bypassing randomized stack using linux-gate.so.1

[Pravin <shindepravin () gmail com>]

Hi,
I was working with bypassing randomized stack using "linux-gate.so.1"
I am using Fedora Core 5 and problem with it is that location of
linux-gate.so.1 is not fixed.
But other libraries are having fixed location ( like libc.so.6 and
ld-linux.so.2 )

I changed the value of "/proc/sys/kernel/randomize_va_space" to 0 and tested.
But still it was of no use for me.
Simillarly I changed the value of "/proc/sys/kernel/exec_shield" to 0
and tested,
but even that didn't helped :-(

I have given bellow, output of two consecutive ldd executions.

$ ldd vulerable02
linux-gate.so.1 =>  (0x00111000)
libc.so.6 => /lib/libc.so.6 (0x00bb0000)
/lib/ld-linux.so.2 (0x00b8f000)

$ ldd vulerable02
linux-gate.so.1 =>  (0x00d47000)
libc.so.6 => /lib/libc.so.6 (0x00bb0000)
/lib/ld-linux.so.2 (0x00b8f000)

I know that I can use other libraries to get fix physical addresss of
"JMP *%ESP"
or "CALL 8%ESP", but I want to know why is it happening like this?

I tried googling, bt didn't got much.
Linux-gate.so.1 is supposed to have same address space
(that is 0xffffe000 ) in all  processes. (as per
http://www.trilithium.com/johan/2005/08/linux-gate/)

Can someone please help me by explaining me why is it happening like this?

I was refering links like
"http://milw0rm.org/papers/55";
"http://rawlab.mindcreations.com/codes/exp/randstack/exp_call_rand.pl";

Thank you.
--
Pravin Shinde