[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] ASLR Question

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] ASLR Question
From: Ben <comsatcat@xxxxxxxxxxxxx>
Date: Wed, 9 Jan 2008 11:51:37 -0700 (GMT-07:00)

I decided to poke around on my friend’s Fedora Core 6 system the other day and 
examine the exec-shield and ASLR mechanisms. So far the combination of 
exec-shield and library addresses having their most significant bit set to 0x00 
has blocked me from developing useful exploitation techniques against the 
system (however I am researching x82’s technique of ret chaining). I have 
managed to find something interesting with ASLR protection. It seems that every 
so many executions, the same stack base address is reused, in sequence. This 
happens more often then not.

I was wondering if this was a known with aslr (it looks entropy related).. on a 
vanilla 2.6.20 kernel with high load I was able to reuse the same stack address 
in sequence hundreds of times out of 1024 trys.

I posted to my blog about it with all the details, so if you'd like you can 
take a look at 
http://www.socialnetworkwhore.com/index.php?blog=5&title=possible_technique_for_bypassing_aslr&more=1&c=1&tb=1&pb=1

Basically I would like to know if I'm on to something here or if this is normal 
behavior for linux aslr.

Thanks in advance,
Ben

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] Pre-auth remote commands execution in SAP MaxDB 7.6.03.07
Next by Date: [Full-disclosure] [ GLSA 200801-02 ] R: Multiple vulnerabilities
Previous by thread: [Full-disclosure] Pre-auth remote commands execution in SAP MaxDB 7.6.03.07
Next by thread: [Full-disclosure] [ GLSA 200801-02 ] R: Multiple vulnerabilities
Index(es):
- Date
- Thread