Recently, I've been studying buffer overflows as an undergraduate student in Computer Engineering. Simply out of interest, I began researching and studying buffer overflows, but have gotten stuck when attempting to implement them in my own C programs on my computer, compiled with GCC 4.9.1 (in Debian Jessie).
I've heard that there are sorts of stack overflow protection in newer compilers, so I'm thinking that my issue is that my compiler version is too new. Either that, or I'm not compiling with the correct flags (none).
So are there good versions of GCC for me to obtain to test buffer overflows? Or should I use a particular flag to prevent stack protection and canaries?
Thank you for your time.
Use -zexecstack -fno-stack-protector to disable stack frame protection and non-executable stack with gcc.
On your Linux system, you also have to disable address randomization (ASLR) using:
echo 0 > /proc/sys/kernel/randomize_va_space
Use -fno-stack-protector option in gcc to disable stack smashing protection.
Most recent versions of GCC (>= 4.8) have included AddressSanitizer, by -fsanitize=address option. From 4.8 Realease Notes:
AddressSanitizer , a fast memory error detector, has been added and can be enabled via
-fsanitize=address. Memory access instructions will be instrumented to detect heap-, stack-, and global-buffer overflow as well as use-after-free bugs. To get nicer stacktraces, use-fno-omit-frame-pointer. The AddressSanitizer is available on IA-32/x86-64/x32/PowerPC/PowerPC64 GNU/Linux and on x86-64 Darwin.
GCC 4.9 added its support on ARM platform.
来源:https://stackoverflow.com/questions/26245447/which-versions-of-gcc-or-flags-should-i-use-when-studying-buffer-overflows