Vulnerability Development mailing list archives

Re: Beating memory address randomization (security) features in Unix/Linux


From: Andrea Purificato - bunker <bunker () fastwebnet it>
Date: Mon, 3 Apr 2006 23:04:25 +0200

At 15:52, Saturday 25 March 2006, hd12787 () yahoo com wrote:
I've studied how to beat memory address randomization. Does anyone know how
to beat memory address randomization in Unix/Linux?

Today I've studied the problem on my Linux box (2.6.15.6), and I've written
two case-study samples along the lines of "xgc"'s message:

[jmp *%esp technique]
http://rawlab.altervista.org/codes/exp/randstack/exp_jmp_rand.pl

[call *%edx technique]
http://rawlab.altervista.org/codes/exp/randstack/exp_call_rand.pl

This second case study was developed while trying to exploit the famous "abo3.c"
vulnerable program (see gera's advanced overflow contest).

I hope you like that!
-- 
Andrea "bunker" Purificato
+++++++++++[>++++++>+++++++++++++++++++++++++++++++++>++++
++++++<<<-]>.>++++++++++.>.<----------.>---------.<+++++++.

http://rawlab.altervista.org 
