Vulnerability Development mailing list archives
Linux exploits and random post-argv/ envp injection
From: Inventor UCL <digiwind () hotmail com>
Date: 11 Mar 2004 05:06:27 -0000
Hi All,

I noticed something when playing around with exploits on Linux and wanted to ask if anyone knows more about it. When I run the same test program with the same envp/argv that just prints its esp, it outputs a different value every time. Looks like Linux's sys_exec() injects a random number of zeroes between the argv/envp and the stack frame for main(), i.e.

    stack:
    +-----------------+  Higher addr (bfffff**)
    |       env       |
    |      argv       |
    | <random zeroes> |
    |       ...       |
    | main() sk frame |
    |       ...       |
    +-----------------+  Lower addr (top of the stack)

Is anyone familiar with the rationale/code that does that on Linux? Clearly, it helps thwart overflows as the return address is fluctuating, but I have not heard of this "feature" before. I was wondering maybe someone knows about it. Looks like the variation is 0-ffff in the two LSB of the esp.

Thanks,
inv_
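The measurement described in the post, as an added example that is not part of the original message: a test program that prints where main()'s frame sits relative to the argv strings, plus a helper that reports which stack-pointer bits change across runs. The function names and the sample addresses are assumptions; the samples are constructed, not captured.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Distance in bytes from a higher stack address (argv/envp area)
 * down to a lower one (a local in main()'s frame). */
static uintptr_t stack_gap(const void *high, const void *low)
{
    return (uintptr_t)high - (uintptr_t)low;
}

/* Mask of bits that differed in at least one sample vs. the first. */
static uintptr_t varying_bits(const uintptr_t *sp, size_t n)
{
    uintptr_t mask = 0;
    for (size_t i = 1; i < n; i++)
        mask |= sp[0] ^ sp[i];
    return mask;
}

/* Set bits in the mask: upper bound on the randomized bits observed. */
static unsigned bit_count(uintptr_t mask)
{
    unsigned c = 0;
    for (; mask; mask &= mask - 1)
        c++;
    return c;
}

/* Constructed stack-pointer samples (not captured from a real system),
 * assumed 16-byte aligned, standing in for values noted from four runs. */
static const uintptr_t constructed_samples[] = {
    0xbfffe4a0u, 0xbfff91c0u, 0xbfff0310u, 0xbfff7ff0u
};

int main(int argc, char **argv)
{
    int local = 0; /* its address approximates esp inside main() */
    uintptr_t mask = varying_bits(constructed_samples, 4);

    (void)argc;
    printf("local in main(): %p\n", (void *)&local);
    printf("argv[0] string:  %p\n", (void *)argv[0]);
    printf("gap below argv:  %#lx bytes\n",
           (unsigned long)stack_gap(argv[0], &local));
    printf("varying bits in samples: %#lx (%u bits)\n",
           (unsigned long)mask, bit_count(mask));
    return 0;
}
```

Run the binary several times with identical argv/envp and substitute the printed addresses for the constructed samples to see which bits actually vary on a given system.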
Current thread:
- Linux exploits and random post-argv/ envp injection Inventor UCL (Mar 11)
- Re: Linux exploits and random post-argv/ envp injection Valdis . Kletnieks (Mar 14)
- Re: Linux exploits and random post-argv/ envp injection Gerardo Richarte (Mar 15)