From: John Richard Moser <nigelenki@comcast.net>
To: Arjan van de Ven <arjan@infradead.org>
Cc: linux-os@analogic.com,
Linux kernel <linux-kernel@vger.kernel.org>,
akpm@osdl.org
Subject: Re: Patch 4/6 randomize the stack pointer
Date: Thu, 27 Jan 2005 15:13:14 -0500 [thread overview]
Message-ID: <41F94B5A.2030301@comcast.net> (raw)
In-Reply-To: <1106856178.5624.128.camel@laptopd505.fenrus.org>
[-- Attachment #1.1: Type: text/plain, Size: 1171 bytes --]
In other words, no :)
Here's self-exploiting code to discover its own return address offset
and exploit itself. It'll lend some insight into how this stuff works.
Just a toy.
Arjan van de Ven wrote:
> On Thu, 2005-01-27 at 14:19 -0500, linux-os wrote:
>
>>Gentlemen,
>>
>>Isn't the return address on the stack an offset in the
>>code (.text) segment?
>>
>>How would a random stack-pointer value help? I think you would
>>need to start a program at a random offset, not the stack!
>>No stack-smasher that worked would care about the value of
>>the stack-pointer.
>
>
> the simple stack exploit works by overflowing a buffer ON THE STACK with
> a "dirty payload and then also overwriting the return address to point
> back into that buffer.
>
> (all the security guys on this list will now cringe about this over
> simplification; yes reality is more complex but lets keep the
> explenation simple for Richard)
>
> pointing back into that buffer needs the address of that buffer. That
> buffer is on the stack, which is now randomized.
>
>
>
--
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.
[-- Attachment #1.2: exploit.c --]
[-- Type: text/plain, Size: 1027 bytes --]
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
int payload();
int exploit(char *d);
int main() {
int distance;
char a[512] = {0};
distance = exploit(NULL);
memset(a, 0xFF, distance);
/*Get our payload address*/
*(void**)(a + distance) = &payload;
*(void**)(a + distance + sizeof(void*)) = 0; /*cap*/
/*exploit the payload*/
exploit(a);
/*we never reach this*/
return 255;
}
/*
* exploit()
* This overflows its own buffers and causes the return to jump to payload()
*/
int exploit(char *d) {
char a[400] = {0};
void *i;
int distance = 0;
char payld[sizeof(void*) + 1];
void *myret;
void *z;
if (!d) {
myret = __builtin_return_address(0);
/*find the distance between a and myret*/
for (i = (void*)a; *(void**)i != myret; i++) {
distance++;
}
return distance;
}
/*We're passed a d buffer, so strcpy it unsafely*/
strcpy(a,d);
/*Return to payload()*/
return 1;
}
int payload() {
printf("Payload executed successfully!\n");
/*0: Unsafe; successful exploit*/
_exit(0);
}
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 256 bytes --]
next prev parent reply other threads:[~2005-01-27 20:16 UTC|newest]
Thread overview: 91+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-01-27 10:11 Patch 0/6 virtual address space randomisation Arjan van de Ven
2005-01-27 10:12 ` Patch 1/6 introduce sysctl Arjan van de Ven
2005-01-27 10:36 ` Andi Kleen
2005-01-27 11:13 ` Arjan van de Ven
2005-01-27 18:16 ` Pavel Machek
2005-01-27 19:11 ` Ingo Molnar
2005-01-27 19:46 ` Dave Jones
2005-01-27 19:53 ` Ingo Molnar
2005-01-27 19:53 ` Arjan van de Ven
2005-02-04 21:27 ` Benoit Boissinot
2005-01-27 10:12 ` Patch 2/6 introduce helper infrastructure Arjan van de Ven
2005-01-27 10:41 ` Andi Kleen
2005-01-27 11:58 ` Arjan van de Ven
