Vulnerability Development mailing list archives
Re: Beating memory address randomization (secuirty) features in Unix/Linux
From: c0d3r () ihsteam com
Date: Sat, 1 Apr 2006 02:05:41 +0430 (IRDT)
think deeper , all the distros with randomization I have seen ; also have null byte in ret to libc addresses , so that wont work here . c0d3r of IHS Network Security Researcher
As you can see linux-gate.so.1 is linked on stack program and its address isn't randomized. In this range address there is a lot of instructions mainly JMP *%ESP which can be used to points to stack and execute arbitraty code.Bothering with the stack is a bore and doesn't always work depending on the architecture. Easier to just return to libc since even if the stack base isn't randomized (as it often is, lately) we don't have to care with finding it. Libc does everything you'd need to secure control of your target, anyway. I pretty much stick with return-to-libc for local exploits simply because it's often more consistent relative to results. Your shell (environment variables, etc) plus other environmental issues will skew stack addresses slightly enough to make exploitation a little bother. However, libc always maps to the same place. Then you really only have to worry about the version you're using. Don "north" Bailey
Current thread:
- Re: Beating memory address randomization (secuirty) features in Unix/Linux c0d3r (Mar 31)