Vulnerability Development mailing list archives
Re: Beating memory address randomization (secuirty) features in Unix/Linux
From: Don Bailey <don.bailey () gmail com>
Date: Fri, 31 Mar 2006 11:45:47 -0700
As you can see linux-gate.so.1 is linked on stack program and its address isn't randomized.In this range address there is a lot of instructions mainly JMP *%ESP which can be used to points to stack and execute arbitraty code.
Bothering with the stack is a bore and doesn't always work depending on the architecture. Easier to just return to libc since even if the stack base isn't randomized (as it often is, lately) we don't have to care with finding it. Libc does everything you'd need to secure control of your target, anyway. I pretty much stick with return-to-libc for local exploits simply because it's often more consistent relative to results. Your shell (environment variables, etc) plus other environmental issues will skew stack addresses slightly enough to make exploitation a little bother. However, libc always maps to the same place. Then you really only have to worry about the version you're using. Don "north" Bailey
Current thread:
- Beating memory address randomization (secuirty) features in Unix/Linux hd12787 (Mar 28)
- Re: Beating memory address randomization (secuirty) features in Unix/Linux Yves Younan (Mar 31)
- <Possible follow-ups>
- Re: Beating memory address randomization (secuirty) features in Unix/Linux xgc (Mar 31)
- Re: Beating memory address randomization (secuirty) features in Unix/Linux Don Bailey (Mar 31)
- Re: Beating memory address randomization (secuirty) features in Unix/Linux john (Mar 31)
- Re: Beating memory address randomization (secuirty) features in Unix/Linux Don Bailey (Mar 31)