Vulnerability Development mailing list archives
Re: bypassing randomized stack using linux-gate.so.1
From: Jack C <list-recv () crepinc com>
Date: Fri, 22 Sep 2006 00:52:14 -0400
You can't JMP to linux-gate.so on Fedora: it's ASCII shielded.

linux-gate.so.1 => (0x00111000)

The first byte is 0x00, or a null char. It's next to impossible to get a NULL as the first byte of the ESP.

Have fun,
-Jack Carrozzo
jack _[@]_ crepinc.com

Pravin wrote:
Hi,

I was working with bypassing randomized stack using "linux-gate.so.1". I am using Fedora Core 5 and the problem with it is that the location of linux-gate.so.1 is not fixed. But other libraries are having fixed locations (like libc.so.6 and ld-linux.so.2).

I changed the value of "/proc/sys/kernel/randomize_va_space" to 0 and tested. But still it was of no use for me. Similarly I changed the value of "/proc/sys/kernel/exec_shield" to 0 and tested, but even that didn't help :-(

I have given below the output of two consecutive ldd executions.

$ ldd vulerable02
linux-gate.so.1 => (0x00111000)
libc.so.6 => /lib/libc.so.6 (0x00bb0000)
/lib/ld-linux.so.2 (0x00b8f000)

$ ldd vulerable02
linux-gate.so.1 => (0x00d47000)
libc.so.6 => /lib/libc.so.6 (0x00bb0000)
/lib/ld-linux.so.2 (0x00b8f000)

I know that I can use other libraries to get a fixed physical address of "JMP *%ESP" or "CALL *%ESP", but I want to know why is it happening like this? I tried googling, but didn't get much. linux-gate.so.1 is supposed to have the same address (that is 0xffffe000) in all processes (as per http://www.trilithium.com/johan/2005/08/linux-gate/). Can someone please help me by explaining why is it happening like this?

I was referring to links like
"http://milw0rm.org/papers/55"
"http://rawlab.mindcreations.com/codes/exp/randstack/exp_call_rand.pl"

Thank you.
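The two questions in this thread, which objects keep a stable load address across runs and whether those addresses fall in the ASCII-armored low region Jack mentions, are exactly what a hardening audit checks. The following is an added example, not code from either poster: it parses repeated `ldd` output, flags every object whose base never changes (the finding a defender cares about, since a fixed library defeats stack randomization for the whole process), and reports whether each base has a 0x00 high byte. It assumes the `ldd` line formats quoted above and takes exec-shield's ASCII-armor region to be everything below 16 MiB (0x01000000); the sample runs are Pravin's two outputs, embedded so the script runs offline.

```python
import subprocess
import sys
from collections import defaultdict

# Constructed sample: the two consecutive `ldd` runs quoted in Pravin's post.
SAMPLE_RUNS = [
    "linux-gate.so.1 =>  (0x00111000)\n"
    "libc.so.6 => /lib/libc.so.6 (0x00bb0000)\n"
    "/lib/ld-linux.so.2 (0x00b8f000)\n",
    "linux-gate.so.1 =>  (0x00d47000)\n"
    "libc.so.6 => /lib/libc.so.6 (0x00bb0000)\n"
    "/lib/ld-linux.so.2 (0x00b8f000)\n",
]

# Assumed boundary of exec-shield's "ASCII armor" region: every address
# below 16 MiB has a 0x00 high byte and so cannot survive a string copy.
ASCII_ARMOR_LIMIT = 0x01000000


def parse_ldd(output):
    """Map each shared object named in one ldd run to its load address.

    Lines without a trailing "(0x...)" token (e.g. "statically linked",
    "=> not found") carry no address and are skipped.
    """
    bases = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        last = parts[-1]
        if last.startswith("(0x") and last.endswith(")"):
            bases[parts[0]] = int(last[1:-1], 16)
    return bases


def randomization_report(runs):
    """Classify each object as 'randomized' (base changed between runs)
    or 'fixed' (same base every run). A 'fixed' entry is the finding:
    that object hands out a stable address despite ASLR being on."""
    seen = defaultdict(set)
    for output in runs:
        for name, base in parse_ldd(output).items():
            seen[name].add(base)
    return {name: "randomized" if len(b) > 1 else "fixed"
            for name, b in seen.items()}


def in_ascii_armor(addr):
    """True if addr lies in the ASCII-armor region (high byte is 0x00)."""
    return 0 <= addr < ASCII_ARMOR_LIMIT


def collect_runs(binary, count=5):
    """Run ldd `count` times on a real binary (Linux only)."""
    return [subprocess.check_output(["ldd", binary], text=True)
            for _ in range(count)]


def main(argv):
    # With no argument, audit the embedded sample instead of a live binary.
    runs = collect_runs(argv[1]) if len(argv) > 1 else SAMPLE_RUNS
    status = randomization_report(runs)
    for name, state in status.items():
        bases = sorted({parse_ldd(r).get(name) for r in runs} - {None})
        armored = all(in_ascii_armor(b) for b in bases)
        print(f"{name:24} {state:10} ascii-armor={'yes' if armored else 'no'} "
              f"bases={[hex(b) for b in bases]}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 audit_ldd.py ./some_binary` on a Fedora box to sample a real process; on the embedded sample it reports linux-gate.so.1 as randomized and libc.so.6 and ld-linux.so.2 as fixed, all four bases inside the armored region. Only the relative order of the bases across runs matters, so five samples are enough to separate a randomized mapping from a merely reshuffled one in practice.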
Current thread:
- bypassing randomized stack using linux-gate.so.1 Pravin (Sep 21)
- Re: bypassing randomized stack using linux-gate.so.1 Jack C (Sep 21)
- Re: bypassing randomized stack using linux-gate.so.1 Luciano Miguel Ferreira Rocha (Sep 22)