On Thursday 06 October 2005 21:31, Marco Matthies wrote:
> Hemmann, Volker Armin wrote:
> > to do this fancy jump-around stuff, you need to know exactly where which
> > snippet resides in RAM - one error and all your work is lost.
> >
> > So, and because on gentoo everything is compiled by yourself with
> > slightly different settings from the next gentoo user, it is a lot
> > harder to guess the correct addresses. Not like the binary distributions,
> > where one is laid out like the other.
>
> Well, let's find out. On my home system, I did this:
>
> strace gzip > /dev/null
> hit ctrl-c
> find the mmap that maps /lib/libc.so.6 by:
> - find the open call that opens libc, note that the open call returns
>    the file descriptor
> - find the next mmap that acts on that fd (second to last argument
>    to mmap)
> - mmap returns the address it mmapped to
>
> Short excerpt:
> $ strace gzip > /dev/null
> [...snip...]
> open("/lib/libc.so.6", O_RDONLY)        = 3
> [... reads, lseeks and fstats snipped ...]
> mmap(NULL, 2248680, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3,
> 0) = 0x2aaaaabc1000
> [...snip...]
>
> I got 0x2aaaaabc1000 on my machine, I would be interested to know what
> your machine did. But judging from the fact that the people from
> hardened added address space layout randomization, I'd guess we're going
> to get the same address or something that varies but not very randomly
> (low entropy). Make sure that you test with gzip though, other apps will
> have slightly different addresses as they seem to load libs in a
> different order -- this won't help though, as an exploit will be
> targeted at a specific app.
>
> But I'm still interested if we all get the same addresses or slightly
> different.
>

and I get:

strace gzip > /dev/null
execve("/bin/gzip", ["gzip"], [/* 63 vars */]) = 0
<snip>
open("/lib/tls/libc.so.6", O_RDONLY)    = 3
<snip>
mmap(NULL, 2261000, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2aaaaabc3000
<snip>

-- 
Conclusions 
 In a straight-up fight, the Empire squashes the Federation like a bug. Even 
with its numerical advantage removed, the Empire would still squash the 
Federation like a bug. Accept it. -Michael Wong 
-- 
[email protected] mailing list
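The procedure both posters follow by hand (find the open() of libc.so.6, note the returned fd, take the first later mmap() whose fd argument is that fd, read the address mmap() returned) is mechanical enough to script. The following is an added example, not code from the thread: it parses strace output in that shape, also accepts the newer openat() form and lines wrapped by a mail client, and counts how many address bits actually change between runs, which is the low-entropy question the thread raises. The three traces are constructed to look like the excerpts above, not real captures; the live helper assumes `strace -e trace=open,openat,mmap` and `gzip --version` are available and is only an illustration.

```python
"""Locate libc's load address in strace output and compare it across runs.

Added example, not code from the thread. libc_base() implements the posters'
procedure; varying_bits() answers "same address or low entropy?" numerically.
"""
import re
import subprocess
from typing import List, Optional

# open() and the newer openat() both quote the path and return the fd after " = ".
OPEN_RE = re.compile(
    r'^open(?:at)?\([^)]*"(?P<path>[^"]*libc\.so\.6)"[^)]*\)\s*=\s*(?P<fd>\d+)'
)
MMAP_RE = re.compile(r'^mmap\((?P<args>[^)]*)\)\s*=\s*(?P<addr>0x[0-9a-fA-F]+)')
CALL_START = re.compile(r'^[a-z_][a-z0-9_]*\(')


def _logical_lines(trace: str) -> List[str]:
    """Re-join syscall lines that a mail client wrapped before the ' = result' part,
    and drop snip markers or other text that does not start a syscall."""
    out, buf = [], ""
    for raw in trace.splitlines():
        raw = raw.strip()
        if not buf and not CALL_START.match(raw):
            continue
        buf = f"{buf} {raw}".strip()
        if " = " in buf:          # a complete "call(...) = result" line
            out.append(buf)
            buf = ""
    return out


def libc_base(trace: str) -> Optional[int]:
    """Return the address mmap() gave libc, or None if the trace has no libc mapping."""
    fd = None
    for line in _logical_lines(trace):
        if fd is None:
            m = OPEN_RE.match(line)
            if m:
                fd = m.group("fd")
            continue
        m = MMAP_RE.match(line)
        if m:
            args = [a.strip() for a in m.group("args").split(",")]
            # mmap(addr, length, prot, flags, fd, offset): fd is second to last.
            if len(args) == 6 and args[4] == fd:
                return int(m.group("addr"), 16)
    return None


def varying_bits(addresses: List[int]) -> int:
    """Number of address bits that differ across runs. This is an upper bound on the
    entropy in bits: 0 means libc always lands in the same place."""
    if not addresses:
        return 0
    diff = 0
    for a in addresses[1:]:
        diff |= a ^ addresses[0]
    return bin(diff).count("1")


def trace_libc_base(cmd=("gzip", "--version"), runs: int = 5) -> List[int]:
    """Run cmd under strace several times and collect libc's base from each run.
    Assumes strace is installed and may ptrace; returns [] otherwise."""
    bases = []
    for _ in range(runs):
        try:
            proc = subprocess.run(
                ["strace", "-e", "trace=open,openat,mmap", *cmd],
                stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
                stderr=subprocess.PIPE, text=True, check=False,
            )
        except FileNotFoundError:
            return []
        base = libc_base(proc.stderr)
        if base is not None:
            bases.append(base)
    return bases


# Constructed traces shaped like the excerpts in the thread, not real captures.
SAMPLE_RUNS = [
    # Run 1: old open() form, mmap line wrapped by the mail client, plus an
    # anonymous mmap (fd -1) that the fd check must skip.
    r"""execve("/bin/gzip", ["gzip"], [/* 63 vars */]) = 0
[...snip...]
open("/lib/libc.so.6", O_RDONLY)        = 3
read(3, "\177ELF"..., 832)              = 832
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2aaaaaaab000
mmap(NULL, 2248680, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3,
0) = 0x2aaaaabc1000
close(3)                                = 0
""",
    # Run 2: identical base, what the thread expects without randomisation.
    r"""open("/lib/libc.so.6", O_RDONLY)        = 3
mmap(NULL, 2248680, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2aaaaabc1000
""",
    # Run 3: newer openat() form and a base moved by a single page-sized step.
    r"""openat(AT_FDCWD, "/lib/tls/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
mmap(NULL, 2261000, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2aaaaabc3000
""",
]

if __name__ == "__main__":
    bases = [libc_base(r) for r in SAMPLE_RUNS]
    print("constructed runs:", [hex(b) for b in bases], "varying bits:", varying_bits(bases))
    live = trace_libc_base()
    print("live runs:", [hex(b) for b in live], "varying bits:", varying_bits(live))
```

The two sample addresses from the thread differ in exactly one bit (0x2aaaaabc1000 versus 0x2aaaaabc3000), so varying_bits() reports 1; a PaX/hardened kernel with randomized mmap would show well over a dozen varying bits across a handful of runs of the same binary.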