2005-01-27 12:27 ` Andi Kleen
2005-01-27 12:43 ` Arjan van de Ven
2005-02-01 21:14 ` Matt Mackall
2005-01-27 10:12 ` Patch 3/6 per process flag Arjan van de Ven
2005-01-27 10:13 ` Patch 4/6 randomize the stack pointer Arjan van de Ven
2005-01-27 10:21 ` Christoph Hellwig
2005-01-27 17:38 ` John Richard Moser
2005-01-27 17:47 ` Arjan van de Ven
2005-01-27 18:04 ` John Richard Moser
2005-01-27 18:09 ` Arjan van de Ven
2005-01-27 18:12 ` Christoph Hellwig
2005-01-27 18:16 ` Linus Torvalds
2005-01-27 18:28 ` Linus Torvalds
2005-01-27 18:55 ` John Richard Moser
2005-01-27 18:49 ` John Richard Moser
2005-01-27 19:30 ` Linus Torvalds
2005-01-27 19:48 ` Arjan van de Ven
2005-01-27 19:59 ` Linus Torvalds
2005-01-27 20:04 ` Arjan van de Ven
2005-01-27 20:08 ` John Richard Moser
2005-01-27 19:19 ` linux-os
2005-01-27 19:52 ` Julien TINNES
2005-01-27 20:02 ` Arjan van de Ven
2005-01-27 20:13 ` John Richard Moser [this message]
2005-01-27 21:33 ` jnf
2005-01-28 17:22 ` Paulo Marques
2005-01-28 17:51 ` John Richard Moser
2005-01-28 18:42 ` Ingo Molnar
2005-01-29 6:04 ` John Richard Moser
2005-01-27 20:37 ` linux-os
2005-01-27 20:45 ` John Richard Moser
2005-01-27 21:39 ` John Richard Moser
2005-01-27 21:53 ` Arjan van de Ven
2005-01-27 22:34 ` John Richard Moser
2005-01-29 2:50 ` Rik van Riel
2005-01-29 6:31 ` John Richard Moser
2005-01-29 8:10 ` Arjan van de Ven
[not found] ` <41FBB821.3000403@comcast.net>
2005-01-29 16:42 ` Arjan van de Ven
2005-01-29 16:59 ` John Richard Moser
2005-01-29 16:46 ` Arjan van de Ven
2005-01-29 17:04 ` John Richard Moser
2005-01-29 17:37 ` Jakub Jelinek
2005-01-29 17:49 ` John Richard Moser
2005-01-29 17:55 ` Christoph Hellwig
2005-01-29 18:10 ` John Richard Moser
2005-01-29 18:12 ` Rik van Riel
2005-01-29 18:16 ` Christoph Hellwig
2005-01-29 7:46 ` John Richard Moser
2005-01-27 18:40 ` Felipe Alfaro Solana
2005-01-27 22:31 ` Jirka Kosina
2005-01-28 5:58 ` Ingo Molnar
2005-01-28 19:02 ` David Lang
2005-01-28 7:33 ` Arjan van de Ven
2005-01-27 19:43 ` Julien TINNES
2005-01-28 0:10 ` H. Peter Anvin
2005-01-28 0:23 ` Roland Dreier
2005-01-28 1:06 ` H. Peter Anvin
2005-01-28 2:03 ` Horst von Brand
2005-01-28 8:45 ` Julien TINNES
2005-01-27 20:23 ` Christoph Hellwig
2005-01-27 20:27 ` Arjan van de Ven
2005-01-27 20:32 ` Christoph Hellwig
2005-01-27 20:35 ` Arjan van de Ven
2005-01-27 20:40 ` Rik van Riel
2005-01-27 20:42 ` Christoph Hellwig
2005-01-27 20:56 ` Arjan van de Ven
2005-01-27 21:13 ` Linus Torvalds
2005-01-27 10:13 ` Patch 5/6 randomize mmap addresses Arjan van de Ven
2005-01-27 10:14 ` Patch 6/6 default enable randomisation for -mm Arjan van de Ven
2005-01-27 11:45 ` Patch 0/6 virtual address space randomisation Julien TINNES
2005-01-27 11:57 ` Arjan van de Ven
2005-01-27 17:42 ` John Richard Moser
2005-01-27 19:34 ` Julien TINNES
2005-01-27 19:57 ` John Richard Moser
2005-01-27 20:13 ` Arjan van de Ven
2005-01-28 8:45 ` David Weinehall
-- strict thread matches above, loose matches on Subject: below --
2005-01-31 10:55 Patch 4/6 randomize the stack pointer linux
2005-01-31 17:28 ` John Richard Moser
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=41F94B5A.2030301@comcast.net \
--to=nigelenki@comcast.net \
--cc=akpm@osdl.org \
--cc=arjan@infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-os@analogic.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.