mailing list archives
Re: Beating memory address randomization (secuirty) features in Unix/Linux
From: c0d3r () ihsteam com
Date: Sat, 1 Apr 2006 02:05:41 +0430 (IRDT)
think deeper , all the distros with randomization I have seen ; also
have null byte in ret to libc addresses , so that wont work here .
c0d3r of IHS
Network Security Researcher
As you can see linux-gate.so.1 is linked on stack program and its
address isn't randomized.
In this range address there is a lot of instructions mainly JMP *%ESP
which can be used to points to stack and execute arbitraty code.
Bothering with the stack is a bore and doesn't always work
depending on the architecture. Easier to just return to libc
since even if the stack base isn't randomized (as it often is,
lately) we don't have to care with finding it. Libc does
everything you'd need to secure control of your target,
I pretty much stick with return-to-libc for local exploits
simply because it's often more consistent relative to
results. Your shell (environment variables, etc) plus
other environmental issues will skew stack addresses
slightly enough to make exploitation a little bother.
However, libc always maps to the same place. Then
you really only have to worry about the version you're
Don "north" Bailey
- Re: Beating memory address randomization (secuirty) features in Unix/Linux c0d3r (Mar 31)