
I followed this Buffer Overflow Exploit tutorial and wrote a small application to compile with gcc in my mingw32.exe. However, when I did, I got the following errors:

```
Liu.D.H@DESKTOP-KA8TQF4 MINGW32 ~
$ gcc vuln.c -o vuln -fno-stack-protector -m32 -z execstack
C:/msys32/mingw32/bin/../lib/gcc/i686-w64-mingw32/7.3.0/../../../../i686-w64-mingw32/bin/ld.exe: unrecognized option '-z'
C:/msys32/mingw32/bin/../lib/gcc/i686-w64-mingw32/7.3.0/../../../../i686-w64-mingw32/bin/ld.exe: use the --help option for usage information
collect2.exe: error: ld returned 1 exit status

Liu.D.H@DESKTOP-KA8TQF4 MINGW32 ~
$ gcc -c vuln.c -o vuln -fno-stack-protector -m32 -z execstack

Liu.D.H@DESKTOP-KA8TQF4 MINGW32 ~
$ ld -z execstack vuln.o -o vuln
C:\msys32\mingw32\bin\ld.exe: unrecognized option '-z'
C:\msys32\mingw32\bin\ld.exe: use the --help option for usage information

Liu.D.H@DESKTOP-KA8TQF4 MINGW32 ~
$ ld -v
GNU ld (GNU Binutils) 2.30

Liu.D.H@DESKTOP-KA8TQF4 MINGW32 ~
$ C:/msys32/mingw32/bin/../lib/gcc/i686-w64-mingw32/7.3.0/../../../../i686-w64-mingw32/bin/ld.exe -v
GNU ld (GNU Binutils) 2.30

Liu.D.H@DESKTOP-KA8TQF4 MINGW32 ~
$
```

I could find the `execstack` options in `man ld` and the version matched above.

General Grievance
Donghua Liu
  • The code you linked to is for Linux, but it appears you are trying to use it on Windows? – Paul R Mar 29 '19 at 13:54
  • @PaulR Yes, I compile the code with `msys2`, and it is a Linux-like environment. I can compile and run it without the `-z execstack` option. – Donghua Liu Mar 29 '19 at 13:59

1 Answer


The `-z` options are just not supported for Windows versions of `ld`. Check with `ld --help`. For Cygwin, it should not list `-z` options that are present when running the same command on a Linux system. I believe this is because options here are really only meaningful on Linux.

The `-z execstack` option (not the Linux tool of the same name) tells the Linux version of `ld` to turn off Data Execution Prevention (DEP) on the executable. This is done with flags in the ELF.

Windows DEP policy, on the other hand, is built into the OS nowadays. Here are some options to manage this yourself:

  • For individual programs on Windows 10:

    1. Look for "Adjust the appearance and performance of Windows" in the Start Menu. (You can type "performance" and it will appear). This gives you a new dialog box.
    2. Go to the third tab, "Data Execution Prevention".
    3. Add/remove exceptions here.
  • Call the WinAPI's `SetProcessDEPPolicy` depending on the OS's DEP setting. However, this has to be done in the program itself.

  • Use `bcdedit` via CMD to globally turn on/off DEP, but this is a bad idea. To quote the article:

    > Important: DEP is a highly effective security feature that should not be disabled unless you have no alternative.

In short, when following tutorials for exploit exercises, often these are meant to be done on Linux machines. Run it on the proper OS, or for extra safety, run it on a VM. The same exploits can't be expected to work on Windows in the same way.

More on Windows DEP policy: See How to make my program DEP-compatible?

General Grievance
  • FYI: Re: "`-z` options are just not supported for Windows `gcc`/`ld`": then why does `man ld` list `-z` options? Confused. – pmor Nov 29 '22 at 09:18
  • @pmor I remember this confusing me too. However, I believe the explanation is that man.exe comes from the [man-db](https://www.cygwin.com/packages/summary/man-db.html) package. The help page states that it's "an implementation of the standard __Unix__ documentation system." In other words, there is no special manpage edited for Cygwin. Contrast this with the text you get from `ld --help` on both Windows and Linux. On Windows, you will notice that there is no `-z` listed, and on Linux `-z` and a bunch of keywords *will* be listed. – General Grievance Nov 29 '22 at 14:11
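
The answer's remark that `-z execstack` works "with flags in the ELF" can be checked from the defender's side: the linker records the stack permissions in the `PT_GNU_STACK` program header, and an audit script can read them back. The following is an added example, not code from the question or the answer; `stack_policy` and `sample_elf32` are hypothetical names, and the sample header is constructed for the demonstration.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header type that carries stack permissions
PF_X = 0x1                 # execute bit in p_flags

def stack_policy(data: bytes) -> str:
    """Return 'executable', 'non-executable' or 'unspecified' for an ELF image."""
    if data[:4] != b"\x7fELF" or len(data) < 52:
        raise ValueError("not a complete ELF header")
    is64 = data[4] == 2                    # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    if is64 and len(data) < 64:
        raise ValueError("truncated ELF64 header")
    end = "<" if data[5] == 1 else ">"     # EI_DATA: 1 = little-endian
    if is64:
        (phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x36)
        flags_at = 4                       # p_flags offset in Elf64_Phdr
    else:
        (phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x2A)
        flags_at = 24                      # p_flags offset in Elf32_Phdr
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + flags_at + 4 > len(data):
            raise ValueError("truncated program header table")
        (p_type,) = struct.unpack_from(end + "I", data, off)
        if p_type == PT_GNU_STACK:
            (p_flags,) = struct.unpack_from(end + "I", data, off + flags_at)
            return "executable" if p_flags & PF_X else "non-executable"
    return "unspecified"  # no PT_GNU_STACK entry: the kernel's per-arch default applies

def sample_elf32(p_flags=None) -> bytes:
    """Constructed minimal ELF32 header (not a runnable binary), optionally with PT_GNU_STACK."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)   # 32-bit, little-endian
    phnum = 0 if p_flags is None else 1
    # e_type, e_machine (EM_386), e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    hdr = struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, phnum, 0, 0, 0)
    phdr = b"" if p_flags is None else struct.pack("<8I", PT_GNU_STACK, 0, 0, 0, 0, 0, p_flags, 16)
    return ident + hdr + phdr

if __name__ == "__main__":
    # PF_R|PF_W|PF_X = 7 is what -z execstack records; PF_R|PF_W = 6 is the usual default.
    for label, flags in [("-z execstack", 7), ("default link", 6), ("no entry", None)]:
        print(label, "->", stack_policy(sample_elf32(flags)))
```

To audit a real Linux binary, pass the file's bytes to `stack_policy`; a PE file produced by MinGW is rejected with `ValueError` because it has no ELF header.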