Full Disclosure mailing list archives
ASLR Question
From: Ben <comsatcat () earthlink net>
Date: Wed, 9 Jan 2008 11:51:37 -0700 (GMT-07:00)
I decided to poke around on my friend’s Fedora Core 6 system the other day and examine the exec-shield and ASLR mechanisms. So far the combination of exec-shield and library addresses having their most significant bit set to 0x00 has blocked me from developing useful exploitation techniques against the system (however I am researching x82’s technique of ret chaining). I have managed to find something interesting with ASLR protection. It seems that every so many executions, the same stack base address is reused, in sequence. This happens more often then not. I was wondering if this was a known with aslr (it looks entropy related).. on a vanilla 2.6.20 kernel with high load I was able to reuse the same stack address in sequence hundreds of times out of 1024 trys. I posted to my blog about it with all the details, so if you'd like you can take a look at http://www.socialnetworkwhore.com/index.php?blog=5&title=possible_technique_for_bypassing_aslr&more=1&c=1&tb=1&pb=1 Basically I would like to know if I'm on to something here or if this is normal behavior for linux aslr. Thanks in advance, Ben _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- ASLR Question Ben (Jan 09)