Hemmann, Volker Armin wrote:
to do this fancy jump-around stuff, you need to know exactly where which
snippet resides in ram - one error and all your work is lost.
So, and because on gentoo everything is compiled by yourself with a little bit
different setting than the next gentoo user, it is a lot harder to guess the
correct addresses. Not like the binary distributions, where one is laid out
like the other.
Well, let's find out. On my home system, I did this:
strace gzip > /dev/null
hit ctrl-c
find the mmap that maps /lib/libc.so.6 by:
- find the open call that opens libc, note that the open call returns
the file descriptor
- find the next mmap that acts on that fd (second to last argument
to mmap)
- mmap returns the address it mmapped to
Short excerpt:
$ strace gzip > /dev/null
[...snip...]
open("/lib/libc.so.6", O_RDONLY) = 3
[... reads, lseeks and fstats snipped ...]
mmap(NULL, 2248680, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2aaaaabc1000
[...snip...]
I got 0x2aaaaabc1000 on my machine, I would be interested to know what
your machine did. But judging from the fact that the people from
hardened added address space layout randomization, I'd guess we're going
to get the same address or something that varies but not very randomly
(low entropy). Make sure that you test with gzip though, other apps will
have slightly different addresses as they seem to load libs in a
different order -- this won't help though, as an exploit will be
targeted at a specific app.
But I'm still interested if we all get the same addresses or slightly
different.
Marco
--
[email protected] mailing list
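The manual procedure above (find the open() of libc, remember the fd, take the next mmap() on that fd) is easy to script so that several strace runs can be compared for how many address bits actually change, which is the low-entropy question the mail raises. This is an added example, not code from the thread; the strace lines embedded in it are constructed (run A reuses the address quoted in the mail) and the `/lib/libc.so.6` path is the one from the mail.

```python
import re
import sys
from typing import List, Optional

# Matches the open()/openat() line of a library; group 1 = path, group 2 = fd.
OPEN_RE = re.compile(r'^open(?:at)?\((?:AT_FDCWD, )?"([^"]+)"[^)]*\)\s*=\s*(\d+)')
# Matches a successful mmap(); group 1 = raw argument list, group 2 = address.
MMAP_RE = re.compile(r'^mmap\((.*)\)\s*=\s*(0x[0-9a-fA-F]+)\s*$')

def libc_base(trace: str, libc_path: str = "/lib/libc.so.6") -> Optional[int]:
    """Address the first mmap() of libc's fd landed at in one strace run, or None."""
    fd = None
    for line in trace.splitlines():
        line = line.strip()
        if fd is None:
            m = OPEN_RE.match(line)
            if m and m.group(1) == libc_path:
                fd = int(m.group(2))  # open() returns the descriptor
            continue
        m = MMAP_RE.match(line)
        if m:
            args = [a.strip() for a in m.group(1).split(",")]
            if int(args[-2]) == fd:  # fd is the second to last mmap() argument
                return int(m.group(2), 16)
    return None

def varying_bits(bases: List[int]) -> int:
    """Count address bits that differ between runs: 0 means libc was mapped at
    the same place every time, a handful means low-entropy randomisation."""
    changed = 0
    for b in bases[1:]:
        changed |= b ^ bases[0]
    return bin(changed).count("1")

# Constructed traces (not real output): run A uses the address quoted in the
# mail, run B repeats it (no randomisation), run C differs in exactly one bit.
TRACE_A = """open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib/libc.so.6", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0755, st_size=1270568, ...}) = 0
mmap(NULL, 2248680, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2aaaaabc1000
"""
TRACE_B = TRACE_A
TRACE_C = TRACE_A.replace("0x2aaaaabc1000", "0x2aaaaaac1000")

if __name__ == "__main__":
    files = sys.argv[1:]
    traces = [open(f).read() for f in files] if files else [TRACE_A, TRACE_B, TRACE_C]
    found = [b for b in (libc_base(t) for t in traces) if b is not None]
    print([hex(b) for b in found], "varying bits:", varying_bits(found))
```

To use it on real data, capture each run with `strace -o run1.txt gzip </dev/null >/dev/null` (repeat for run2.txt, run3.txt, ...) and pass the files as arguments; the same caveat as in the mail applies, compare only traces of the same program.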