Vulnerability Development mailing list archives

Re: Linux exploits and random post-argv/ envp injection


From: Gerardo Richarte <gera () corest com>
Date: Mon, 15 Mar 2004 12:39:40 -0300

Inventor UCL wrote:

> Hi All,
>
> I noticed something when playing around with exploits on linux and wanted to ask if anyone knows more about it.
>
> When I run the same test program with the same envp/argv that just prints its esp, it outputs a different value
> every time.

        On some linux (depends on kernel version and features), this is just a fact:
the stack address changes from process to process. It doesn't vary a lot (let's say around 1, 2, 3 or 4 pages, x4096 bytes each).
This doesn't have anything to do with any security patch (although this might be another reason, as Valdis Kletnieks explained).
        As a friend explained to me, on some linux kernels they had some kind of problem when running on multiprocessor boxes, and
they "solved" it by randomizing stack addresses... that's pretty much what I know... I also know that when writing
exploits, not only is padding unexpectedly added, but also the addresses can randomly change (the solution is absolutely different
when the change is not the result of a security patch, mainly because the deltas are not so big).

        gera
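An added example, not part of the thread, to measure the per-process stack movement gera describes: the program re-runs itself through popen, reads the address of a stack variable printed by each child, and reports the spread in 4096-byte pages (0 means every run landed at the same address). It assumes a Linux/POSIX system and that it is started with a path such as ./stackspread, since argv[0] is reused to spawn the children.

```c
/* Measure how far the initial stack location moves between processes. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE 4096UL
#define SAMPLES 16

/* Address of a local variable: a cheap stand-in for esp at program start. */
unsigned long stack_address(void) {
    volatile char marker = 0;
    unsigned long addr = (unsigned long)&marker;
    return addr;
}

/* Spread (max - min) of sampled addresses, rounded up to whole pages.
 * Returns 0 when all samples are identical, i.e. no randomization visible. */
unsigned long spread_in_pages(const unsigned long *addrs, size_t n) {
    unsigned long lo = addrs[0], hi = addrs[0];
    for (size_t i = 1; i < n; i++) {
        if (addrs[i] < lo) lo = addrs[i];
        if (addrs[i] > hi) hi = addrs[i];
    }
    return (hi - lo + PAGE_SIZE - 1) / PAGE_SIZE;
}

/* Run `cmd` in a shell and parse one hex address from its output; 0 on failure. */
unsigned long sample_child(const char *cmd) {
    unsigned long addr = 0;
    FILE *p = popen(cmd, "r");
    if (!p) return 0;
    if (fscanf(p, "%lx", &addr) != 1) addr = 0;
    pclose(p);
    return addr;
}

int main(int argc, char **argv) {
    if (argc > 1 && strcmp(argv[1], "--print") == 0) {
        printf("%lx\n", stack_address());   /* child mode: report and exit */
        return 0;
    }
    char cmd[512];
    unsigned long addrs[SAMPLES];
    snprintf(cmd, sizeof cmd, "\"%s\" --print", argv[0]);  /* re-run ourselves */
    for (int i = 0; i < SAMPLES; i++) {
        addrs[i] = sample_child(cmd);
        if (addrs[i] == 0) { fprintf(stderr, "child run failed\n"); return 1; }
        printf("run %2d: stack at 0x%lx\n", i, addrs[i]);
    }
    printf("spread across %d runs: %lu page(s)\n", SAMPLES, spread_in_pages(addrs, SAMPLES));
    return 0;
}
```

A spread of a few pages with no security patch installed matches the behaviour gera describes; a spread of hundreds of pages or more indicates a randomization patch or a modern ASLR kernel.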

