Re: Patch 4/6 randomize the stack pointer
From: linux-os
Date: Thu Jan 27 2005 - 15:42:24 EST
On Thu, 27 Jan 2005, Arjan van de Ven wrote:
On Thu, 2005-01-27 at 14:19 -0500, linux-os wrote:
Gentlemen,
Isn't the return address on the stack an offset in the
code (.text) segment?
How would a random stack-pointer value help? I think you would
need to start a program at a random offset, not the stack!
No stack-smasher that worked would care about the value of
the stack-pointer.
the simple stack exploit works by overflowing a buffer ON THE STACK with
a "dirty payload and then also overwriting the return address to point
back into that buffer.
Yes.
(all the security guys on this list will now cringe about this over
simplification; yes reality is more complex but lets keep the
explenation simple for Richard)
Sure, be cute.
pointing back into that buffer needs the address of that buffer. That
buffer is on the stack, which is now randomized.
Wrong concept. Your exploit program simply needs fill with a guad-
byte offset such as 0x02020202 and put your payload at that
offset. You don't care where the stack-pointer is. You find
out how many bytes of 0x02 are necessary to get to that offset
on an experimental system, it is independent of the stack-pointer
value. It depends only upon the size of the buffer you are
exploiting, which needs to not change, of course.
When the return instruction occurs, one of those 0x02020202
will be encountered and your payload gets executed next.
Note that you should chose a different repeating-byte
than I have used here. Get the address of _end on a 'C'
program for hints.
Cheers,
Dick Johnson
Penguin : Linux version 2.6.10 on an i686 machine (5537.79 BogoMips).
Notice : All mail here is now cached for review by Dictator Bush.
98.36% of all statistics are fiction.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/