| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <8099035.1199904697318.JavaMail.root@elwamui-polski.atl.sa.earthlink.net> Date: Wed, 9 Jan 2008 11:51:37 -0700 (GMT-07:00) From: Ben <comsatcat@...thlink.net> To: full-disclosure@...ts.grok.org.uk Subject: ASLR Question I decided to poke around on my friend’s Fedora Core 6 system the other day and examine the exec-shield and ASLR mechanisms. So far the combination of exec-shield and library addresses having their most significant bit set to 0x00 has blocked me from developing useful exploitation techniques against the system (however I am researching x82’s technique of ret chaining). I have managed to find something interesting with ASLR protection. It seems that every so many executions, the same stack base address is reused, in sequence. This happens more often then not. I was wondering if this was a known with aslr (it looks entropy related).. on a vanilla 2.6.20 kernel with high load I was able to reuse the same stack address in sequence hundreds of times out of 1024 trys. I posted to my blog about it with all the details, so if you'd like you can take a look at http://www.socialnetworkwhore.com/index.php?blog=5&title=possible_technique_for_bypassing_aslr&more=1&c=1&tb=1&pb=1 Basically I would like to know if I'm on to something here or if this is normal behavior for linux aslr. Thanks in advance, Ben _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists