linux config/kernel question than a security question. – schroeder Dec 15 '18 at 21:10
  • @schroeder You don't need to switch distros (and actually, there are really no distros that have NX disabled). However, disabling the mitigation is as simple as specifying a kernel parameter. – forest Dec 16 '18 at 04:05
  • @xoreaxeax you are running 32bits shellcode on a 64 bits machine? – Timothy Leung Dec 16 '18 at 04:09
  • @forest actually I was suggesting to use a distro that matches all the available instructions to disable NX – schroeder Dec 16 '18 at 08:56

1 Answer


You can disable NX globally on Linux by booting with noexec=off in the kernel command line:

noexec      [X86]
            On X86-32 available only on PAE configured kernels.
            noexec=on: enable non-executable mappings (default)
            noexec=off: disable non-executable mappings

noexec32    [X86-64]
            This affects only 32-bit executables.
            noexec32=on: enable non-executable mappings (default)
                read doesn't imply executable mappings
            noexec32=off: disable non-executable mappings
                read implies executable mappings

You can also disable NX for a process by setting the READ_IMPLIES_EXEC execution domain either via personality(2) or, on older kernels, by enabling an executable stack via PT_GNU_STACK. This isn't true for modern kernels which no longer set that execution domain when the stack is executable.

Commit 12230611 changed the behavior so setting PT_GNU_STACK to executable no longer marks every page as executable, and commit 9fccc5c0 made it such that removing PT_GNU_STACK only set all pages executable on systems that completely lack NX support, or on the ia32 architecture.

forest
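The answer above names three separate knobs that decide whether a process gets executable mappings on x86 Linux: the `noexec`/`noexec32` kernel parameters, the `READ_IMPLIES_EXEC` personality flag, and the `PT_GNU_STACK` program header. The following program, added here as an example and not part of the original answer, inspects all three for the running process and compares them with what the kernel actually did to the `[stack]` mapping in `/proc/self/maps`. This is the check you run when, as in the question, a segfault makes you wonder whether NX is in effect. It assumes a 64-bit ELF binary and a Linux `/proc`; nothing is changed, the personality is only queried.

```c
/* nx_check.c - added example, not from the original answer.
 * Reports the three inputs that decide whether this process gets executable
 * mappings on x86 Linux, then the kernel's actual decision for [stack].
 * Assumes: 64-bit ELF, Linux /proc available.
 * Build and run: gcc -Wall -o nx_check nx_check.c && ./nx_check
 */
#define _GNU_SOURCE
#include <elf.h>
#include <stdio.h>
#include <string.h>
#include <sys/personality.h>

/* 1 if "noexec=off" or "noexec32=off" appears on the kernel command line,
 * 0 if not, -1 if /proc/cmdline cannot be read. */
int cmdline_disables_nx(void) {
    char buf[4096];
    FILE *f = fopen("/proc/cmdline", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    for (char *tok = strtok(buf, " \n"); tok; tok = strtok(NULL, " \n"))
        if (!strcmp(tok, "noexec=off") || !strcmp(tok, "noexec32=off"))
            return 1;
    return 0;
}

/* 1 if READ_IMPLIES_EXEC is set in the current personality, 0 if not,
 * -1 on error. personality(0xffffffff) queries without modifying. */
int read_implies_exec_set(void) {
    int p = personality(0xffffffff);
    if (p == -1) return -1;
    return (p & READ_IMPLIES_EXEC) ? 1 : 0;
}

/* Read the PT_GNU_STACK header of a 64-bit ELF file.
 * 1: the file requests an executable stack (PF_X set), or the header is
 *    absent, which old toolchains/kernels treated as executable;
 * 0: non-executable stack requested; -1: cannot parse the file. */
int elf_requests_exec_stack(const char *path) {
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    Elf64_Ehdr eh;
    if (fread(&eh, sizeof eh, 1, f) != 1 ||
        memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS64) {
        fclose(f);
        return -1;
    }
    int result = 1; /* no PT_GNU_STACK header: treated as executable */
    for (int i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        long off = (long)(eh.e_phoff + (Elf64_Off)i * eh.e_phentsize);
        if (fseek(f, off, SEEK_SET) != 0 || fread(&ph, sizeof ph, 1, f) != 1) {
            fclose(f);
            return -1;
        }
        if (ph.p_type == PT_GNU_STACK) {
            result = (ph.p_flags & PF_X) ? 1 : 0;
            break;
        }
    }
    fclose(f);
    return result;
}

/* Ground truth: is our [stack] mapping executable? 1/0, or -1 if the
 * [stack] line cannot be found in /proc/self/maps. */
int stack_mapped_executable(void) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    char line[512];
    int result = -1;
    while (fgets(line, sizeof line, f)) {
        if (strstr(line, "[stack]")) {
            /* line format: start-end perms offset dev inode path */
            char perms[8] = {0};
            if (sscanf(line, "%*s %7s", perms) == 1)
                result = (perms[2] == 'x') ? 1 : 0;
            break;
        }
    }
    fclose(f);
    return result;
}

int main(void) {
    printf("kernel cmdline has noexec=off/noexec32=off: %d\n", cmdline_disables_nx());
    printf("READ_IMPLIES_EXEC in personality:           %d\n", read_implies_exec_set());
    printf("PT_GNU_STACK requests executable stack:     %d\n",
           elf_requests_exec_stack("/proc/self/exe"));
    printf("[stack] actually mapped executable:         %d\n", stack_mapped_executable());
    return 0;
}
```

On a default toolchain the last two lines both print 0; if the binary was linked with `-z execstack`, or the process was started under a `READ_IMPLIES_EXEC` personality, or the machine booted with `noexec=off`, the `[stack]` line shows 1, which tells you which of the three mechanisms is responsible for the difference.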