Vulnerability Development mailing list archives

Linux exploits and random post-argv/ envp injection

From: Inventor UCL <digiwind () hotmail com>
Date: 11 Mar 2004 05:06:27 -0000



Hi All,

I noticed something when playing around with exploits on linux and wanted to ask if anyone knows more about it.

When I run the same test program with the same envp/argv that just prints its esp, it outputs a different value 
everytime.

Looks like Linux's sys_exec() injects a random number of zeroes between the argv/envp and the stack frame for main(), 
i.e. stack:

+-----------------+ Higher addr (bfffff**)
| env             |
| argv            |
| <random zeroes> |
| ...             |
| main() sk frame |
| ...             |
+-----------------+ Lower addr (top of the stack)

Is anyone familiar with the rationale/code that does that on Linux? Clearly, it helps thwart overflows as the return 
address is fluctuating but I have not heard of this "feature" before.

I was wondering maybe someone knows about it. Looks like the variation is 0-ffff in the two LSB of the esp.

Thanks,
inv_

Current thread:

Linux exploits and random post-argv/ envp injection Inventor UCL (Mar 11)
- Re: Linux exploits and random post-argv/ envp injection Valdis . Kletnieks (Mar 14)
- Re: Linux exploits and random post-argv/ envp injection Gerardo Richarte (Mar 15)