Re: bypassing randomized stack using linux-gate.so.1

[Jack C <list-recv () crepinc com>]

You can't JMP to liux-gate.so on Fedora: It's ASCII Shielded.

linux-gate.so.1 =>  (0x00111000)

The first byte is 0x00, or a null char. It's next to impossible to get a 
NULL as the first byte of the ESP.

Have fun,

-Jack Carrozzo
jack _[@]_ crepinc.com

Pravin wrote:
> Hi,
> I was working with bypassing randomized stack using "linux-gate.so.1"
> I am using Fedora Core 5 and problem with it is that location of
> linux-gate.so.1 is not fixed.
> But other libraries are having fixed location ( like libc.so.6 and
> ld-linux.so.2 )
>
> I changed the value of "/proc/sys/kernel/randomize_va_space" to 0 and 
> tested.
> But still it was of no use for me.
> Simillarly I changed the value of "/proc/sys/kernel/exec_shield" to 0
> and tested,
> but even that didn't helped :-(
>
> I have given bellow, output of two consecutive ldd executions.
>
> $ ldd vulerable02
> linux-gate.so.1 =>  (0x00111000)
> libc.so.6 => /lib/libc.so.6 (0x00bb0000)
> /lib/ld-linux.so.2 (0x00b8f000)
>
> $ ldd vulerable02
> linux-gate.so.1 =>  (0x00d47000)
> libc.so.6 => /lib/libc.so.6 (0x00bb0000)
> /lib/ld-linux.so.2 (0x00b8f000)
>
> I know that I can use other libraries to get fix physical addresss of
> "JMP *%ESP"
> or "CALL 8%ESP", but I want to know why is it happening like this?
>
> I tried googling, bt didn't got much.
> Linux-gate.so.1 is supposed to have same address space
> (that is 0xffffe000 ) in all  processes. (as per
> http://www.trilithium.com/johan/2005/08/linux-gate/)
>
> Can someone please help me by explaining me why is it happening like 
> this?
>
> I was refering links like
> "http://milw0rm.org/papers/55";
> "http://rawlab.mindcreations.com/codes/exp/randstack/exp_call_rand.pl";
>
> Thank you.