Re: Library address randomization



On Jan 22, 2009, at 5:03 PM, Ricardo Rolim wrote:
Currently I'm using Fedora 10 and apparently I'm not getting any library address randomization for programs compiled as PIE. Whereas the binary itself, stack and heap are randomly getting their addresses changed from one execution to the next, the library stands still at a predictable location. Strangely enough I've got the expected result out of Ubuntu 8.10. This is how I'm checking:

[ricardo@localhost ~]$ ./dummy
printf: 0x17c900
main : 0xb7f8851c
[ricardo@localhost ~]$ ./dummy
printf: 0x17c900
main : 0xb7f5051c

Ricardo -

While the libc addresses are not being randomized (try 'ldd ./dummy' to see the actual library base addresses), on Fedora they are ASCII shielded (aka ASCII armor). You will notice that the first and last bytes of your printf() call are null bytes (0x00 17 c9 00). Fedora maps shared libraries into this region (the first 16MB of addressable memory, always beginning with 0x00) as a protective measure to prevent ret2libc type exploits and null pointer dereferencing. Although it's possible to write a null byte, especially if you arrange for the data you overflow a buffer with to end at the right length, in this case you will find it quite difficult to write both null bytes needed to address printf() in libc.

Google for 'fedora ascii shield' and you'll find a wealth of information on the subject. You will also find that such protection really isn't terribly protective. In this specific case, the printf() address has a null byte on both sides - so if you're writing a string, you won't be able to write two null bytes. But on x86 and other little endian machines, writing an address like 0x00badbad is still feasible via string operations... printf("\xad\xdb\xba\x00") will get you there, for example. And of course, any operations that work on raw byte values rather than string operations will still work just fine.

HTH
-c
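To make the point in the reply concrete, here is an added example (not part of the thread) that simulates delivering a 32-bit address through a NUL-terminated string copy on a little-endian machine and reports whether the ASCII shield (libraries mapped below 16 MB, top byte 0x00) actually blocks it. The 16 MB limit and the two sample addresses are taken from the messages above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fedora maps shared libraries into the first 16 MB, so every library
 * address has 0x00 as its most significant byte. */
#define ASCII_SHIELD_LIMIT 0x01000000u

/* Simulate writing addr via strcpy(): the source string consists of the
 * little-endian bytes of addr up to the first 0x00 (a C string cannot
 * contain an interior NUL), and strcpy() writes the terminator itself.
 * Returns 1 if all four bytes of addr end up in place in the destination. */
int string_copy_delivers(uint32_t addr) {
    unsigned char src[5];
    unsigned char dst[8];
    int n = 0;

    for (int i = 0; i < 4; i++) {
        unsigned char b = (unsigned char)(addr >> (8 * i)); /* little-endian */
        if (b == 0)
            break;                 /* a string copy can go no further */
        src[n++] = b;
    }
    src[n] = '\0';                 /* strcpy() stops here and writes this 0x00 */

    /* Pre-fill each target byte with its bitwise complement, so any byte
     * strcpy() does not touch is guaranteed to compare unequal. */
    for (int i = 0; i < 4; i++)
        dst[i] = (unsigned char)~(addr >> (8 * i));
    memset(dst + 4, 0, 4);         /* room for a trailing terminator */

    strcpy((char *)dst, (const char *)src);

    for (int i = 0; i < 4; i++)
        if (dst[i] != (unsigned char)(addr >> (8 * i)))
            return 0;
    return 1;
}

/* Does the ASCII shield stop a string-based write from targeting addr?
 * Only when the address lies in the shielded region AND has a second
 * null byte that the single string terminator cannot supply. */
int ascii_shield_blocks(uint32_t addr) {
    return addr < ASCII_SHIELD_LIMIT && !string_copy_delivers(addr);
}

int main(void) {
    uint32_t samples[] = { 0x0017c900u, 0x00badbadu, 0xb7f8851cu };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("0x%08x: string copy delivers=%d, shield blocks=%d\n",
               samples[i], string_copy_delivers(samples[i]),
               ascii_shield_blocks(samples[i]));
    return 0;
}
```

Only addresses with a zero byte somewhere other than the top byte (like the 0x0017c900 printf address, whose low byte is 0x00) are out of reach of a string write; 0x00badbad is delivered by its terminator.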


