
Vulnerability Development mailing list archives

Re: Beating memory address randomization (security) features in Unix/Linux
From: Don Bailey <don.bailey () gmail com>
Date: Fri, 31 Mar 2006 15:01:08 -0700


Think deeper, all the distros with randomization I have seen also
have a null byte in ret-to-libc addresses, so that won't work here.

Erm, what "distros" are you talking about? I run the latest
Gentoo on sparc64, pa-risc and ppc and none of them
have a nil byte in libc addresses. Besides, that doesn't
always matter.

Think deeper, you're not always working with strings.

Below are some pastes of functionality on different
architectures. Notice the only one that actually shows
nil bytes is sparc64, but you won't have to worry about
that because you're not going to jump to the first 255

Don "north" Bailey

Here's SuSE on x86

givingtree.north % ./showstack
givingtree.north % ./showstack
givingtree.north % ldd ./showstack
         linux-gate.so.1 =>  (0xffffe000)
         libc.so.6 => /lib/tls/libc.so.6 (0xb7e39000)
         /lib/ld-linux.so.2 (0xb7f59000)
givingtree.north % uname -mr
2.6.16-rc6-givingtree i686
givingtree.north %

Here's Gentoo on PA-RISC

visualize.north % ./showstack
visualize.north % ./showstack
visualize.north % ldd showstack
         libc.so.6 => /lib/libc.so.6 (0x406ad000)
         /lib/ld.so.1 => /lib/ld.so.1 (0x4037d000)
visualize.north % uname -mr
2.6.16-rc5-visualize parisc
visualize.north %

Here's Gentoo on sparcv9

blueberry.snow % ./showstack
blueberry.snow % ./showstack
blueberry.snow % ldd showstack
         libc.so.6 => /lib/libc.so.6 (0x70030000)
         /lib/ld-linux.so.2 (0x70000000)
blueberry.snow % uname -mr sparc64
blueberry.snow %
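An added example, not the showstack tool or any code from this thread, that does the kind of check the post is arguing about: it prints where a few libc functions and a stack variable landed in this process and counts the zero bytes in each address, which makes the sparc64 point visible (a 64-bit pointer such as 0x70030000 carries leading zero bytes that a 32-bit pointer like 0xb7e39000 plus a function offset does not). Running the binary more than once shows whether the addresses move between runs, i.e. whether randomization is actually in effect on the host.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Count zero bytes in the low `width` bytes of an address.  Endianness
 * is irrelevant: a zero byte is a zero byte wherever it sits. */
int count_zero_bytes(uint64_t addr, size_t width) {
    int zeros = 0;
    for (size_t i = 0; i < width && i < 8; i++) {
        if (((addr >> (8 * i)) & 0xffu) == 0)
            zeros++;
    }
    return zeros;
}

/* Print one address with its zero-byte count; returns the count so the
 * caller can tally how many of the sampled addresses contain a zero. */
int report(const char *label, const void *p) {
    int z = count_zero_bytes((uint64_t)(uintptr_t)p, sizeof(void *));
    printf("%-8s %p  zero bytes: %d\n", label, p, z);
    return z;
}

int main(void) {
    int local = 0;
    int with_zero = 0;

    /* A stack address: shows whether the stack is randomized across runs. */
    with_zero += report("stack", (void *)&local) > 0;

    /* Function addresses inside libc (not the page-aligned library base,
     * which always ends in a zero byte).  In a PIE these resolve to the
     * real libc addresses; in a non-PIE binary they may be PLT stubs. */
    with_zero += report("printf", (void *)&printf) > 0;
    with_zero += report("malloc", (void *)&malloc) > 0;
    with_zero += report("strlen", (void *)&strlen) > 0;

    printf("%d of 4 sampled addresses contain a zero byte\n", with_zero);
    return 0;
}
```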



