Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Vulnerability Development: Linux exploits and random post-argv/ envp injection

Linux exploits and random post-argv/ envp injection

From: Inventor UCL <digiwind_at_hotmail.com>
Date: 11 Mar 2004 05:06:27 -0000
('binary' encoding is not supported, stored as-is) Hi All,

I noticed something when playing around with exploits on linux and wanted to ask if anyone knows more about it.

When I run the same test program with the same envp/argv that just prints its esp, it outputs a different value everytime.

Looks like Linux's sys_exec() injects a random number of zeroes between the argv/envp and the stack frame for main(), i.e. stack:

+-----------------+ Higher addr (bfffff**)
| env |
| argv |
| <random zeroes> |
| ... |
| main() sk frame |
| ... |
+-----------------+ Lower addr (top of the stack)

Is anyone familiar with the rationale/code that does that on Linux? Clearly, it helps thwart overflows as the return address is fluctuating but I have not heard of this "feature" before.

I was wondering maybe someone knows about it. Looks like the variation is 0-ffff in the two LSB of the esp.

Thanks,
inv_
Received on Mar 11 2004
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos