ASLR Question

[Ben <comsatcat () earthlink net>]

I decided to poke around on my friend’s Fedora Core 6 system the other day and examine the exec-shield and ASLR 
mechanisms. So far the combination of exec-shield and library addresses having their most significant bit set to 0x00 
has blocked me from developing useful exploitation techniques against the system (however I am researching x82’s 
technique of ret chaining). I have managed to find something interesting with ASLR protection. It seems that every so 
many executions, the same stack base address is reused, in sequence. This happens more often then not.

I was wondering if this was a known with aslr (it looks entropy related).. on a vanilla 2.6.20 kernel with high load I 
was able to reuse the same stack address in sequence hundreds of times out of 1024 trys.

I posted to my blog about it with all the details, so if you'd like you can take a look at 
http://www.socialnetworkwhore.com/index.php?blog=5&title=possible_technique_for_bypassing_aslr&more=1&c=1&tb=1&pb=1

Basically I would like to know if I'm on to something here or if this is normal behavior for linux aslr.

Thanks in advance,
Ben

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/