linux-gate.so Randomization Even Prior to 2.6.18
I'm doing a presentation for school on attacks against address space layout randomization. I plan on demonstrating either a return-to-libc attack or a similar ROP technique using linux-gate.so.
I've read 'Hacking - The Art of Exploitation' which describes the linux-gate.so technique. It's the same type of ROP used in return-to-libc except you use linux-gate.so instead of libc.so. On kernel versions prior to 2.6.18, ASLR could still be bypassed because linux-gate.so (and libc.so, I assume) were still always loaded at the same address.
So my project should be as simple as using a distro compiled with anything pre-2.6.18, right? Not exactly. I've done just that with Fedora Core 5 and 4 (kernel 2.6.15 and 2.6.11 respectively), but linux-gate.so and libc.so, and everything else for that matter, are still loaded at random addresses each time I check using ldd. It doesn't matter whether ASLR is turned on or off in /proc/sys/kernel/randomize_va_space (even though it's supposed to work with it set to 0).
If I am using a kernel prior to 2.6.18, what could be causing these libraries to still be loaded randomly?
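An added example, not part of the question above, for checking the same thing the post checks with ldd but from the kernel's own view: each ldd run spawns a fresh process, so what ldd prints for linux-gate.so is just that one process's vDSO address. The script below reads /proc/&lt;pid&gt;/maps directly, parses the `[vdso]` and libc mappings, samples them across several freshly spawned child interpreters, and reports whether the start addresses vary. The two embedded maps excerpts are constructed sample data (one with the classic fixed 0xffffe000 vDSO, one with a randomized one); the parser and report functions are assumptions of this example, not a tool from the book or the distro.

```python
"""Audit whether [vdso] (linux-gate.so) and libc land at the same address
across process launches, by reading /proc/<pid>/maps instead of ldd output.
Added example; the sample maps below are constructed, not captured."""
import re
import subprocess
import sys

# /proc/<pid>/maps: "start-end perms offset dev inode [pathname]"
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s*(.*)$"
)

# Constructed sample: vDSO at the historically fixed 32-bit address.
CONSTRUCTED_MAPS_FIXED = """\
08048000-08049000 r-xp 00000000 08:01 123456     /tmp/demo
b7e4d000-b7f8a000 r-xp 00000000 08:01 654321     /lib/libc-2.4.so
bffeb000-c0000000 rw-p bffeb000 00:00 0          [stack]
ffffe000-fffff000 r-xp 00000000 00:00 0          [vdso]
"""

# Constructed sample: same layout, but vDSO and libc moved by the kernel.
CONSTRUCTED_MAPS_RANDOM = """\
08048000-08049000 r-xp 00000000 08:01 123456     /tmp/demo
b7d21000-b7e5e000 r-xp 00000000 08:01 654321     /lib/libc-2.4.so
bfc0a000-bfc1f000 rw-p bfc0a000 00:00 0          [stack]
b7f9b000-b7f9c000 r-xp 00000000 00:00 0          [vdso]
"""


def mapping_start(maps_text, name):
    """Return the start address of the first mapping whose pathname
    contains `name` (e.g. "[vdso]" or "libc"), or None if absent."""
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        start, _end, _perms, path = m.groups()
        if name in path:
            return int(start, 16)
    return None


def randomization_report(addresses):
    """Summarise start addresses gathered from separate processes.
    A single distinct value means the mapping is at a fixed address."""
    distinct = sorted(set(addresses))
    return {
        "samples": len(addresses),
        "distinct": len(distinct),
        "randomized": len(distinct) > 1,
        "addresses": [hex(a) for a in distinct],
    }


# Child just dumps its own maps; a new process is spawned for every sample.
CHILD_SNIPPET = "import sys; sys.stdout.write(open('/proc/self/maps').read())"


def sample_live(n=8, names=("[vdso]", "libc")):
    """Spawn n fresh interpreters and collect each mapping's start address."""
    results = {name: [] for name in names}
    for _ in range(n):
        maps = subprocess.run(
            [sys.executable, "-c", CHILD_SNIPPET],
            capture_output=True, text=True, check=True,
        ).stdout
        for name in names:
            addr = mapping_start(maps, name)
            if addr is not None:
                results[name].append(addr)
    return results


def read_randomize_va_space(path="/proc/sys/kernel/randomize_va_space"):
    """Current sysctl value (0, 1 or 2), or None if the file is unreadable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    print("randomize_va_space =", read_randomize_va_space())
    for name, addrs in sample_live().items():
        print(name, randomization_report(addrs))
```

Run it as a normal user on the machine under test, with the sysctl set to 0 and again to 2, and compare the `distinct` counts: if `[vdso]` still shows more than one address with the sysctl at 0, the randomization is coming from something other than that knob, which is exactly the condition the question describes.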