Re: Beating memory address randomization (secuirty) features in Unix/Linux
- From: sean <infamous41md@xxxxxxxxxx>
- Date: Fri, 31 Mar 2006 20:35:37 -0500
I believe they're talking about distros WITH RANDOMIZATION IE PAX enabled.
On Fri, 31 Mar 2006 15:01:08 -0700
Don Bailey <don.bailey@xxxxxxxxx> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
think deeper , all the distros with randomization I have seen ; also
have null byte in ret to libc addresses , so that wont work here .
Erm, what "distros" are you talking about? I run the latest
Gentoo on sparc64, pa-risc and ppc and none of them
have a nil byte in libc addresses. Besides, that doesn't
always matter.
Think deeper, you're not always working with strings.
Below are some pastes of functionality on different
architectures. Notice the only one that actually shows
nil bytes is sparc64, but you wont have to worry about
that because you're not going to jump to the first 255
bytes.
Don "north" Bailey
Here's SuSE on x86
givingtree.north % ./showstack
&buffer[0]=bf9947b7
givingtree.north % ./showstack
&buffer[0]=bff50067
givingtree.north % ldd ./showstack
linux-gate.so.1 => (0xffffe000)
libc.so.6 => /lib/tls/libc.so.6 (0xb7e39000)
/lib/ld-linux.so.2 (0xb7f59000)
givingtree.north % uname -mr
2.6.16-rc6-givingtree i686
givingtree.north %
Here's Gentoo on PA-RISC
visualize.north % ./showstack
&buffer[0]=faf2c5c8
visualize.north % ./showstack
&buffer[0]=fb16a5c8
visualize.north % ldd showstack
libc.so.6 => /lib/libc.so.6 (0x406ad000)
/lib/ld.so.1 => /lib/ld.so.1 (0x4037d000)
visualize.north % uname -mr
2.6.16-rc5-visualize parisc
visualize.north %
Here's Gentoo on sparcv9
blueberry.snow % ./showstack
&buffer[0]=ef80d997
blueberry.snow % ./showstack
&buffer[0]=efeed997
blueberry.snow % ldd showstack
libc.so.6 => /lib/libc.so.6 (0x70030000)
/lib/ld-linux.so.2 (0x70000000)
blueberry.snow % uname -mr
2.6.16.1-blueberry sparc64
blueberry.snow %
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.5 (Build 5050)
iQA/AwUBRC2mpV/Ie1ANMtLuEQKRCgCg0xBuYb2UX66el7eKeA3LDNhsXGoAn32k
HVnpOIYhjgAzCzoDeSd7V5G/
=o9Xn
-----END PGP SIGNATURE-----
--
[ sean ]
[ pgp key id: 0x421C8CD9 ]
[ The advantage of a bad memory is that one enjoys several ]
[ times the same good things for the first time. ]
- Follow-Ups:
- References:
- Prev by Date: Re: Beating memory address randomization (secuirty) features in Unix/Linux
- Next by Date: mpg123 DoS ... It receives a SIGSEGV.
- Previous by thread: Re: Beating memory address randomization (secuirty) features in Unix/Linux
- Next by thread: Re: Beating memory address randomization (secuirty) features in Unix/Linux
- Index(es):
