If you are stepping through one instruction at a time, and the segfault occurs immediately upon jumping (and not when hitting some potentially broken shellcode at the end of the NOP sled, which could also cause a segfault), and you are certain that the address is correct, points to valid memory and that your NOP sled itself isn't broken, then yes it seems plausible that the segfault is being caused by DEP.
However, the other things I list above are more likely in my opinion, and there are lots of other reasons why a segfault might pop up.
Just so we're certain you've got everything right in gdb;
You should have a breakpoint just before the return instruction you have corrupted. You can do this via the disas
and break
commands.
Once the program hits your breakpoint, you want to check the lay of the land. Check eip
with the info r
command. And have a look at your stack using things like x/40x $esp
. You should be able to see your nop sled, shellcode, and return address repeatedly afterwards. Another note that just came to mind; the return address has to be aligned properly, usually this means putting 1-3 nops after your shellcode to shove it into place.
If all looks well, then it's time to run a step
. If info r
now reports that eip
contains an address that is on your nop sled - check this with a x %eip
, you should see 0x90909090
. Then hit step
again. If at this point you get a segfault, then yes (to answer your original question :P) you have DEP turned on IMHO.
Sorry if that was all stuff you already knew, it's just vital to check everything several times when you're playing with memory exploits.