- 04-26-2013 #1
- Join Date
- Apr 2013
linux-gate.so Randomization Even Prior to 2.6.18
I'm doing a presentation for school on attacks against address space layout randomization. I plan on demonstrating either a return-to-libc attack or a similar ROP technique using linux-gate.so.
I've read 'Hacking - The Art of Exploitation' which describes the linux-gate.so technique. It's the same type of ROP used in return-to-libc except you use linux-gate.so instead of libc.so. On kernel versions prior to 2.6.18, ASLR could still be bypassed because linux-gate.so (and libc.so, I assume) were still always loaded at the same address.
So my project should be as simple as using a distro compiled with anything pre-2.6.18, right? Not exactly. I've done just that with Fedora Core 5 and 4 (kernel 2.6.15 and 2.6.11 respectively) but linux-gate.so and libc.so and everything else for that matter are still loaded at random addresses each time I check using ldd. It doesn't matter whether ASLR is turned on or off in /proc/sys/kernel/randomize_va_space (even though it's supposed to work with it set to 0).
If I am using a kernel prior to 2.6.18, what could be causing these libraries to still be loaded randomly?
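A way to run the check the post describes, as an added example that is not part of the original thread: it compares the base address of each named mapping in /proc/<pid>/maps across several process launches and reports, per mapping, whether the load address is fixed or randomized. The sample snapshots and the helper names (`base_addresses`, `classify`, `live_runs`) are constructed for illustration.

```python
import os
import subprocess
from collections import defaultdict

# Constructed /proc/<pid>/maps excerpts from three runs of one program.
# Addresses are invented for illustration; they are not from the thread.
SAMPLE_RUNS = [
    "08048000-08049000 r-xp 00000000 03:01 1234 /home/user/test\n"
    "b7e3a000-b7f65000 r-xp 00000000 03:01 5678 /lib/libc-2.4.so\n"
    "ffffe000-fffff000 r-xp 00000000 00:00 0 [vdso]\n",
    "08048000-08049000 r-xp 00000000 03:01 1234 /home/user/test\n"
    "b7d91000-b7ebc000 r-xp 00000000 03:01 5678 /lib/libc-2.4.so\n"
    "ffffe000-fffff000 r-xp 00000000 00:00 0 [vdso]\n",
    "08048000-08049000 r-xp 00000000 03:01 1234 /home/user/test\n"
    "b7f02000-b802d000 r-xp 00000000 03:01 5678 /lib/libc-2.4.so\n"
    "ffffe000-fffff000 r-xp 00000000 00:00 0 [vdso]\n",
]

def base_addresses(maps_text):
    """Return {mapping name: lowest start address} for one maps snapshot."""
    bases = {}
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # range perms offset dev inode [name]
        if len(fields) < 6:
            continue  # anonymous mapping or malformed line
        try:
            start = int(fields[0].split("-")[0], 16)
        except ValueError:
            continue
        name = fields[5].strip()
        bases[name] = min(start, bases.get(name, start))
    return bases

def classify(runs):
    """Label each mapping seen in every run as 'fixed' or 'randomized'."""
    seen = defaultdict(list)
    for snapshot in runs:
        for name, base in base_addresses(snapshot).items():
            seen[name].append(base)
    return {name: "fixed" if len(set(b)) == 1 else "randomized"
            for name, b in seen.items() if len(b) == len(runs)}

def live_runs(count=5):
    cmd = ["cat", "/proc/self/maps"]  # each cat is a fresh process (Linux)
    return [subprocess.run(cmd, capture_output=True, text=True).stdout
            for _ in range(count)]

if __name__ == "__main__":
    runs = live_runs() if os.path.exists("/proc/self/maps") else SAMPLE_RUNS
    for name, verdict in sorted(classify(runs).items()):
        print(f"{verdict:10} {name}")
```

Run it once with each value of /proc/sys/kernel/randomize_va_space to see which mappings that setting actually affects on a given kernel.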
- 12-25-2013 #2
- Join Date
- Apr 2009
- I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away.
It is possible that the kernels in question had been patched to fix this issue.
Sometimes, real fast is almost as good as real time.
Just remember, Semper Gumbi - always be flexible!