Re: Beating memory address randomization (secuirty) features in Unix/Linux
- From: Don Bailey <don.bailey@xxxxxxxxx>
- Date: Fri, 31 Mar 2006 11:45:47 -0700
As you can see linux-gate.so.1 is linked on stack program and its address isn't randomized.
In this range address there is a lot of instructions mainly JMP *%ESP which can be used to points to stack and execute arbitraty code.
Bothering with the stack is a bore and doesn't always work
depending on the architecture. Easier to just return to libc
since even if the stack base isn't randomized (as it often is,
lately) we don't have to care with finding it. Libc does
everything you'd need to secure control of your target,
I pretty much stick with return-to-libc for local exploits
simply because it's often more consistent relative to
results. Your shell (environment variables, etc) plus
other environmental issues will skew stack addresses
slightly enough to make exploitation a little bother.
However, libc always maps to the same place. Then
you really only have to worry about the version you're
Don "north" Bailey
- Prev by Date: Re: Re: HTTP proxy/redirector to a unique virtual host ....
- Previous by thread: Re: Beating memory address randomization (secuirty) features in Unix/Linux
- Next by thread: Re: Beating memory address randomization (secuirty) features in Unix/Linux