> BTW, I have just made a generic buffer overflow exploit using this method:
> it does PTRACE_SINGLESTEP to find system() entry point, and then fills the
> buffer with the following pattern: {system_addr, system_addr, string_addr,
> string_addr} -- 4 int's (16 bytes) total. This is a bit more complicated
> than what I was telling earlier (I forgot about the return address, which
> we have to leave space for), but still requires at most two tries until it
> works on an aligned buffer, and up to 8 tries on an unaligned one (which is
> the case for /usr/bin/lpr that I was testing with).
What about mapping libc always onto addresses that have a 0xab******
pattern, and then forbidding character '0xab' in argv[] and envp[] strings
[done by the kernel].
This way it would be harder to generate a valid libc address via parameter
overflow? [I'm assuming that the only open communication channel to get
attack code into the process is argv[] and envp[]]
Also, an attack warning could be issued if the kernel detects 'illegal'
characters in parameter strings (for privileged processes only). [how
'illegal' is defined depends on locale settings]
-- mingo
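The scheme mingo sketches above, as an added illustration that is not from the thread and not kernel code: a user-space C sketch of its two halves, assuming a hypothetical libc mapping at 0xab000000-0xabffffff and a single forbidden byte 0xab (the locale-dependent definition of 'illegal' characters is left out). The first function checks that every address in the mapping necessarily contains the forbidden byte, the second is the exec-time argv/envp filter.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed (hypothetical) libc placement and the byte the kernel would reject. */
#define LIBC_BASE  0xab000000u
#define LIBC_SIZE  0x01000000u
#define FORBIDDEN  0xab

/* Returns 1 if every address in [base, base+size) contains 'forbidden' in its
 * little-endian byte encoding, i.e. no pointer into the mapping can survive a
 * filter that rejects that byte. Returns 0 on the first address that escapes. */
int range_is_armored(uint32_t base, uint32_t size, unsigned char forbidden)
{
    for (uint64_t a = base; a < (uint64_t)base + size; a++) {
        uint32_t addr = (uint32_t)a;
        int found = 0;
        for (int i = 0; i < 4; i++)
            if (((addr >> (8 * i)) & 0xffu) == forbidden) { found = 1; break; }
        if (!found)
            return 0;
    }
    return 1;
}

/* The argv[]/envp[] filter: returns the index of the first string containing
 * the forbidden byte (the kernel would refuse the exec or log a warning for a
 * privileged target), or -1 if all strings are clean. */
int find_forbidden_string(char *const vec[], unsigned char forbidden)
{
    for (int i = 0; vec[i] != NULL; i++)
        if (memchr(vec[i], forbidden, strlen(vec[i])) != NULL)
            return i;
    return -1;
}

/* Constructed samples: an ordinary lpr argv, and one whose second argument
 * carries the (made-up) libc address 0xab012345 in little-endian order. */
char *const sample_benign[]    = { "lpr", "-Plp", "file.txt", NULL };
char *const sample_with_addr[] = { "lpr", "-P\x45\x23\x01\xab", NULL };

int main(void)
{
    printf("libc range armored: %d\n", range_is_armored(LIBC_BASE, LIBC_SIZE, FORBIDDEN));
    printf("benign argv, first flagged index: %d\n", find_forbidden_string(sample_benign, FORBIDDEN));
    printf("argv with address, first flagged index: %d\n", find_forbidden_string(sample_with_addr, FORBIDDEN));
    return 0;
}
```

As mingo's bracketed assumption says, the filter only covers argv[] and envp[]; an address arriving through any other channel (stdin, a file, the environment of a non-exec path) is not seen by it.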