Vulnerability Development: bypassing randomized stack using linux-gate.so.1

From: Pravin <shindepravin_at_gmail.com>
Date: Thu, 21 Sep 2006 18:45:14 +0530

Hi,
I was working on bypassing the randomized stack using "linux-gate.so.1".
I am using Fedora Core 5, and the problem with it is that the location of
linux-gate.so.1 is not fixed.
But other libraries do have fixed locations (like libc.so.6 and
ld-linux.so.2).

I changed the value of "/proc/sys/kernel/randomize_va_space" to 0 and tested.
But still it was of no use for me.
Similarly, I changed the value of "/proc/sys/kernel/exec_shield" to 0
and tested,
but even that didn't help :-(

I have given below the output of two consecutive ldd executions.

$ ldd vulerable02
linux-gate.so.1 => (0x00111000)
libc.so.6 => /lib/libc.so.6 (0x00bb0000)
/lib/ld-linux.so.2 (0x00b8f000)

$ ldd vulerable02
linux-gate.so.1 => (0x00d47000)
libc.so.6 => /lib/libc.so.6 (0x00bb0000)
/lib/ld-linux.so.2 (0x00b8f000)

I know that I can use other libraries to get a fixed physical address of
"JMP *%ESP"
or "CALL 8%ESP", but I want to know why it is happening like this.

I tried googling, but didn't get much.
Linux-gate.so.1 is supposed to have the same address space
(that is, 0xffffe000) in all processes (as per
http://www.trilithium.com/johan/2005/08/linux-gate/).

Can someone please help me by explaining why it is happening like this?

I was referring to links like
"http://milw0rm.org/papers/55"
"http://rawlab.mindcreations.com/codes/exp/randstack/exp_call_rand.pl"

Thank you.

-- 
 Pravin Shinde
Received on Sep 21 2006
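As an added example, not code from Pravin's post or from the papers it links, the following POSIX shell script asks the same question the two ldd runs above raise, namely which regions of a fresh process actually change base between runs. It samples /proc/self/maps from freshly spawned grep processes (each one gets its own address-space layout, just as each ldd run did) and reads the randomize_va_space knob the post mentions. The region labels "[vdso]", "[stack]", "libc.so.6" and "ld-linux" are assumptions about a current Linux /proc/<pid>/maps layout, where the vDSO that ldd prints as linux-gate.so.1 shows up as "[vdso]".

```sh
#!/bin/sh
# Added example (not from the original post): probe which address-space
# regions of a fresh process actually move between runs on this machine.
# Each `grep` invocation below is a new process, so /proc/self/maps shows a
# freshly laid-out address space every time, like each `ldd` run above.

# Print the ASLR knob the post refers to, or "unavailable" when the file
# does not exist (non-Linux host or a restricted /proc).
aslr_setting() {
    cat /proc/sys/kernel/randomize_va_space 2>/dev/null || echo unavailable
}

# Start address of the first mapping whose line contains $1 (e.g. "[vdso]",
# "[stack]" or "libc.so.6") in a brand-new process; prints nothing if absent.
region_base() {
    grep -F "$1" /proc/self/maps 2>/dev/null | head -n 1 | cut -d- -f1
}

# Spawn $2 fresh processes (default 10) and count the distinct start
# addresses seen for region $1: 0 = not mapped, 1 = fixed, >1 = randomized.
count_distinct_bases() {
    region="$1"; runs="${2:-10}"; i=0
    while [ "$i" -lt "$runs" ]; do
        region_base "$region"
        i=$((i + 1))
    done | grep -v '^$' | sort -u | wc -l | tr -d ' '
}

# Human-readable verdict for one region.
report_region() {
    n=$(count_distinct_bases "$1" 10)
    case "$n" in
        0) echo "$1: not mapped" ;;
        1) echo "$1: fixed base (not randomized)" ;;
        *) echo "$1: randomized ($n distinct bases in 10 runs)" ;;
    esac
}

main() {
    echo "randomize_va_space = $(aslr_setting)"
    for r in "[vdso]" "[stack]" "libc.so.6" ld-linux; do
        report_region "$r"
    done
}

main "$@"
```

A region that reports a fixed base while randomize_va_space is non-zero (or, as in the post, one that keeps moving after the knob is set to 0) is exactly the discrepancy worth recording when auditing a system's ASLR coverage.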