Vulnerability Development mailing list archives
Re: Beating memory address randomization (secuirty) features in Unix/Linux
From: sean <infamous41md () hotpop com>
Date: Fri, 31 Mar 2006 20:35:37 -0500
I believe they're talking about distros WITH RANDOMIZATION, i.e. PaX enabled.

On Fri, 31 Mar 2006 15:01:08 -0700 Don Bailey <don.bailey () gmail com> wrote:
> > think deeper, all the distros with randomization I have seen also have null byte in ret to libc addresses, so that won't work here.
>
> Erm, what "distros" are you talking about? I run the latest Gentoo on sparc64, pa-risc and ppc and none of them have a nil byte in libc addresses. Besides, that doesn't always matter. Think deeper, you're not always working with strings. Below are some pastes of functionality on different architectures. Notice the only one that actually shows nil bytes is sparc64, but you won't have to worry about that because you're not going to jump to the first 255 bytes.
>
> Don "north" Bailey
>
> Here's SuSE on x86
>
> givingtree.north % ./showstack
> &buffer[0]=bf9947b7
> givingtree.north % ./showstack
> &buffer[0]=bff50067
> givingtree.north % ldd ./showstack
>         linux-gate.so.1 => (0xffffe000)
>         libc.so.6 => /lib/tls/libc.so.6 (0xb7e39000)
>         /lib/ld-linux.so.2 (0xb7f59000)
> givingtree.north % uname -mr
> 2.6.16-rc6-givingtree i686
> givingtree.north %
>
> Here's Gentoo on PA-RISC
>
> visualize.north % ./showstack
> &buffer[0]=faf2c5c8
> visualize.north % ./showstack
> &buffer[0]=fb16a5c8
> visualize.north % ldd showstack
>         libc.so.6 => /lib/libc.so.6 (0x406ad000)
>         /lib/ld.so.1 => /lib/ld.so.1 (0x4037d000)
> visualize.north % uname -mr
> 2.6.16-rc5-visualize parisc
> visualize.north %
>
> Here's Gentoo on sparcv9
>
> blueberry.snow % ./showstack
> &buffer[0]=ef80d997
> blueberry.snow % ./showstack
> &buffer[0]=efeed997
> blueberry.snow % ldd showstack
>         libc.so.6 => /lib/libc.so.6 (0x70030000)
>         /lib/ld-linux.so.2 (0x70000000)
> blueberry.snow % uname -mr
> 2.6.16.1-blueberry sparc64
> blueberry.snow %
--
[ sean ]
[ pgp key id: 0x421C8CD9 ]
[ The advantage of a bad memory is that one enjoys several ]
[ times the same good things for the first time. ]
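The thread argues about two properties of randomised addresses: whether they change between runs and whether they contain 0x00 bytes. The following C program is an added illustration, not Don's showstack (which is not reproduced in the archive): it prints a stack address, a text-segment address, a static-data address and two libc-resident addresses together with the count of zero bytes in each, so running it twice on a host shows which regions the randomisation actually covers. The 64-bit value in the comment is a constructed sample, not a measurement.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Count the 0x00 bytes in the low `width` bytes of an address.  Zero
 * bytes are what stop an address from surviving inside a C string, which
 * is the property argued about above.  Byte order does not change the
 * count, only where the zero bytes sit.  Note that every user-space
 * address on a 64-bit host has zero high bytes: for the constructed
 * sample 0x00007f0012345678, bytes 4, 6 and 7 are zero, so width 8
 * yields 3. */
int count_nul_bytes(uint64_t addr, size_t width)
{
    int n = 0;
    for (size_t i = 0; i < width && i < sizeof addr; i++)
        if (((addr >> (8 * i)) & 0xff) == 0)
            n++;
    return n;
}

/* Print one address in the host's pointer width with its zero-byte count. */
static void report(const char *what, uintptr_t a)
{
    printf("%-12s %0*" PRIx64 "  nul bytes: %d\n", what,
           (int)(2 * sizeof(void *)), (uint64_t)a,
           count_nul_bytes((uint64_t)a, sizeof(void *)));
}

int main(void)
{
    char buffer[64];          /* stack object, like showstack's buffer */
    static int bss_obj;       /* static data; moves only with a PIE binary */

    report("&buffer[0]", (uintptr_t)&buffer[0]);
    report("text", (uintptr_t)count_nul_bytes); /* a function in this binary */
    report("&bss_obj", (uintptr_t)&bss_obj);
    report("printf", (uintptr_t)printf);        /* libc text */
    report("stdin", (uintptr_t)stdin);          /* libc data */
    return 0;
}
```

Run it several times and compare the columns: a region whose address is identical across runs is not covered by the randomisation on that host.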