Re: Beating memory address randomization (security) features in Unix/Linux



As you can see, linux-gate.so.1 is linked in the stack program and its address isn't randomized.

In this address range there are a lot of instructions, mainly JMP *%ESP, which can be used to point to the stack and execute arbitrary code.


Bothering with the stack is a bore and doesn't always work
depending on the architecture. Easier to just return to libc
since even if the stack base isn't randomized (as it often is,
lately) we don't have to care about finding it. Libc does
everything you'd need to secure control of your target,
anyway.

I pretty much stick with return-to-libc for local exploits
simply because it's often more consistent relative to
results. Your shell (environment variables, etc.) plus
other environmental issues will skew stack addresses
slightly enough to make exploitation a little bother.
However, libc always maps to the same place. Then
you really only have to worry about the version you're
using.

Don "north" Bailey
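As an added illustration (not from the original thread or its authors) of the point that linux-gate.so.1 and libc map to fixed addresses: this C program parses text in /proc/<pid>/maps format and reports the vDSO and libc base addresses, so an administrator can run it several times and see whether those bases move between runs. The sample maps text, the find_base name and the 32-bit addresses are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed sample in /proc/<pid>/maps format (not captured from a real system). */
static const char SAMPLE_MAPS[] =
"08048000-08049000 r-xp 00000000 08:01 1234 /home/user/stack\n"
"b7e00000-b7f40000 r-xp 00000000 08:01 5678 /lib/libc.so.6\n"
"ffffe000-fffff000 r-xp 00000000 00:00 0 [vdso]\n"
"bffeb000-c0000000 rw-p 00000000 00:00 0 [stack]\n";

/* Return the start address of one maps line if its path contains needle, else 0. */
static uintptr_t line_base(const char *line, const char *needle)
{
    unsigned long start, end, offset, inode;
    char perms[8], dev[16], path[512] = "";
    int n = sscanf(line, "%lx-%lx %7s %lx %15s %lu %511s",
                   &start, &end, perms, &offset, dev, &inode, path);
    if (n < 6 || path[0] == '\0') return 0;   /* anonymous mapping or malformed line */
    return strstr(path, needle) ? (uintptr_t)start : 0;
}

/* Scan a whole maps text for the first mapping whose path contains needle. */
uintptr_t find_base(const char *maps, const char *needle)
{
    for (const char *p = maps; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[1024];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len); line[len] = '\0';
        uintptr_t b = line_base(line, needle);
        if (b) return b;
        if (!nl) break;
        p = nl + 1;
    }
    return 0;
}

/* Report vdso/libc bases (live maps if readable, else the sample); a base that never
 * moves between runs is not being randomized. */
int main(void)
{
    static char buf[1 << 16];
    const char *maps = SAMPLE_MAPS;
    FILE *f = fopen("/proc/self/maps", "r");
    if (f) { size_t n = fread(buf, 1, sizeof buf - 1, f); buf[n] = '\0'; fclose(f); maps = buf; }
    printf("vdso 0x%lx  libc 0x%lx\n", (unsigned long)find_base(maps, "[vdso]"),
           (unsigned long)find_base(maps, "libc"));
    return 0;
}
```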

