Being a paranoid security guy, I do manually look at logs from time to time. Recently I was looking at /var/log/messages and noticed a lot of segfaults. I’m running nmap against several class Bs for a big engagement, and two interesting things came out of it: nmap segfaulted (more on that in a later post), and the crash had shown up, out of the blue, in my log.
Jan 25 14:16:12 eru kernel: nmap[14831]: segfault at 00000000 eip 0808b1e3 esp bfdc9e00 error 4
I thought that maybe nmap’s exception handling called syslog and was graceful enough to crash with a message. An hour of grepping and I couldn’t find it. Next I thought, well, maybe they’re using the libpcap drivers to write out the message from inside an LKM. There is some of that, but my message wasn’t there. Frustrated, I wrote a simple program that would receive a buffer overflow.
[root@eru tmp]# less segfault.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
    char buf[10];
    /* Deliberately unbounded copy: an argument longer than 9 bytes overruns buf. */
    strcpy(buf, argv[1]);
    return 0;
}
So the test:
[root@eru tmp]# ./segfault AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault
[root@eru tmp]# Jan 27 10:24:50 eru kernel: segfault[26006]: segfault at 4141413d eip 08048459 esp 4141413d error 4
So yes, the kernel is catching the exceptions and logging them. It’s awesome. From a bit of Googling, it seems this feature was added around 2007. I guess I’m slow, but most of my friends weren’t readily aware of it either. Also, the value 4141413d requires a little investigation. It should be 41414141 (AAAA). I’m guessing the 3d is some sort of stack protection, but it’s been so long since I’ve done exploit dev on Linux that I don’t recall exactly what’s going on. I’m very excited about this feature though.
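Since the kernel writes these reports in a fixed format, they are easy to mine from /var/log/messages. The following is an added example (not from the original post) that parses the two lines quoted above plus one constructed write fault, decodes the x86 page-fault error code behind "error 4", and flags crashes whose fault address is made of printable bytes, as 4141413d is.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The two lines quoted in the post, plus one constructed write fault for contrast.
SAMPLE_LOG = [
    "Jan 25 14:16:12 eru kernel: nmap[14831]: segfault at 00000000 eip 0808b1e3 esp bfdc9e00 error 4",
    "Jan 27 10:24:50 eru kernel: segfault[26006]: segfault at 4141413d eip 08048459 esp 4141413d error 4",
    "Jan 27 10:30:01 eru kernel: demo[26100]: segfault at 00000010 eip 08048412 esp bffff6c0 error 6",
]

# Format printed by the kernel's page-fault handler on 32-bit x86:
#   <comm>[<pid>]: segfault at <addr> eip <eip> esp <esp> error <code>   (all fields hex)
SEGFAULT_RE = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"eip (?P<eip>[0-9a-f]+) esp (?P<esp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
)

# x86 page-fault error code bits: "error 4" is a user-mode read of an unmapped page.
PF_PROT, PF_WRITE, PF_USER, PF_RSVD, PF_INSTR = 1, 2, 4, 8, 16

@dataclass
class Segfault:
    comm: str
    pid: int
    addr: int
    eip: int
    esp: int
    err: int

    def describe(self) -> str:
        mode = "user" if self.err & PF_USER else "kernel"
        kind = "write" if self.err & PF_WRITE else "fetch" if self.err & PF_INSTR else "read"
        cause = "protection violation" if self.err & PF_PROT else "page not present"
        return f"{self.comm}[{self.pid}]: {mode}-mode {kind}, {cause}, at 0x{self.addr:08x}"

    def looks_controlled(self) -> bool:
        # All bytes of the fault address printable ASCII (0x4141413d is "AAA="): pointer likely overwritten by input.
        return self.addr != 0 and all(0x20 <= b < 0x7F for b in self.addr.to_bytes(4, "big"))

def parse_segfault(line: str) -> Optional[Segfault]:
    m = SEGFAULT_RE.search(line)
    if not m:
        return None
    return Segfault(m["comm"], int(m["pid"]), int(m["addr"], 16),
                    int(m["eip"], 16), int(m["esp"], 16), int(m["err"], 16))

def suspicious_crashes(lines: List[str]) -> List[Segfault]:
    parsed = [s for s in map(parse_segfault, lines) if s is not None]
    return [s for s in parsed if s.looks_controlled()]
```

Feed it `open("/var/log/messages")` instead of SAMPLE_LOG to triage a real box; a crash with a printable fault address deserves a look at the binary that produced it.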