Vulnerability Development mailing list archives

Re: Beating memory address randomization (security) features in Unix/Linux


From: Don Bailey <don.bailey () gmail com>
Date: Fri, 31 Mar 2006 11:45:47 -0700

As you can see, linux-gate.so.1 is linked on stack program and its address isn't randomized.

In this address range there are a lot of instructions, mainly JMP *%ESP, which can be used to point to the stack and execute arbitrary code.


Bothering with the stack is a bore and doesn't always work
depending on the architecture. Easier to just return to libc
since even if the stack base isn't randomized (as it often is,
lately) we don't have to care about finding it. Libc does
everything you'd need to secure control of your target,
anyway.

I pretty much stick with return-to-libc for local exploits
simply because it's often more consistent relative to
results. Your shell (environment variables, etc) plus
other environmental issues will skew stack addresses
slightly enough to make exploitation a little bother.
However, libc always maps to the same place. Then
you really only have to worry about the version you're
using.

Don "north" Bailey
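
A defender-side check of the claim above that libc keeps its base address while the stack shifts, added here as an example and not part of the original message: it compares region base addresses from /proc/<pid>/maps across fresh processes. The sample maps text and all function names are constructed for illustration.

```python
import re
import subprocess
import sys

# Constructed /proc/<pid>/maps excerpts (not from a real host); only the stack moves.
RUN_A = """\
b7e30000-b7f5b000 r-xp 00000000 08:01 5678 /lib/libc-2.3.6.so
b7f5b000-b7f60000 rw-p 0012b000 08:01 5678 /lib/libc-2.3.6.so
bf9a1000-bf9b6000 rw-p 00000000 00:00 0 [stack]
ffffe000-fffff000 r-xp 00000000 00:00 0 [vdso]
"""
RUN_B = RUN_A.replace("bf9a1000-bf9b6000", "bfd43000-bfd58000")
LINE = re.compile(r"^([0-9a-f]+)-[0-9a-f]+\s+\S+\s+\S+\s+\S+\s+\S+\s*(.*)$")

def classify(path):
    """Map a maps-file pathname to the region names this check tracks."""
    if path in ("[stack]", "[vdso]"):
        return path.strip("[]")
    return "libc" if re.search(r"/libc[-.][^/]*$", path) else None

def region_bases(maps_text):
    """Return {region: lowest start address} for libc, stack and vdso."""
    bases = {}
    for line in maps_text.splitlines():
        m = LINE.match(line.strip())
        name = classify(m.group(2).strip()) if m else None
        if name:
            start = int(m.group(1), 16)
            bases[name] = min(start, bases.get(name, start))
    return bases

def fixed_regions(runs):
    """Regions seen in every run whose base address never changed."""
    per_run = [region_bases(r) for r in runs]
    common = set.intersection(*map(set, per_run)) if per_run else set()
    return sorted(n for n in common if len({b[n] for b in per_run}) == 1)

def sample_live(count=3):
    """Spawn fresh processes (Linux only) and collect each one's maps."""
    cmd = [sys.executable, "-c", "print(open('/proc/self/maps').read())"]
    return [subprocess.run(cmd, capture_output=True, text=True,
                           check=True).stdout for _ in range(count)]

if __name__ == "__main__":
    print("constructed sample, fixed:", fixed_regions([RUN_A, RUN_B]))
    try:
        print("this host, fixed:", fixed_regions(sample_live()))
    except (OSError, subprocess.CalledProcessError) as exc:
        print("live check skipped:", exc)
```

An empty list for the live run means every tracked region moved between process launches; any name that is listed kept a fixed base on that host.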

