Vulnerability Development: Re: Beating memory address randomization (security) features in Unix/Linux

Re: Beating memory address randomization (security) features in Unix/Linux

From: sean <infamous41md_at_hotpop.com>
Date: Fri, 31 Mar 2006 20:35:37 -0500

I believe they're talking about distros WITH RANDOMIZATION, i.e. PaX enabled.

On Fri, 31 Mar 2006 15:01:08 -0700
Don Bailey <don.bailey_at_gmail.com> wrote:

> > Think deeper, all the distros with randomization I have seen also
> > have null bytes in ret-to-libc addresses, so that won't work here.
> >
>
> Erm, what "distros" are you talking about? I run the latest
> Gentoo on sparc64, pa-risc and ppc and none of them
> have a nil byte in libc addresses. Besides, that doesn't
> always matter.
>
> Think deeper, you're not always working with strings.
>
> Below are some pastes of functionality on different
> architectures. Notice the only one that actually shows
> nil bytes is sparc64, but you won't have to worry about
> that because you're not going to jump to the first 255
> bytes.
>
> Don "north" Bailey
>
> Here's SuSE on x86
>
> givingtree.north % ./showstack
> &buffer[0]=bf9947b7
> givingtree.north % ./showstack
> &buffer[0]=bff50067
> givingtree.north % ldd ./showstack
> linux-gate.so.1 => (0xffffe000)
> libc.so.6 => /lib/tls/libc.so.6 (0xb7e39000)
> /lib/ld-linux.so.2 (0xb7f59000)
> givingtree.north % uname -mr
> 2.6.16-rc6-givingtree i686
> givingtree.north %
>
>
> Here's Gentoo on PA-RISC
>
> visualize.north % ./showstack
> &buffer[0]=faf2c5c8
> visualize.north % ./showstack
> &buffer[0]=fb16a5c8
> visualize.north % ldd showstack
> libc.so.6 => /lib/libc.so.6 (0x406ad000)
> /lib/ld.so.1 => /lib/ld.so.1 (0x4037d000)
> visualize.north % uname -mr
> 2.6.16-rc5-visualize parisc
> visualize.north %
>
>
> Here's Gentoo on sparcv9
>
> blueberry.snow % ./showstack
> &buffer[0]=ef80d997
> blueberry.snow % ./showstack
> &buffer[0]=efeed997
> blueberry.snow % ldd showstack
> libc.so.6 => /lib/libc.so.6 (0x70030000)
> /lib/ld-linux.so.2 (0x70000000)
> blueberry.snow % uname -mr
> 2.6.16.1-blueberry sparc64
> blueberry.snow %

-- 
[ sean ]
[ pgp key id: 0x421C8CD9 ]
[ The advantage of a bad memory is that one enjoys several ]
[ times the same good things for the first time. ]
Received on Apr 03 2006
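As an added example (not part of the thread, and not Don's actual `showstack`), a C probe in the same spirit: it prints the address of a stack buffer and of a libc function so two runs can be compared as in the pastes, and counts the zero bytes in an address, the property the two posters disagree about. The x86 values from Don's paste are reused as constructed sample input.

```c
/* Added example, not from the thread: a "showstack"-style probe.
 * Run it twice, as in Don's pastes: a different &buffer[0] between runs
 * means stack randomization is active. It also reports whether an address
 * carries a zero byte, which is what the thread argues about. */
#include <stdio.h>
#include <stdint.h>

/* Count zero bytes among the low 'width' bytes of addr (width 4 or 8). */
int count_zero_bytes(uintptr_t addr, int width)
{
    int zeros = 0;
    for (int i = 0; i < width; i++)
        if (((addr >> (8 * i)) & 0xffu) == 0)
            zeros++;
    return zeros;
}

/* Address of a local buffer; differs between runs when the stack is randomized. */
uintptr_t stack_probe(void)
{
    volatile char buffer[64];
    buffer[0] = 0;               /* keep the array alive */
    return (uintptr_t)&buffer[0];
}

/* Address of a libc function as seen by this process. In a non-PIE binary this
 * may be the PLT stub inside the executable rather than libc itself; compare
 * it with the libc.so.6 base that ldd prints, as the pastes do. */
uintptr_t libc_probe(void)
{
    return (uintptr_t)puts;
}

int main(void)
{
    uintptr_t s = stack_probe(), l = libc_probe();
    int width = (int)sizeof(void *);
    printf("&buffer[0]=%lx (%d zero bytes)\n",
           (unsigned long)s, count_zero_bytes(s, width));
    printf("puts=%lx (%d zero bytes)\n",
           (unsigned long)l, count_zero_bytes(l, width));
    /* Constructed sample input: Don's x86 stack buffer and libc base values. */
    printf("0xbf9947b7 -> %d zero bytes, 0xb7e39000 -> %d zero bytes\n",
           count_zero_bytes(0xbf9947b7u, 4), count_zero_bytes(0xb7e39000u, 4));
    return 0;
}
```

A page-aligned library base always ends in a zero byte, so the interesting question is the address of the function actually reached, not the base ldd shows.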