Metasploit mailing list archives
stack randomization
From: 0x0804 at gmail.com (curious one)
Date: Mon, 10 Apr 2006 16:02:48 +0400
Is there a memory protection mechanism of some kind in Slackware? I did the following to check if I can land in the same nop zone, if not the exact address then still somewhere in the nop zone. I was following the server code as listed in this tutorial: http://www.exploitx.com/forum/azbb.php?1112286936 . Now when I am running this code in gdb and overflow it with an input of 1034 A's, I can overwrite EIP completely:

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()

So I did a (gdb) x/200bx $esp-200 and selected an address which was somewhere in the middle of the A's zone: 0xbfe4b338. For ease I chose the 11th line from the command to see if next time I get the address in the same range. I killed the server and repeated the same process over and over again. Every time the chosen position reflected a different address, and not just different, it was a difference of quite a bit. Following are the addresses reflected in the chosen position in various iterations:

1st iteration 0xbfe4b338
2nd iteration 0xbfd1bcb8
3rd iteration 0xbf898228
4th iteration 0xbffe7208

If the total length of my shellcode is to be 2000 (7D0h), how would I go about choosing the return address? As the scenario I am trying to simulate is of a remote exploit, how would I get around this randomization? Any good reads about this?

Cheers
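What the post is observing is stack address randomization (ASLR) doing its job: the same buffer lands at a different address on every run, which is exactly the property that makes a guessed return address unreliable. A defender verifying a build or host would want two checks: the kernel knob that enables the randomization, and a measurement of how much the addresses actually move. The script below is an added example, not code from the original thread; it feeds in the four addresses quoted above as a constructed sample, reports the range they span and which address bits varied between runs, and reads the Linux `randomize_va_space` setting (the `/proc` path is the standard Linux one; it is assumed present and simply reported as unreadable elsewhere).

```python
# Added example (not from the original post): quantify how much a stack
# address moves between runs and read the Linux ASLR control knob.
from typing import Iterable, Optional, Tuple

# Constructed sample: the four stack addresses quoted in the post above,
# one per run of the same server binary under gdb.
OBSERVED_STACK_ADDRESSES = [0xbfe4b338, 0xbfd1bcb8, 0xbf898228, 0xbffe7208]

# Standard Linux sysctl path; assumed to exist on a Linux host.
ASLR_KNOB = "/proc/sys/kernel/randomize_va_space"


def address_spread(addrs: Iterable[int]) -> Tuple[int, int, int]:
    """Return (lowest, highest, varying_bit_mask) for a set of addresses.

    varying_bit_mask has a 1 in every bit position that differed between
    at least two of the samples. With few samples it is a lower bound on
    the bits the kernel actually randomizes.
    """
    addrs = list(addrs)
    if not addrs:
        raise ValueError("need at least one address")
    low, high = min(addrs), max(addrs)
    ref = addrs[0]
    mask = 0
    for a in addrs[1:]:
        mask |= a ^ ref  # bits that differ from the first sample
    return low, high, mask


def varying_bit_range(mask: int) -> Optional[Tuple[int, int]]:
    """Return (lowest_bit, highest_bit) set in mask, or None if nothing varied."""
    if mask == 0:
        return None
    lowest = (mask & -mask).bit_length() - 1   # isolate lowest set bit
    highest = mask.bit_length() - 1
    return lowest, highest


def aslr_setting(path: str = ASLR_KNOB) -> Optional[int]:
    """Read randomize_va_space: 0 = off, 1 = stack/mmap/vdso, 2 = also brk.

    Returns None when the file is missing or unreadable (non-Linux host,
    restricted container, etc.) so callers can report 'unknown' explicitly.
    """
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def describe(addrs: Iterable[int], setting: Optional[int]) -> str:
    """Human-readable summary of the measurement and the kernel setting."""
    low, high, mask = address_spread(addrs)
    bits = varying_bit_range(mask)
    lines = [
        f"lowest observed:  {low:#010x}",
        f"highest observed: {high:#010x}",
        f"span:             {high - low} bytes ({(high - low) / 2**20:.1f} MiB)",
        f"varying bit mask: {mask:#010x}",
    ]
    if bits is None:
        lines.append("no variation between runs: stack randomization looks OFF")
    else:
        lines.append(f"bits {bits[0]}..{bits[1]} varied across runs")
    knob = "unknown (knob unreadable)" if setting is None else str(setting)
    lines.append(f"randomize_va_space = {knob}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(OBSERVED_STACK_ADDRESSES, aslr_setting()))
```

Run on the post's own numbers this reports a span of roughly 7.3 MiB with bits 4 through 22 changing between runs, which is why a 2000-byte landing zone at a fixed address is not going to be hit reliably; the mitigation-side takeaway is to confirm the knob is non-zero on hosts you administer and to extend the same measurement to heap and library addresses when auditing a build.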